

Merge branch 'main' into fix-search-with-plugin
cwperks committed Jan 17, 2025
2 parents 117855f + c84caef commit 00779ea
Showing 15 changed files with 122 additions and 109 deletions.
2 changes: 1 addition & 1 deletion .github/actions/run-bwc-suite/action.yaml
Expand Up @@ -50,7 +50,7 @@ runs:
-Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }}
-Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i
- uses: alehechka/upload-tartifact@v2
- uses: actions/upload-artifact@v4
if: always()
with:
name: ${{ inputs.report-artifact-name }}
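Review bot: The new `uses: actions/upload-artifact@v4` reference is a mutable tag, so the job runs whatever commit that tag points to at execution time; pinning to a full-length commit SHA with the version in a trailing comment, `uses: actions/upload-artifact@<full-commit-sha> # v4`, keeps the dependency immutable and auditable. The same applies to the identical replacement in .github/workflows/integration-tests.yml. Moving from the third-party fork to the official action is otherwise the right direction for the supply chain of this workflow.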
2 changes: 1 addition & 1 deletion .github/workflows/integration-tests.yml
Expand Up @@ -24,7 +24,7 @@ jobs:

- run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test

- uses: alehechka/upload-tartifact@v2
- uses: actions/upload-artifact@v4
if: always()
with:
name: ${{ matrix.jdk }}-${{ matrix.test-run }}-reports
Expand Up @@ -12,6 +12,7 @@
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.stream.Collectors;

Expand Down Expand Up @@ -462,8 +463,9 @@ public void shouldPerformCatIndices_positive() throws IOException {
Request getIndicesRequest = new Request("GET", "/_cat/indices");
// High level client doesn't support _cat/_indices API
Response getIndicesResponse = restHighLevelClient.getLowLevelClient().performRequest(getIndicesRequest);
List<String> indexes = new BufferedReader(new InputStreamReader(getIndicesResponse.getEntity().getContent())).lines()
.collect(Collectors.toList());
List<String> indexes = new BufferedReader(
new InputStreamReader(getIndicesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
).lines().collect(Collectors.toList());

assertThat(indexes.size(), equalTo(1));
assertThat(indexes.get(0), containsString("marvelous_songs"));
Expand All @@ -476,8 +478,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_USER)) {
Request getAliasesRequest = new Request("GET", "/_cat/aliases");
Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
.collect(Collectors.toList());
List<String> aliases = new BufferedReader(
new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
).lines().collect(Collectors.toList());

// Does not fail on forbidden, but alias response only contains index which user has access to
assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
Expand All @@ -490,8 +493,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
Request getAliasesRequest = new Request("GET", "/_cat/aliases");
Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
.collect(Collectors.toList());
List<String> aliases = new BufferedReader(
new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
).lines().collect(Collectors.toList());

// Admin has access to all
assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
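Review bot: The same three-line reader construction now appears three times in this section (once in shouldPerformCatIndices_positive, twice in shouldPerformCatAliases_positive); a private helper such as `private static List<String> responseLines(Response response) throws IOException` that wraps `response.getEntity().getContent()` in an `InputStreamReader(..., StandardCharsets.UTF_8)` and returns `.lines().collect(Collectors.toList())` would keep the charset fix in one place. Passing StandardCharsets.UTF_8 explicitly is the right change, since the single-argument InputStreamReader constructor falls back to the platform default charset. Both enclosing test methods start and end outside the hunk.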
Expand Up @@ -28,6 +28,7 @@
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
import org.apache.hc.core5.http.HttpEntity;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand Down Expand Up @@ -223,7 +224,7 @@ private CloseableHttpClient createHttpClient(HttpCacheStorage httpCacheStorage)

if (sslConfig != null) {
final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory())
.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslConfig.getSslContext()))
.build();

builder.setConnectionManager(cm);
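Review bot: `.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslConfig.getSslContext()))` in createHttpClient hands the connection manager only the SSLContext; whatever the removed `sslConfig.toSSLConnectionSocketFactory()` used to apply on top of it (supported protocols, cipher suites, or a specific hostname verifier) is no longer propagated, so if that method configured any of them the client now falls back to the library defaults. As far as I know the single-argument constructor installs the library's default hostname verifier, so hostname verification itself stays on, but the narrowing is worth confirming against the rest of sslConfig and recording with a comment such as `// Only the SSLContext is applied here; protocol/cipher restrictions from sslConfig are not propagated.` createHttpClient starts and ends outside the hunk.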
Expand Up @@ -32,14 +32,15 @@
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.TrustAllStrategy;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.SocketConfig;
import org.apache.hc.core5.http.io.entity.StringEntity;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
import org.apache.hc.core5.ssl.SSLContextBuilder;
import org.apache.hc.core5.ssl.TrustStrategy;
import org.apache.http.HttpStatus;

import org.opensearch.common.settings.Settings;
Expand Down Expand Up @@ -368,27 +369,20 @@ CloseableHttpClient getHttpClient() {
.setConnectionRequestTimeout(timeout, TimeUnit.SECONDS)
.build();

final TrustStrategy trustAllStrategy = new TrustStrategy() {
@Override
public boolean isTrusted(X509Certificate[] chain, String authType) {
return true;
}
};

try {

HttpClientBuilder hcb = HttpClients.custom().setDefaultRequestConfig(config);
if (!verifySSL) {
SSLContext sslContext = SSLContextBuilder.create().loadTrustMaterial(trustAllStrategy).build();
final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
SSLContext sslContext = SSLContextBuilder.create().loadTrustMaterial(TrustAllStrategy.INSTANCE).build();
final DefaultClientTlsStrategy sslsf = new DefaultClientTlsStrategy(
sslContext,
null,
null,
SSLBufferMode.STATIC,
NoopHostnameVerifier.INSTANCE
);

final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
.setSSLSocketFactory(sslsf)
.setTlsSocketStrategy(sslsf)
.setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(timeout, TimeUnit.SECONDS).build())
.build();
hcb.setConnectionManager(cm);
Expand All @@ -399,10 +393,16 @@ public boolean isTrusted(X509Certificate[] chain, String authType) {
return HttpClients.custom().setDefaultRequestConfig(config).build();
}
SSLContext sslContext = SSLContextBuilder.create().loadTrustMaterial(effectiveTruststore, null).build();
final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, null, null, new DefaultHostnameVerifier());
final DefaultClientTlsStrategy sslsf = new DefaultClientTlsStrategy(
sslContext,
null,
null,
SSLBufferMode.STATIC,
new DefaultHostnameVerifier()
);

final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
.setSSLSocketFactory(sslsf)
.setTlsSocketStrategy(sslsf)
.setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(timeout, TimeUnit.SECONDS).build())
.build();
hcb.setConnectionManager(cm);
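Review bot: Both new locals `final DefaultClientTlsStrategy sslsf = new DefaultClientTlsStrategy(` (the `!verifySSL` branch and the truststore branch) keep the old name `sslsf`, which read as "SSL socket factory"; now that they hold a TLS strategy, `tlsStrategy` would match what `setTlsSocketStrategy` receives. Passing `null, null` for protocols and cipher suites leaves the JVM defaults in place, as the removed SSLConnectionSocketFactory calls did, so behaviour there is unchanged. The `!verifySSL` branch still pairs `TrustAllStrategy.INSTANCE` with `NoopHostnameVerifier.INSTANCE`, which disables both chain and hostname validation; a comment at the construction site, e.g. `// verifySSL=false disables both certificate-chain and hostname validation`, would make that consequence explicit to the next reader. getHttpClient starts and ends outside the hunk.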
26 changes: 9 additions & 17 deletions src/main/java/org/opensearch/security/httpclient/HttpClient.java
Expand Up @@ -30,23 +30,21 @@
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import com.google.common.collect.Lists;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.async.HttpAsyncClientBuilder;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
import org.apache.hc.client5.http.nio.AsyncClientConnectionManager;
import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.core5.function.Factory;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.message.BasicHeader;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.reactor.ssl.TlsDetails;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
import org.apache.hc.core5.ssl.PrivateKeyDetails;
import org.apache.hc.core5.ssl.PrivateKeyStrategy;
import org.apache.hc.core5.ssl.SSLContextBuilder;
Expand Down Expand Up @@ -280,19 +278,13 @@ public String chooseAlias(Map<String, PrivateKeyDetails> aliases, SSLParameters
final HostnameVerifier hnv = verifyHostnames ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;

final SSLContext sslContext = sslContextBuilder.build();
TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create()
.setSslContext(sslContext)
.setTlsVersions(supportedProtocols)
.setCiphers(supportedCipherSuites)
.setHostnameVerifier(hnv)
// See please https://issues.apache.org/jira/browse/HTTPCLIENT-2219
.setTlsDetailsFactory(new Factory<SSLEngine, TlsDetails>() {
@Override
public TlsDetails create(final SSLEngine sslEngine) {
return new TlsDetails(sslEngine.getSession(), sslEngine.getApplicationProtocol());
}
})
.build();
final TlsStrategy tlsStrategy = new DefaultClientTlsStrategy(
sslContext,
supportedProtocols,
supportedCipherSuites,
SSLBufferMode.STATIC,
hnv
);

final AsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create().setTlsStrategy(tlsStrategy).build();
httpClientBuilder.setConnectionManager(cm);
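Review bot: The removed ClientTlsStrategyBuilder chain carried a TlsDetails factory with a pointer to HTTPCLIENT-2219, and the new `final TlsStrategy tlsStrategy = new DefaultClientTlsStrategy(sslContext, supportedProtocols, supportedCipherSuites, SSLBufferMode.STATIC, hnv)` drops that workaround without saying why; presumably the httpclient5 release now in use derives the negotiated application protocol itself, but that should be stated, e.g. `// TlsDetails factory no longer needed: DefaultClientTlsStrategy derives ALPN details itself (see HTTPCLIENT-2219).` Without the comment, a future downgrade of the dependency could regress HTTP/2 negotiation without any compile-time signal. Protocols, cipher suites and the verifier chosen from verifyHostnames are all still applied, so the TLS posture is otherwise preserved. The enclosing method starts and ends outside the hunk.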
Expand Up @@ -62,6 +62,7 @@ public Tuple<TrustStoreConfiguration, KeyStoreConfiguration> loadConfiguration(f
final var settings = environment.settings();
final var sslConfigSettings = settings.getByPrefix(fullSslConfigSuffix);
if (settings.hasValue(sslConfigSuffix + KEYSTORE_FILEPATH)) {
final var keyStorePassword = resolvePassword(sslConfigSuffix + KEYSTORE_PASSWORD, settings, DEFAULT_STORE_PASSWORD);
return Tuple.tuple(
environment.settings().hasValue(sslConfigSuffix + TRUSTSTORE_FILEPATH)
? buildJdkTrustStoreConfiguration(
Expand All @@ -73,8 +74,12 @@ public Tuple<TrustStoreConfiguration, KeyStoreConfiguration> loadConfiguration(f
buildJdkKeyStoreConfiguration(
sslConfigSettings,
environment,
resolvePassword(sslConfigSuffix + KEYSTORE_PASSWORD, settings, DEFAULT_STORE_PASSWORD),
resolvePassword(fullSslConfigSuffix + KEYSTORE_KEY_PASSWORD, settings, DEFAULT_STORE_PASSWORD)
keyStorePassword,
resolvePassword(
fullSslConfigSuffix + KEYSTORE_KEY_PASSWORD,
settings,
keyStorePassword != null ? String.valueOf(keyStorePassword) : null
)
)
);
} else {
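Review bot: The key-password default changes from DEFAULT_STORE_PASSWORD to the keystore password via `keyStorePassword != null ? String.valueOf(keyStorePassword) : null`, which matches the JDK convention that a key entry's password defaults to the store password, but nothing in the hunk says so; a comment such as `// Key password falls back to the keystore password (JDK keystore convention) when not set explicitly.` would help. `String.valueOf(keyStorePassword)` suggests keyStorePassword is a char[]; turning it into a String creates an immutable copy of the secret that cannot be zeroed, so if resolvePassword could take a char[] default the copy would be avoidable — its signature is outside the hunk, so this is inferred. When the keystore password itself resolves to null the key-password default is also null, and how resolvePassword treats a null default is not visible here. loadConfiguration continues outside the hunk.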
Expand Up @@ -62,24 +62,27 @@ class MockIpdServer implements Closeable {
this.ssl = ssl;
this.jwks = jwks;

ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap()
.setListenerPort(port)
.register(CTX_DISCOVER, new HttpRequestHandler() {

@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleDiscoverRequest(request, response, context);
}
})
.register(CTX_KEYS, new HttpRequestHandler() {

@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleKeysRequest(request, response, context);
}
});
ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap().setListenerPort(port).setRequestRouter((request, context) -> {
if (request.getRequestUri().startsWith(CTX_DISCOVER)) {
return new HttpRequestHandler() {
@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleDiscoverRequest(request, response, context);
}
};
} else if (request.getRequestUri().startsWith(CTX_KEYS)) {
return new HttpRequestHandler() {
@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleKeysRequest(request, response, context);
}
};
} else {
return null;
}
});

if (ssl) {
serverBootstrap = serverBootstrap.setSslContext(createSSLContext()).setSslSetupHandler(new Callback<SSLParameters>() {
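Review bot: The router in the constructor dispatches on `request.getRequestUri().startsWith(CTX_DISCOVER)` and `startsWith(CTX_KEYS)`, which is looser than the pattern-based `register` calls it replaces: any URI that merely begins with the context string (a query string, or a longer path sharing the prefix) now reaches the handler, and if one constant is a prefix of the other the order of the if/else chain decides which one wins. For a test IdP that may be intended, but comparing the path (without query) with `equals` would keep the previous behaviour, and either way the choice deserves a one-line comment. The same routing pattern is introduced in src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java. The constructor starts and ends outside the hunk.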
57 changes: 29 additions & 28 deletions src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java
Expand Up @@ -195,34 +195,35 @@ class MockSamlIdpServer implements Closeable {

this.loadSigningKeys("saml/kirk-keystore.jks", "kirk");

ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap()
.setListenerPort(port)
.register(CTX_METADATA, new HttpRequestHandler() {

@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {

handleMetadataRequest(request, response, context);

}
})
.register(CTX_SAML_SSO, new HttpRequestHandler() {

@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleSsoRequest(request, response, context);
}
})
.register(CTX_SAML_SLO, new HttpRequestHandler() {

@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleSloRequest(request, response, context);
}
});
ServerBootstrap serverBootstrap = ServerBootstrap.bootstrap().setListenerPort(port).setRequestRouter((request, context) -> {
if (request.getRequestUri().startsWith(CTX_METADATA)) {
return new HttpRequestHandler() {
@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleMetadataRequest(request, response, context);
}
};
} else if (request.getRequestUri().startsWith(CTX_SAML_SSO)) {
return new HttpRequestHandler() {
@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleSsoRequest(request, response, context);
}
};
} else if (request.getRequestUri().startsWith(CTX_SAML_SLO)) {
return new HttpRequestHandler() {
@Override
public void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context) throws HttpException,
IOException {
handleSloRequest(request, response, context);
}
};
} else {
return null;
}
});

if (ssl) {

Expand Up @@ -178,7 +178,7 @@ public void testWhoAmIForceHttp1() throws Exception {
Response whoAmIRes = restHighLevelClient.getLowLevelClient().performRequest(new Request("GET", "/_plugins/_security/whoami"));
assertThat(200, is(whoAmIRes.getStatusLine().getStatusCode()));
// The HTTP/1.1 is forced and should be used instead
assertThat(HttpVersion.HTTP_1_1, is(whoAmIRes.getStatusLine().getProtocolVersion()));
assertThat(whoAmIRes.getStatusLine().getProtocolVersion(), is(HttpVersion.HTTP_1_1));
JsonNode whoAmIResNode = DefaultObjectMapper.objectMapper.readTree(whoAmIRes.getEntity().getContent());
String whoAmIResponsePayload = whoAmIResNode.toPrettyString();
assertThat(whoAmIResponsePayload, whoAmIResNode.get("dn").asText(), is("CN=spock,OU=client,O=client,L=Test,C=DE"));
Expand Up @@ -65,7 +65,7 @@ public void testTlsConfigurationNoFallback() throws Exception {
.setListenerPort(port)
.setHttpProcessor(HttpProcessors.server("Test/1.1"))
.setSslContext(createSSLContext())
.register("*", handler)
.setRequestRouter((request, context) -> handler)
.create();

server.start();
