Forward port integration tests (opensearch-project#3512)

Forward ports integration test changes from 2.11 and 2.x branches

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>

.github/workflows/ci.yml

@@ -87,8 +87,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [17]
-        platform: [ubuntu-latest, windows-latest]
+        jdk: [11, 17]
+        platform: [ubuntu-latest] # Removed windows https://github.com/opensearch-project/security/issues/3423
     runs-on: ${{ matrix.platform }}
 
     steps:
@@ -103,7 +103,6 @@ jobs:
 
     - name: Build and Test
       uses: gradle/gradle-build-action@v2
-      continue-on-error: true # Until retries are enable do not fail the workflow https://github.com/opensearch-project/security/issues/2184
       with:
         cache-disabled: true
         arguments: |
@@ -135,6 +134,7 @@ jobs:
         cache-disabled: true
         arguments: |
             integrationTest -Dbuild.snapshot=false --tests org.opensearch.security.ResourceFocusedTests
+
   backward-compatibility-build:
     runs-on: ubuntu-latest
     steps:

.github/workflows/code-hygiene.yml

@@ -43,7 +43,7 @@ jobs:
       - uses: gradle/gradle-build-action@v2
         with:
           cache-disabled: true
-          arguments: checkstyleMain checkstyleTest
+          arguments: checkstyleMain checkstyleTest checkstyleIntegrationTest
 
   spotbugs:
     runs-on: ubuntu-latest

build.gradle

@@ -432,6 +432,10 @@ configurations {
             force "com.github.luben:zstd-jni:${versions.zstd}"
             force "org.xerial.snappy:snappy-java:1.1.10.5"
             force "com.google.guava:guava:${guava_version}"
+
+            // For integrationTest
+            force "org.apache.httpcomponents:httpclient:4.5.13"
+            force "org.apache.httpcomponents:httpcore:4.4.16"
         }
     }
 
@@ -447,6 +451,7 @@ sourceSets {
             srcDir file ('src/integrationTest/java')
             compileClasspath += sourceSets.main.output
             runtimeClasspath += sourceSets.main.output
+
         }
         resources {
             srcDir file('src/integrationTest/resources')
@@ -461,9 +466,7 @@ sourceSets {
 task integrationTest(type: Test) {
     doFirst {
         // Only run resources tests on resource-test CI environments or locally
-        if (System.getenv('CI_ENVIRONMENT') == 'resource-test' || System.getenv('CI_ENVIRONMENT') == null) {
-            include '**/ResourceFocusedTests.class'
-        } else {
+        if (System.getenv('CI_ENVIRONMENT') != 'resource-test' && System.getenv('CI_ENVIRONMENT') != null) {
             exclude '**/ResourceFocusedTests.class'
         }
         // Only run with retries while in CI systems
@@ -648,6 +651,11 @@ dependencies {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
     integrationTestImplementation 'com.unboundid:unboundid-ldapsdk:4.0.14'
+    integrationTestImplementation "org.apache.httpcomponents:httpclient-cache:4.5.13"
+    integrationTestImplementation "org.apache.httpcomponents:httpclient:4.5.13"
+    integrationTestImplementation "org.apache.httpcomponents:fluent-hc:4.5.13"
+    integrationTestImplementation "org.apache.httpcomponents:httpcore:4.4.13"
+    integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
     implementation('com.google.googlejavaformat:google-java-format:1.17.0') {

src/integrationTest/java/org/opensearch/security/CrossClusterSearchTests.java

@@ -18,6 +18,7 @@
 import org.apache.commons.lang3.tuple.Pair;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
@@ -64,6 +65,7 @@
 * This is a parameterized test so that one test class is used to test security plugin behaviour when <code>ccsMinimizeRoundtrips</code>
 * option is enabled or disabled. Method {@link #parameters()} is a source of parameters values.
 */
+@Ignore("Setting up two clusters at once seems to be prone to issues where they have port mismatches")
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class CrossClusterSearchTests {

src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java

@@ -44,7 +44,14 @@
 import org.opensearch.test.framework.cluster.LocalCluster;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.*;
+import static org.hamcrest.Matchers.allOf;
+import static org.hamcrest.Matchers.aMapWithSize;
+import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
+import static org.hamcrest.Matchers.arrayWithSize;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.hasKey;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.nullValue;
 import static org.opensearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions.Type.ADD;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.client.RequestOptions.DEFAULT;

src/integrationTest/java/org/opensearch/security/IpBruteForceAttacksPreventionTests.java

@@ -26,17 +26,17 @@
 import org.opensearch.test.framework.cluster.TestRestClientConfiguration;
 import org.opensearch.test.framework.log.LogsRule;
 
-import static org.apache.hc.core5.http.HttpStatus.SC_OK;
-import static org.apache.hc.core5.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.apache.http.HttpStatus.SC_OK;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL_WITHOUT_CHALLENGE;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
 import static org.opensearch.test.framework.cluster.TestRestClientConfiguration.userWithSourceIp;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class IpBruteForceAttacksPreventionTests {
-    static final User USER_1 = new User("simple-user-1").roles(ALL_ACCESS);
-    static final User USER_2 = new User("simple-user-2").roles(ALL_ACCESS);
+    protected static final User USER_1 = new User("simple-user-1").roles(ALL_ACCESS);
+    protected static final User USER_2 = new User("simple-user-2").roles(ALL_ACCESS);
 
     public static final int ALLOWED_TRIES = 3;
     public static final int TIME_WINDOW_SECONDS = 3;
@@ -50,7 +50,7 @@ public class IpBruteForceAttacksPreventionTests {
     public static final String CLIENT_IP_8 = "127.0.0.8";
     public static final String CLIENT_IP_9 = "127.0.0.9";
 
-    static final AuthFailureListeners listener = new AuthFailureListeners().addRateLimit(
+    protected static final AuthFailureListeners listener = new AuthFailureListeners().addRateLimit(
         new RateLimiting("internal_authentication_backend_limiting").type("ip")
             .allowedTries(ALLOWED_TRIES)
             .timeWindowSeconds(TIME_WINDOW_SECONDS)
@@ -154,7 +154,7 @@ public void shouldReleaseIpAddressLock() throws InterruptedException {
         }
     }
 
-    void authenticateUserWithIncorrectPassword(String sourceIpAddress, User user, int numberOfRequests) {
+    private void authenticateUserWithIncorrectPassword(String sourceIpAddress, User user, int numberOfRequests) {
         var clientConfiguration = new TestRestClientConfiguration().username(user.getName())
             .password("incorrect password")
             .sourceInetAddress(sourceIpAddress);

src/integrationTest/java/org/opensearch/security/PointInTimeOperationTest.java

@@ -16,6 +16,7 @@
 import org.apache.commons.lang3.tuple.Pair;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
@@ -179,6 +180,7 @@ public void createPitWithIndexAlias_negative() throws IOException {
         }
     }
 
+    @Ignore("Pretty sure cleanUpPits is returning before all of the PITs have actually been deleted")
     @Test
     public void listAllPits_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(POINT_IN_TIME_USER)) {
@@ -245,6 +247,7 @@ public void deletePitCreatedWithIndexAlias_negative() throws IOException {
         }
     }
 
+    @Ignore("Pretty sure cleanUpPits is returning before all of the PITs have actually been deleted")
     @Test
     public void deleteAllPits_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(POINT_IN_TIME_USER)) {
@@ -336,7 +339,7 @@ public void listPitSegments_positive() throws IOException {
         try (TestRestClient restClient = cluster.getRestClient(LIMITED_POINT_IN_TIME_USER)) {
             String existingPitId = createPitForIndices(FIRST_SONG_INDEX);
             String body = String.format("{\"pit_id\":[\"%s\"]}", existingPitId);
-            HttpResponse response = restClient.getWithJsonBody("/_cat/pit_segments", body);
+            HttpResponse response = restClient.getWithJsonBody("_cat/pit_segments", body);
 
             response.assertStatusCode(OK.getStatus());
         }
@@ -347,7 +350,7 @@ public void listPitSegmentsCreatedWithIndexAlias_positive() throws IOException {
         try (TestRestClient restClient = cluster.getRestClient(POINT_IN_TIME_USER)) {
             String existingPitId = createPitForIndices(FIRST_INDEX_ALIAS);
             String body = String.format("{\"pit_id\":[\"%s\"]}", existingPitId);
-            HttpResponse response = restClient.getWithJsonBody("/_cat/pit_segments", body);
+            HttpResponse response = restClient.getWithJsonBody("_cat/pit_segments", body);
 
             response.assertStatusCode(OK.getStatus());
         }
@@ -358,7 +361,7 @@ public void listPitSegments_negative() throws IOException {
         try (TestRestClient restClient = cluster.getRestClient(LIMITED_POINT_IN_TIME_USER)) {
             String existingPitId = createPitForIndices(SECOND_SONG_INDEX);
             String body = String.format("{\"pit_id\":[\"%s\"]}", existingPitId);
-            HttpResponse response = restClient.getWithJsonBody("/_cat/pit_segments", body);
+            HttpResponse response = restClient.getWithJsonBody("_cat/pit_segments", body);
 
             response.assertStatusCode(FORBIDDEN.getStatus());
         }
@@ -369,7 +372,7 @@ public void listPitSegmentsCreatedWithIndexAlias_negative() throws IOException {
         try (TestRestClient restClient = cluster.getRestClient(LIMITED_POINT_IN_TIME_USER)) {
             String existingPitId = createPitForIndices(SECOND_INDEX_ALIAS);
             String body = String.format("{\"pit_id\":[\"%s\"]}", existingPitId);
-            HttpResponse response = restClient.getWithJsonBody("/_cat/pit_segments", body);
+            HttpResponse response = restClient.getWithJsonBody("_cat/pit_segments", body);
 
             response.assertStatusCode(FORBIDDEN.getStatus());
         }

src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java

@@ -139,7 +139,7 @@ private Long runResourceTest(
             CompletableFuture<Void> statPrinter = statsPrinter ? CompletableFuture.runAsync(() -> {
                 while (true) {
                     printStats();
-                    System.out.println(" & Succesful completions: " + getCount.get());
+                    System.err.println(" & Succesful completions: " + getCount.get());
                     try {
                         Thread.sleep(500);
                     } catch (Exception e) {
@@ -159,7 +159,7 @@ private Long runResourceTest(
 
             if (statsPrinter) {
                 printStats();
-                System.out.println(" & Succesful completions: " + getCount.get());
+                System.err.println(" & Succesful completions: " + getCount.get());
             }
             return getCount.get();
         }
@@ -207,7 +207,7 @@ private byte[] createCompressedRequestBody(final RequestBodySize size) {
             gzipOutputStream.finish();
 
             final byte[] compressedRequestBody = byteArrayOutputStream.toByteArray();
-            System.out.println(
+            System.err.println(
                 "^^^"
                     + String.format(
                         "Original size was %,d bytes, compressed to %,d bytes, ratio %,.2f",
@@ -223,7 +223,7 @@ private byte[] createCompressedRequestBody(final RequestBodySize size) {
     }
 
     private void printStats() {
-        System.out.println("** Stats ");
+        System.err.println("** Stats ");
         printMemory();
         printMemoryPools();
         printGCPools();
@@ -236,21 +236,21 @@ private void printMemory() {
         final long freeMemory = runtime.freeMemory(); // Amount of free memory
         final long usedMemory = totalMemory - freeMemory; // Amount of used memory
 
-        System.out.println("   Memory Total: " + totalMemory + " Free:" + freeMemory + " Used:" + usedMemory);
+        System.err.println("   Memory Total: " + totalMemory + " Free:" + freeMemory + " Used:" + usedMemory);
     }
 
     private void printMemoryPools() {
         List<MemoryPoolMXBean> memoryPools = ManagementFactory.getMemoryPoolMXBeans();
         for (MemoryPoolMXBean memoryPool : memoryPools) {
             MemoryUsage usage = memoryPool.getUsage();
-            System.out.println("   " + memoryPool.getName() + " USED: " + usage.getUsed() + " MAX: " + usage.getMax());
+            System.err.println("   " + memoryPool.getName() + " USED: " + usage.getUsed() + " MAX: " + usage.getMax());
         }
     }
 
     private void printGCPools() {
         List<GarbageCollectorMXBean> garbageCollectors = ManagementFactory.getGarbageCollectorMXBeans();
         for (GarbageCollectorMXBean garbageCollector : garbageCollectors) {
-            System.out.println("   " + garbageCollector.getName() + " COLLECTION TIME: " + garbageCollector.getCollectionTime());
+            System.err.println("   " + garbageCollector.getName() + " COLLECTION TIME: " + garbageCollector.getCollectionTime());
         }
     }
 

src/integrationTest/java/org/opensearch/security/SearchOperationTest.java

@@ -975,6 +975,7 @@ public void shouldIndexDocumentInBulkRequest_positive() throws IOException {
         auditLogsRule.assertAtLeast(2, grantedPrivilege(LIMITED_WRITE_USER, "PutMappingRequest"));// sometimes 2 or 4
     }
 
+    @Ignore("Audit log verification is shown to be flaky in this test")
     @Test
     public void shouldIndexDocumentInBulkRequest_partiallyPositive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1029,6 +1030,7 @@ public void shouldIndexDocumentInBulkRequest_negative() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(LIMITED_WRITE_USER, "BulkShardRequest").withIndex(SONG_INDEX_NAME));
     }
 
+    @Ignore("Audit log verification is shown to be flaky in this test")
     @Test
     public void shouldUpdateDocumentsInBulk_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1056,6 +1058,7 @@ public void shouldUpdateDocumentsInBulk_positive() throws IOException {
 
     }
 
+    @Ignore("Audit log verification is shown to be flaky in this test")
     @Test
     public void shouldUpdateDocumentsInBulk_partiallyPositive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1140,6 +1143,7 @@ public void shouldDeleteDocumentInBulk_positive() throws IOException {
         auditLogsRule.assertExactly(6, auditPredicate(INDEX_EVENT).withEffectiveUser(LIMITED_WRITE_USER));
     }
 
+    @Ignore("Audit log verification is shown to be flaky in this test")
     @Test
     public void shouldDeleteDocumentInBulk_partiallyPositive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1198,6 +1202,7 @@ public void shouldDeleteDocumentInBulk_negative() throws IOException {
 
     }
 
+    @Ignore("Seems like reindixing isn't completing before the test proceeds")
     @Test
     public void shouldReindexDocuments_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(REINDEXING_USER)) {
@@ -1223,6 +1228,7 @@ public void shouldReindexDocuments_positive() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(REINDEXING_USER, "ClearScrollRequest"));
     }
 
+    @Ignore("Seems like reindixing isn't completing before the test proceeds")
     @Test
     public void shouldReindexDocuments_negativeSource() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(REINDEXING_USER)) {
@@ -1237,6 +1243,7 @@ public void shouldReindexDocuments_negativeSource() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(REINDEXING_USER, "SearchRequest"));
     }
 
+    @Ignore("Seems like reindixing isn't completing before the test proceeds")
     @Test
     public void shouldReindexDocuments_negativeDestination() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(REINDEXING_USER)) {
@@ -1255,6 +1262,7 @@ public void shouldReindexDocuments_negativeDestination() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(REINDEXING_USER, "ClearScrollRequest"));
     }
 
+    @Ignore("Seems like reindixing isn't completing before the test proceeds")
     @Test
     public void shouldReindexDocuments_negativeSourceAndDestination() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(REINDEXING_USER)) {
@@ -1327,6 +1335,7 @@ public void shouldDeleteDocument_negative() throws IOException {
         }
     }
 
+    @Ignore("Create alias / delete alias isn't resolving in a timely manner for this test")
     @Test
     public void shouldCreateAlias_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_READ_USER)) {
@@ -1344,6 +1353,7 @@ public void shouldCreateAlias_positive() throws IOException {
         auditLogsRule.assertExactly(2, auditPredicate(INDEX_EVENT).withEffectiveUser(LIMITED_READ_USER));
     }
 
+    @Ignore("Create alias / delete alias isn't resolving in a timely manner for this test")
     @Test
     public void shouldCreateAlias_negative() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_READ_USER)) {
@@ -1361,6 +1371,7 @@ public void shouldCreateAlias_negative() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(LIMITED_READ_USER, "IndicesAliasesRequest"));
     }
 
+    @Ignore("Create alias / delete alias isn't resolving in a timely manner for this test")
     @Test
     public void shouldDeleteAlias_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_READ_USER)) {
@@ -1398,6 +1409,7 @@ public void shouldDeleteAlias_negative() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(LIMITED_READ_USER, "IndicesAliasesRequest"));
     }
 
+    @Ignore("Create alias / delete alias isn't resolving in a timely manner for this test")
     @Test
     public void shouldCreateIndexTemplate_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1479,6 +1491,7 @@ public void shouldDeleteTemplate_negative() throws IOException {
         auditLogsRule.assertExactlyOne(missingPrivilege(LIMITED_READ_USER, "DeleteIndexTemplateRequest"));
     }
 
+    @Ignore("Create alias / delete alias isn't resolving in a timely manner for this test")
     @Test
     public void shouldUpdateTemplate_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_WRITE_USER)) {
@@ -1765,6 +1778,7 @@ public void shouldDeleteSnapshot_negative() throws IOException {
         auditLogsRule.assertAtLeast(2, grantedPrivilege(LIMITED_WRITE_USER, "GetSnapshotsRequest"));
     }
 
+    @Ignore("Audit log entries verifcation isn't always consistant")
     @Test
     public void shouldRestoreSnapshot_positive() throws IOException {
         final String snapshotName = "restore-snapshot-positive";

src/integrationTest/java/org/opensearch/security/SecurityRolesTests.java

@@ -12,7 +12,7 @@
 package org.opensearch.security;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import org.apache.hc.core5.http.HttpStatus;
+import org.apache.http.HttpStatus;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;