From 2178bb2a2be3d9b7bb5a3a60072bf4e7028c4866 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Wed, 24 Aug 2022 09:56:51 -0400 Subject: [PATCH 1/7] Support for HTTP/2 (server-side) Signed-off-by: Andriy Redko --- build.gradle | 3 +- bwc-test/build.gradle | 2 +- .../kerberos/HTTPSpnegoAuthenticator.java | 2 +- .../saml/SamlFilesystemMetadataResolver.java | 2 +- .../security/OpenSearchSecurityPlugin.java | 4 +- .../auditlog/impl/AbstractAuditLog.java | 2 +- .../ConfigurationRepository.java | 2 +- .../security/ssl/DefaultSecurityKeyStore.java | 57 +++++++++++++++---- .../SecuritySSLNettyHttpServerTransport.java | 30 +++++++++- .../security/ssl/util/SSLRequestHelper.java | 16 ++++-- .../security/support/PemKeyReader.java | 4 +- .../security/RolesInjectorIntegTest.java | 8 +-- .../security/RolesValidationIntegTest.java | 8 +-- .../security/SlowIntegrationTests.java | 8 +-- .../TransportUserInjectorIntegTest.java | 12 ++-- .../ccstest/CrossClusterSearchTests.java | 6 +- .../dlic/dlsfls/CCReplicationTest.java | 10 ++-- .../opensearch/security/ssl/OpenSSLTest.java | 4 +- .../org/opensearch/security/ssl/SSLTest.java | 6 +- .../helper/cluster/ClusterConfiguration.java | 14 ++--- 20 files changed, 134 insertions(+), 66 deletions(-) diff --git a/build.gradle b/build.gradle index 726dd06d6f..b1cb4323bd 100644 --- a/build.gradle +++ b/build.gradle @@ -15,7 +15,7 @@ import org.opensearch.gradle.test.RestIntegTestTask buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.4.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") @@ -56,6 +56,7 @@ plugins { id 'checkstyle' id 'nebula.ospackage' version "8.3.0" id "org.gradle.test-retry" version "1.3.1" + id 'eclipse' } allprojects { 
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 583d9d173c..008fb9b5f0 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -47,7 +47,7 @@ ext { buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.4.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") opensearch_group = "org.opensearch" } repositories { diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java index 812ca4f82f..3603aeb94e 100644 --- a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java @@ -70,7 +70,7 @@ public class HTTPSpnegoAuthenticator implements HTTPAuthenticator { public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) { super(); try { - final Path configDir = new Environment(settings, configPath).configFile(); + final Path configDir = new Environment(settings, configPath).configDir(); final String krb5PathSetting = settings.get("plugins.security.kerberos.krb5_filepath"); final SecurityManager sm = System.getSecurityManager(); diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java index 80f272b43b..302b1f41ea 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java 
@@ -51,6 +51,6 @@ public byte[] run() throws ResolverException { private static File getMetadataFile(String filePath, Settings settings, Path configPath) { Environment env = new Environment(settings, configPath); - return env.configFile().resolve(filePath).toAbsolutePath().toFile(); + return env.configDir().resolve(filePath).toAbsolutePath().toFile(); } } diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 66530cfaed..69dce00d41 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -326,7 +326,7 @@ public Object run() { final List filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction>() { @Override public List run() { - final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath(); + final Path confPath = new Environment(settings, configPath).configDir().toAbsolutePath(); if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) { try (Stream s = Files.walk(confPath)) { return s.distinct().filter(p -> checkFilePermissions(p)).collect(Collectors.toList()); @@ -356,7 +356,7 @@ public List run() { final List files = AccessController.doPrivileged(new PrivilegedAction>() { @Override public List run() { - final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath(); + final Path confPath = new Environment(settings, configPath).configDir().toAbsolutePath(); if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) { try (Stream s = Files.walk(confPath)) { return s.distinct().map(p -> sha256(p)).collect(Collectors.toList()); diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index bc5e240c77..d6f59028fa 100644 
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java @@ -560,7 +560,7 @@ public Map run() { (key.contains("filepath") || key.contains("file_path"))) { String value = settings.get(key); if(value != null && !value.isEmpty()) { - Path path = value.startsWith("/")?Paths.get(value):environment.configFile().resolve(value); + Path path = value.startsWith("/")?Paths.get(value):environment.configDir().resolve(value); paths.put(key, path); } } diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java index 81f5c5d60d..5a8c9a069c 100644 --- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java +++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java @@ -120,7 +120,7 @@ public void run() { try { String lookupDir = System.getProperty("security.default_init.dir"); - final String cd = lookupDir != null? (lookupDir+"/") : new Environment(settings, configPath).configFile().toAbsolutePath().toString()+"/opensearch-security/"; + final String cd = lookupDir != null? (lookupDir+"/") : new Environment(settings, configPath).configDir().toAbsolutePath().toString()+"/opensearch-security/"; File confFile = new File(cd+"config.yml"); if(confFile.exists()) { final ThreadContext threadContext = threadPool.getThreadContext(); diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index 72d18fc0c9..de9854c788 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java 
@@ -42,6 +42,8 @@ import java.util.Set; import java.util.function.Function; import java.util.stream.Collectors; +import java.util.stream.Stream; +import java.util.stream.StreamSupport; import javax.crypto.Cipher; import javax.net.ssl.SSLContext; @@ -49,12 +51,18 @@ import javax.net.ssl.SSLException; import javax.net.ssl.SSLParameters; +import io.netty.handler.codec.http2.Http2SecurityUtil; import io.netty.handler.ssl.ApplicationProtocolConfig; +import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol; +import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior; +import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior; +import io.netty.handler.ssl.ApplicationProtocolNames; import io.netty.handler.ssl.ClientAuth; import io.netty.handler.ssl.OpenSsl; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslContextBuilder; import io.netty.handler.ssl.SslProvider; +import io.netty.handler.ssl.SupportedCipherSuiteFilter; import io.netty.util.internal.PlatformDependent; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -226,8 +234,8 @@ private String resolve(String propName, boolean mustBeValid) { log.debug("Value for {} is {}", propName, originalPath); if (env != null && originalPath != null && originalPath.length() > 0) { - path = env.configFile().resolve(originalPath).toAbsolutePath().toString(); - log.debug("Resolved {} to {} against {}", originalPath, path, env.configFile().toAbsolutePath().toString()); + path = env.configDir().resolve(originalPath).toAbsolutePath().toString(); + log.debug("Resolved {} to {} against {}", originalPath, path, env.configDir().toAbsolutePath().toString()); } if (mustBeValid) { 
@@ -247,7 +255,7 @@ private void initSSLConfig() { log.info("No config directory, key- and truststore files are resolved absolutely"); } else { log.info("Config directory is {}/, from there the key- and truststore files are resolved relatively", - env.configFile().toAbsolutePath()); + env.configDir().toAbsolutePath()); } @@ -426,7 +434,7 @@ public void initTransportSSLConfig() { /** * Initializes certs used for client https communication */ - public void initHttpSSLConfig() { + public void initHttpSSLConfig() { final boolean useKeyStore = settings.hasValue(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH); final boolean useRawFiles = settings.hasValue(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH); final ClientAuth httpClientAuthMode = ClientAuth.valueOf(settings 
@@ -879,10 +887,24 @@ private SslContext buildSSLServerContext(final PrivateKey _key, final X509Certif final X509Certificate[] _trustedCerts, final Iterable ciphers, final SslProvider sslProvider, final ClientAuth authMode) throws SSLException { - final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert).ciphers(ciphers) - .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED) + final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert) + .ciphers(Stream + .concat( + Http2SecurityUtil.CIPHERS.stream(), + StreamSupport.stream(ciphers.spliterator(), false)) + .collect(Collectors.toSet()), SupportedCipherSuiteFilter.INSTANCE) .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722 - .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider); + .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider) + .applicationProtocolConfig( + new ApplicationProtocolConfig( + Protocol.ALPN, + // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. + SelectorFailureBehavior.NO_ADVERTISE, + // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers. + SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2, + ApplicationProtocolNames.HTTP_1_1 + )); if (_trustedCerts != null && _trustedCerts.length > 0) { _sslContextBuilder.trustManager(_trustedCerts); 
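Review bot: The list handed to `.ciphers(...)` is now the union of `Http2SecurityUtil.CIPHERS` and the caller's `ciphers`, so a node whose suites were deliberately restricted ends up with additional suites enabled, and `Collectors.toSet()` discards the order of the configured list. The callers are outside this hunk, but if `ciphers` carries the operator's configured allow-list it should stay authoritative, for example `.ciphers(ciphers, SupportedCipherSuiteFilter.INSTANCE)` with `h2` offered only when that list contains an HTTP/2-suitable suite. At minimum, collect with `Collectors.toCollection(LinkedHashSet::new)` to keep the order. The identical builder chain appears again in the `File`-based `buildSSLServerContext` overload (the hunk at -895), so the point applies there too, and a shared private helper would keep the two in step. If this method also builds the transport-layer server context, ALPN would be switched on there as well, which is worth confirming.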
@@ -895,11 +917,24 @@ private SslContext buildSSLServerContext(final File _key, final File _cert, fina final String pwd, final Iterable ciphers, final SslProvider sslProvider, final ClientAuth authMode) throws SSLException { - final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd).ciphers(ciphers) - .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED) + final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd) + .ciphers(Stream + .concat( + Http2SecurityUtil.CIPHERS.stream(), + StreamSupport.stream(ciphers.spliterator(), false)) + .collect(Collectors.toSet()), SupportedCipherSuiteFilter.INSTANCE) .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722 - .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider); - + .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider) + .applicationProtocolConfig( + new ApplicationProtocolConfig( + Protocol.ALPN, + // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. + SelectorFailureBehavior.NO_ADVERTISE, + // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers. + SelectedListenerFailureBehavior.ACCEPT, + ApplicationProtocolNames.HTTP_2, + ApplicationProtocolNames.HTTP_1_1 + )); if (_trustedCerts != null) { _sslContextBuilder.trustManager(_trustedCerts); } diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java index 5e604beb87..f56a26d17b 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java 
@@ -19,7 +19,10 @@ import io.netty.channel.Channel; import io.netty.channel.ChannelHandler; +import io.netty.channel.ChannelHandlerContext; import io.netty.handler.codec.DecoderException; +import io.netty.handler.ssl.ApplicationProtocolNames; +import io.netty.handler.ssl.ApplicationProtocolNegotiationHandler; import io.netty.handler.ssl.SslHandler; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -72,7 +75,27 @@ public void onException(HttpChannel channel, Exception cause0) { } protected class SSLHttpChannelHandler extends Netty4HttpServerTransport.HttpChannelHandler { - + /** + * Application negotiation handler to select either HTTP 1.1 or HTTP 2 protocol, based + * on client/server ALPN negotiations. + */ + private class Http2OrHttpHandler extends ApplicationProtocolNegotiationHandler { + protected Http2OrHttpHandler() { + super(ApplicationProtocolNames.HTTP_1_1); + } + + @Override + protected void configurePipeline(ChannelHandlerContext ctx, String protocol) throws Exception { + if (ApplicationProtocolNames.HTTP_2.equals(protocol)) { + configureDefaultHttp2Pipeline(ctx.pipeline()); + } else if (ApplicationProtocolNames.HTTP_1_1.equals(protocol)) { + configureDefaultHttpPipeline(ctx.pipeline()); + } else { + throw new IllegalStateException("Unknown application protocol: " + protocol); + } + } + } + protected SSLHttpChannelHandler(Netty4HttpServerTransport transport, final HttpHandlingSettings handlingSettings, final SecurityKeyStore odsks) { super(transport, handlingSettings); } @@ -83,5 +106,10 @@ protected void initChannel(Channel ch) throws Exception { final SslHandler sslHandler = new SslHandler(SecuritySSLNettyHttpServerTransport.this.sks.createHTTPSSLEngine()); ch.pipeline().addFirst("ssl_http", sslHandler); } + + @Override + protected void configureDefaultPipeline(Channel ch) { + ch.pipeline().addLast(new Http2OrHttpHandler()); + } } } 
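Review bot: TLS handshake failures may no longer reach this transport's `onException(HttpChannel, Exception)` handling once `Http2OrHttpHandler` is in the pipeline, because Netty's `ApplicationProtocolNegotiationHandler` (as far as I know) logs such a failure itself and closes the channel. It is worth confirming that any SSL-error logging attached to `onException` still fires for a failed handshake; if it does not, an override of `handshakeFailure(ChannelHandlerContext, Throwable)` in this class that routes the cause into the existing error handling would restore it. The class comment could also state the fallback explicitly, e.g. `Clients that negotiate no protocol via ALPN are served HTTP/1.1.`, since that follows from `super(ApplicationProtocolNames.HTTP_1_1)`. A `protected` constructor on a `private` inner class has no effect, so `private` would state the intent more plainly.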
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java index 5bd72fba5d..3ec6649013 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java @@ -109,12 +109,16 @@ public static SSLInfo getSSLInfo(final Settings settings, final Path configPath, return null; } - final SslHandler sslhandler = (SslHandler) ((Netty4HttpChannel)request.getHttpChannel()).getNettyChannel().pipeline().get("ssl_http"); - + final Netty4HttpChannel httpChannel = (Netty4HttpChannel)request.getHttpChannel(); + SslHandler sslhandler = (SslHandler) httpChannel.getNettyChannel().pipeline().get("ssl_http"); + if(sslhandler == null && httpChannel.inboundPipeline() != null) { + sslhandler = (SslHandler) httpChannel.inboundPipeline().get("ssl_http"); + } + if(sslhandler == null) { return null; } - + final SSLEngine engine = sslhandler.engine(); final SSLSession session = engine.getSession(); @@ -199,7 +203,7 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett final String crlFile = settings.get(SSLConfigConstants.SSECURITY_SSL_HTTP_CRL_FILE); if(crlFile != null) { - final File crl = env.configFile().resolve(crlFile).toAbsolutePath().toFile(); + final File crl = env.configDir().resolve(crlFile).toAbsolutePath().toFile(); try(FileInputStream crlin = new FileInputStream(crl)) { crls = CertificateFactory.getInstance("X.509").generateCRLs(crlin); } 
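Review bot: The fallback to `httpChannel.inboundPipeline()` in `getSSLInfo` has no comment saying why a second pipeline is consulted, and the handler name `"ssl_http"` is now a string literal in two lookups here plus the registration in `SecuritySSLNettyHttpServerTransport`. Presumably HTTP/2 requests arrive on a per-stream channel whose own pipeline has no `SslHandler`; if so, a comment such as `// HTTP/2: the request channel is a stream child, the SslHandler sits on the connection (inbound) pipeline` and a shared constant for the name would make that explicit. Because a `null` return means the caller gets no SSL information for the request, a test that performs client-certificate authentication over HTTP/2 would guard this lookup; none is visible in the part of the patch shown here. The body of `getSSLInfo` continues beyond the hunk.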
@@ -222,12 +226,12 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett //final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null); final KeyStore ts = KeyStore.getInstance(truststoreType); - try(FileInputStream fin = new FileInputStream(new File(env.configFile().resolve(truststore).toAbsolutePath().toString()))) { + try(FileInputStream fin = new FileInputStream(new File(env.configDir().resolve(truststore).toAbsolutePath().toString()))) { ts.load(fin, (truststorePassword == null || truststorePassword.length() == 0) ?null:truststorePassword.toCharArray()); } validator = new CertificateValidator(ts, crls); } else { - final File trustedCas = env.configFile().resolve(settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); + final File trustedCas = env.configDir().resolve(settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); try(FileInputStream trin = new FileInputStream(trustedCas)) { Collection cert = (Collection) CertificateFactory.getInstance("X.509").generateCertificates(trin); validator = new CertificateValidator(cert.toArray(new X509Certificate[0]), crls); diff --git a/src/main/java/org/opensearch/security/support/PemKeyReader.java b/src/main/java/org/opensearch/security/support/PemKeyReader.java index 66d1af8799..fb3a595f9e 100644 --- a/src/main/java/org/opensearch/security/support/PemKeyReader.java +++ b/src/main/java/org/opensearch/security/support/PemKeyReader.java 
@@ -329,8 +329,8 @@ public static String resolve(String originalPath, String propName, Settings sett final Environment env = new Environment(settings, configPath); if(env != null && originalPath != null && originalPath.length() > 0) { - path = env.configFile().resolve(originalPath).toAbsolutePath().toString(); - log.debug("Resolved {} to {} against {}", originalPath, path, env.configFile().toAbsolutePath().toString()); + path = env.configDir().resolve(originalPath).toAbsolutePath().toString(); + log.debug("Resolved {} to {} against {}", originalPath, path, env.configDir().toAbsolutePath().toString()); } if(mustBeValid) { diff --git a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java index 8a4129e32b..06f7d31507 100644 --- a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java @@ -49,7 +49,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class RolesInjectorIntegTest extends SingleClusterTest { @@ -97,7 +97,7 @@ public void testRolesInject() throws Exception { .build(); //1. Without roles injection. - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); 
@@ -110,7 +110,7 @@ public void testRolesInject() throws Exception { //2. With invalid roles, must throw security exception. RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; Exception exception = null; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); @@ -124,7 +124,7 @@ public void testRolesInject() throws Exception { //3. With valid roles - which has permission to create index. RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); diff --git a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java index 57a2d45a28..36626b3428 100644 --- a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java 
@@ -43,7 +43,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class RolesValidationIntegTest extends SingleClusterTest { @@ -88,7 +88,7 @@ public void testRolesValidation() throws Exception { .build(); // 1. Without roles validation - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -100,7 +100,7 @@ public void testRolesValidation() throws Exception { OpenSearchSecurityException exception = null; // 2. with roles invalid to the user RolesValidationPlugin.rolesValidation = "invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); 
@@ -112,7 +112,7 @@ public void testRolesValidation() throws Exception { // 3. with roles valid to the user RolesValidationPlugin.rolesValidation = "opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index fd01dc7bdd..c08e3e3fd6 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java @@ -47,7 +47,7 @@ import org.opensearch.security.test.helper.cluster.ClusterConfiguration; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public class SlowIntegrationTests extends SingleClusterTest { @@ -84,7 +84,7 @@ public void testNodeClientAllowedWithServerCertificate() throws Exception { log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Assert.assertFalse(node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes(String.valueOf(clusterInfo.numNodes+1))).actionGet().isTimedOut()); Assert.assertEquals(clusterInfo.numNodes+1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } 
@@ -113,7 +113,7 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Thread.sleep(10000); Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } catch (Exception e) { @@ -144,7 +144,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Thread.sleep(10000); Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } catch (Exception e) { diff --git a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java index 4f3105501f..8ad576be53 100644 --- a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java @@ -41,7 +41,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class TransportUserInjectorIntegTest extends SingleClusterTest { 
@@ -88,7 +88,7 @@ public void testSecurityUserInjection() throws Exception { // 1. without user injection - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -99,7 +99,7 @@ public void testSecurityUserInjection() throws Exception { // 2. with invalid backend roles UserInjectorPlugin.injectedUser = "ttt|kkk"; Exception exception = null; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); @@ -113,7 +113,7 @@ public void testSecurityUserInjection() throws Exception { // 3. with valid backend roles for injected user UserInjectorPlugin.injectedUser = "injectedadmin|injecttest"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); 
@@ -141,7 +141,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { .build(); // 1. without user injection - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -150,7 +150,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { // with invalid backend roles UserInjectorPlugin.injectedUser = "ttt|kkk"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index acd5e37b68..69141be6e6 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -59,7 +59,7 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsString; 
@@ -1021,7 +1021,7 @@ public void testCcsWithRoleInjection() throws Exception { System.out.println("###################### with invalid role injection"); //1. With invalid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); @@ -1041,7 +1041,7 @@ public void testCcsWithRoleInjection() throws Exception { System.out.println("###################### with valid role injection"); //2. With valid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java index 720f59980d..fb557f038b 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java 
@@ -64,7 +64,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.transport.TransportService; import org.opensearch.watcher.ResourceWatcherService; // CS-ENFORCE-SINGLE @@ -199,7 +199,7 @@ public void testReplication() throws Exception { // Set roles for the user MockReplicationPlugin.injectedRoles = "ccr_user|opendistro_security_human_resources_trainee"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-dls"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { @@ -209,7 +209,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-fls"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { 
@@ -219,7 +219,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-masking"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { @@ -229,7 +229,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-normal"); AcknowledgedResponse res = node.client().execute(MockReplicationAction.INSTANCE, new MockReplicationRequest("hr-normal")).actionGet(); Assert.assertTrue(res.isAcknowledged()); diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java index 961eadeab5..7b97112a27 100644 --- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java @@ -43,7 +43,7 @@ import org.opensearch.security.test.AbstractSecurityUnitTest; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public class OpenSSLTest extends SSLTest { private static final String USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY = "opensearch.unsafe.use_netty_default_allocator"; 
@@ -218,7 +218,7 @@ public void testNodeClientSSLwithOpenSslTLSv13() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java index ab28b4a88f..e028ac82e3 100644 --- a/src/test/java/org/opensearch/security/ssl/SSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java @@ -60,7 +60,7 @@ import org.opensearch.security.test.SingleClusterTest; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; @SuppressWarnings({"resource", "unchecked"}) public class SSLTest extends SingleClusterTest { @@ -507,7 +507,7 @@ public void testNodeClientSSL() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(15))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); 
@@ -698,7 +698,7 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java index 05815c55f3..871cf5a59d 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java 
@@ -34,15 +34,15 @@ import com.google.common.collect.Lists; -import org.opensearch.index.reindex.ReindexPlugin; -import org.opensearch.join.ParentJoinPlugin; -import org.opensearch.percolator.PercolatorPlugin; +import org.opensearch.index.reindex.ReindexModulePlugin; +import org.opensearch.join.ParentJoinModulePlugin; +import org.opensearch.percolator.PercolatorModulePlugin; import org.opensearch.plugins.Plugin; -import org.opensearch.script.mustache.MustachePlugin; -import org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin; +import org.opensearch.script.mustache.MustacheModulePlugin; +import org.opensearch.search.aggregations.matrix.MatrixAggregationModulePlugin; import org.opensearch.security.OpenSearchSecurityPlugin; import org.opensearch.security.test.plugin.UserInjectorPlugin; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public enum ClusterConfiguration { //first one needs to be a cluster manager @@ -109,7 +109,7 @@ public int getClientNodes() { public static class NodeSettings { public boolean clusterManagerNode; public boolean dataNode; - public List> plugins = Lists.newArrayList(Netty4Plugin.class, OpenSearchSecurityPlugin.class, MatrixAggregationPlugin.class, MustachePlugin.class, ParentJoinPlugin.class, PercolatorPlugin.class, ReindexPlugin.class); + public List> plugins = Lists.newArrayList(Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MatrixAggregationModulePlugin.class, MustacheModulePlugin.class, ParentJoinModulePlugin.class, PercolatorModulePlugin.class, ReindexModulePlugin.class); public NodeSettings(boolean clusterManagerNode, boolean dataNode) { super(); From d0d88040af06614fffb4fddf79f4f40bfe55dbcc Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Fri, 26 Aug 2022 11:00:20 -0400 Subject: [PATCH 2/7] Addressing code review comments 
Signed-off-by: Andriy Redko --- .../security/ssl/DefaultSecurityKeyStore.java | 39 +++++++------------ .../SecuritySSLNettyHttpServerTransport.java | 2 +- 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index de9854c788..54dfaf6306 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java @@ -887,24 +887,8 @@ private SslContext buildSSLServerContext(final PrivateKey _key, final X509Certif final X509Certificate[] _trustedCerts, final Iterable ciphers, final SslProvider sslProvider, final ClientAuth authMode) throws SSLException { - final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_key, _cert) - .ciphers(Stream - .concat( - Http2SecurityUtil.CIPHERS.stream(), - StreamSupport.stream(ciphers.spliterator(), false)) - .collect(Collectors.toSet()), SupportedCipherSuiteFilter.INSTANCE) - .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722 - .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider) - .applicationProtocolConfig( - new ApplicationProtocolConfig( - Protocol.ALPN, - // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers. - SelectorFailureBehavior.NO_ADVERTISE, - // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers. - SelectedListenerFailureBehavior.ACCEPT, - ApplicationProtocolNames.HTTP_2, - ApplicationProtocolNames.HTTP_1_1 - )); + final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(SslContextBuilder.forServer(_key, _cert), + sslProvider, ciphers, authMode); if (_trustedCerts != null && _trustedCerts.length > 0) { _sslContextBuilder.trustManager(_trustedCerts); 
@@ -917,7 +901,19 @@ private SslContext buildSSLServerContext(final File _key, final File _cert, fina final String pwd, final Iterable ciphers, final SslProvider sslProvider, final ClientAuth authMode) throws SSLException { - final SslContextBuilder _sslContextBuilder = SslContextBuilder.forServer(_cert, _key, pwd) + final SslContextBuilder _sslContextBuilder = configureSSLServerContextBuilder(SslContextBuilder.forServer(_cert, _key, pwd), + sslProvider, ciphers, authMode); + + if (_trustedCerts != null) { + _sslContextBuilder.trustManager(_trustedCerts); + } + + return buildSSLContext0(_sslContextBuilder); + } + + private SslContextBuilder configureSSLServerContextBuilder(final SslContextBuilder builder, final SslProvider sslProvider, + final Iterable ciphers, final ClientAuth authMode) { + return builder .ciphers(Stream .concat( Http2SecurityUtil.CIPHERS.stream(), @@ -935,11 +931,6 @@ private SslContext buildSSLServerContext(final File _key, final File _cert, fina ApplicationProtocolNames.HTTP_2, ApplicationProtocolNames.HTTP_1_1 )); - if (_trustedCerts != null) { - _sslContextBuilder.trustManager(_trustedCerts); - } - - return buildSSLContext0(_sslContextBuilder); } private SslContext buildSSLClientContext(final PrivateKey _key, final X509Certificate[] _cert, diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java index f56a26d17b..aa191201da 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java @@ -108,7 +108,7 @@ protected void initChannel(Channel ch) throws Exception { } @Override - protected void configureDefaultPipeline(Channel ch) { + protected void configurePipeline(Channel ch) { ch.pipeline().addLast(new Http2OrHttpHandler()); } } 
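Review bot: The new `configureSSLServerContextBuilder` helper always unions the configured `ciphers` with `Http2SecurityUtil.CIPHERS`, so a deployment that deliberately narrows its cipher list still gets the HTTP/2 suites enabled. Collecting into a plain `Set` also discards whatever order the configured list expressed. Both `buildSSLServerContext` overloads (this hunk and the `PrivateKey` one in the preceding hunk) now go through the helper; their callers are outside the hunks, so if either overload also builds a non-HTTP listener's context, that listener would inherit the extra suites and the `h2`/`http/1.1` ALPN advertisement. I would keep the configured list authoritative when one is set, or at minimum preserve its order with `.collect(Collectors.toCollection(LinkedHashSet::new))` and add a comment on the helper: `// HTTP/2 cipher suites are always appended to the configured list`.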
From 4c8730dcd10243c931800927fa360b8a4aa22b1b Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Tue, 20 Sep 2022 14:55:40 -0400 Subject: [PATCH 3/7] Fixed ClusterManager compilation issues Signed-off-by: Andriy Redko --- .../test/framework/cluster/ClusterManager.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java index 005321b24c..760820a3b6 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java +++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java @@ -36,13 +36,13 @@ import java.util.Objects; import java.util.stream.Collectors; -import org.opensearch.index.reindex.ReindexPlugin; -import org.opensearch.join.ParentJoinPlugin; -import org.opensearch.percolator.PercolatorPlugin; +import org.opensearch.index.reindex.ReindexModulePlugin; +import org.opensearch.join.ParentJoinModulePlugin; +import org.opensearch.percolator.PercolatorModulePlugin; import org.opensearch.plugins.Plugin; -import org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin; +import org.opensearch.search.aggregations.matrix.MatrixAggregationModulePlugin; import org.opensearch.security.OpenSearchSecurityPlugin; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import static java.util.Collections.unmodifiableList; import static org.opensearch.test.framework.cluster.NodeType.CLIENT; 
@@ -98,8 +98,8 @@ public int getClientNodes() { public static class NodeSettings { - private final static List> DEFAULT_PLUGINS = List.of(Netty4Plugin.class, OpenSearchSecurityPlugin.class, - MatrixAggregationPlugin.class, ParentJoinPlugin.class, PercolatorPlugin.class, ReindexPlugin.class); + private final static List> DEFAULT_PLUGINS = List.of(Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, + MatrixAggregationModulePlugin.class, ParentJoinModulePlugin.class, PercolatorModulePlugin.class, ReindexModulePlugin.class); public final boolean clusterManagerNode; public final boolean dataNode; public final List> plugins; From 7417a9b600cf9059ce493328ff43b3583dc15103 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Tue, 20 Sep 2022 15:00:02 -0400 Subject: [PATCH 4/7] Fixing bwc test version Signed-off-by: Andriy Redko --- bwc-test/build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 008fb9b5f0..6780800779 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -76,13 +76,13 @@ dependencies { String bwcVersion = "2.3.0.0"; String baseName = "securityBwcCluster" String bwcFilePath = "src/test/resources/" -String projectVersion = "2.4.0.0" +String projectVersion = "3.0.0.0" 2.times {i -> testClusters { "${baseName}$i" { testDistribution = "ARCHIVE" - versions = ["2.3.0","2.4.0"] + versions = ["2.3.0","3.0.0"] numberOfNodes = 3 plugin(provider(new Callable() { @Override From 6ed7c42d2e53376495dd488fffafc926c8830995 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Fri, 23 Sep 2022 16:03:32 -0400 Subject: [PATCH 5/7] Removed outdated comment Signed-off-by: Andriy Redko --- .../org/opensearch/security/ssl/DefaultSecurityKeyStore.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index 54dfaf6306..8562ea20e7 100644 
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java @@ -919,7 +919,7 @@ private SslContextBuilder configureSSLServerContextBuilder(final SslContextBuild Http2SecurityUtil.CIPHERS.stream(), StreamSupport.stream(ciphers.spliterator(), false)) .collect(Collectors.toSet()), SupportedCipherSuiteFilter.INSTANCE) - .clientAuth(Objects.requireNonNull(authMode)) // https://github.com/netty/netty/issues/4722 + .clientAuth(Objects.requireNonNull(authMode)) .sessionCacheSize(0).sessionTimeout(0).sslProvider(sslProvider) .applicationProtocolConfig( new ApplicationProtocolConfig( From 6bc350e3861bf728f11d2149436c22c556d335f8 Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Fri, 23 Sep 2022 17:14:55 -0400 Subject: [PATCH 6/7] Fixing exception propagation from Http2OrHttpHandler to server transport Signed-off-by: Andriy Redko --- .../SecuritySSLNettyHttpServerTransport.java | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java index aa191201da..c2df3cbf98 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java @@ -24,6 +24,7 @@ import io.netty.handler.ssl.ApplicationProtocolNames; import io.netty.handler.ssl.ApplicationProtocolNegotiationHandler; import io.netty.handler.ssl.SslHandler; +import io.netty.util.AttributeKey; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -34,6 +35,7 @@ import org.opensearch.common.xcontent.NamedXContentRegistry; import org.opensearch.http.HttpChannel; import org.opensearch.http.HttpHandlingSettings; +import org.opensearch.http.netty4.Netty4HttpChannel; import org.opensearch.http.netty4.Netty4HttpServerTransport; import org.opensearch.security.ssl.SecurityKeyStore; import org.opensearch.security.ssl.SslExceptionHandler; @@ -41,6 +43,7 @@ import org.opensearch.transport.SharedGroupFactory; public class SecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport { + static final AttributeKey HTTP_CHANNEL_KEY = AttributeKey.valueOf("opensearch-http-channel"); private static final Logger logger = LogManager.getLogger(SecuritySSLNettyHttpServerTransport.class); private final SecurityKeyStore sks; @@ -94,6 +97,19 @@ protected void configurePipeline(ChannelHandlerContext ctx, String protocol) thr throw new IllegalStateException("Unknown application protocol: " + protocol); } } + + @Override + public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception { + super.exceptionCaught(ctx, cause); + Netty4HttpChannel channel = ctx.channel().attr(HTTP_CHANNEL_KEY).get(); + if (channel != null) { + if (cause instanceof Error) { + onException(channel, new Exception(cause)); + } else { + onException(channel, (Exception) cause); + } + } + } } protected SSLHttpChannelHandler(Netty4HttpServerTransport transport, final HttpHandlingSettings handlingSettings, final SecurityKeyStore odsks) { From 26dd5ceb56e006ad671b45c0138aa43533fbb6aa Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Wed, 24 Aug 2022 09:56:51 -0400 Subject: [PATCH 7/7] Switch to OpenSearch v3.0 Rev'ed version number and fixed compilation issues Signed-off-by: Andriy Redko 
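Review bot: In the added `exceptionCaught` override (hunk `@@ -94,6 +97,19 @@`), the `else` branch casts every non-`Error` `cause` to `Exception`. A `Throwable` that is neither would raise `ClassCastException` inside the handler and hide the original failure; `onException(channel, cause instanceof Exception ? (Exception) cause : new Exception(cause));` covers all cases in one statement. `HTTP_CHANNEL_KEY` is looked up by the literal name "opensearch-http-channel", which presumably has to match the name under which the parent transport stores the channel attribute; if the two drift apart, `channel` is always null and the transport never sees the exception, so a comment beside the constant naming where the attribute is set would help. The enclosing handler class starts outside the hunk.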
Signed-off-by: Peter Nied --- .github/workflows/ci.yml | 6 +++--- build.gradle | 3 ++- bwc-test/build.gradle | 8 ++++---- .../test/framework/cluster/ClusterManager.java | 14 +++++++------- .../http/kerberos/HTTPSpnegoAuthenticator.java | 2 +- .../http/saml/SamlFilesystemMetadataResolver.java | 2 +- .../security/OpenSearchSecurityPlugin.java | 4 ++-- .../security/auditlog/impl/AbstractAuditLog.java | 2 +- .../configuration/ConfigurationRepository.java | 2 +- .../security/ssl/DefaultSecurityKeyStore.java | 6 +++--- .../security/ssl/util/SSLRequestHelper.java | 6 +++--- .../opensearch/security/support/PemKeyReader.java | 4 ++-- .../security/RolesInjectorIntegTest.java | 8 ++++---- .../security/RolesValidationIntegTest.java | 8 ++++---- .../opensearch/security/SlowIntegrationTests.java | 8 ++++---- .../security/TransportUserInjectorIntegTest.java | 12 ++++++------ .../security/ccstest/CrossClusterSearchTests.java | 6 +++--- .../security/dlic/dlsfls/CCReplicationTest.java | 10 +++++----- .../org/opensearch/security/ssl/OpenSSLTest.java | 4 ++-- .../java/org/opensearch/security/ssl/SSLTest.java | 6 +++--- .../test/helper/cluster/ClusterConfiguration.java | 14 +++++++------- 21 files changed, 68 insertions(+), 67 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f00e5bef68..fcb692eb17 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -72,9 +72,9 @@ jobs: cp -r build/ ./bwc-test/ mkdir ./bwc-test/src/test/resources/security_plugin_version_no_snapshot cp build/distributions/opensearch-security-${security_plugin_version_no_snapshot}.zip ./bwc-test/src/test/resources/${security_plugin_version_no_snapshot} - mkdir bwc-test/src/test/resources/2.3.0.0 - wget https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.3.0/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-security-2.3.0.0.zip - mv opensearch-security-2.3.0.0.zip bwc-test/src/test/resources/2.3.0.0/ + mkdir bwc-test/src/test/resources/2.4.0.0 + wget https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.4.0/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-security-2.4.0.0.zip + mv opensearch-security-2.4.0.0.zip bwc-test/src/test/resources/2.4.0.0/ cd bwc-test/ ./gradlew bwcTestSuite -Dtests.security.manager=false diff --git a/build.gradle b/build.gradle index 726dd06d6f..b1cb4323bd 100644 --- a/build.gradle +++ b/build.gradle @@ -15,7 +15,7 @@ import org.opensearch.gradle.test.RestIntegTestTask buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.4.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") @@ -56,6 +56,7 @@ plugins { id 'checkstyle' id 'nebula.ospackage' version "8.3.0" id "org.gradle.test-retry" version "1.3.1" + id 'eclipse' } allprojects { diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 583d9d173c..9badfd1c85 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -47,7 +47,7 @@ ext { buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.4.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") opensearch_group = "org.opensearch" } repositories { 
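Review bot: The `wget` step in the ci.yml hunk downloads `opensearch-security-2.4.0.0.zip` from a `.../2.4.0/latest/...` path and moves it into the BWC test resources with no integrity check. Whatever that mutable URL serves at run time is what the BWC clusters presumably load as a plugin on the runner. Pinning a specific build and verifying a digest before the `mv`, e.g. `echo "<EXPECTED_SHA512>  opensearch-security-2.4.0.0.zip" | sha512sum -c -`, would make the job reproducible and fail closed if the artifact changes. The surrounding `run:` block starts outside the hunk.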
@@ -73,16 +73,16 @@ dependencies { testImplementation "org.opensearch.test:framework:${opensearch_version}" } -String bwcVersion = "2.3.0.0"; +String bwcVersion = "2.4.0.0"; String baseName = "securityBwcCluster" String bwcFilePath = "src/test/resources/" -String projectVersion = "2.4.0.0" +String projectVersion = "3.0.0.0" 2.times {i -> testClusters { "${baseName}$i" { testDistribution = "ARCHIVE" - versions = ["2.3.0","2.4.0"] + versions = ["2.4.0","3.0.0"] numberOfNodes = 3 plugin(provider(new Callable() { @Override diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java index 005321b24c..760820a3b6 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java +++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/ClusterManager.java @@ -36,13 +36,13 @@ import java.util.Objects; import java.util.stream.Collectors; -import org.opensearch.index.reindex.ReindexPlugin; -import org.opensearch.join.ParentJoinPlugin; -import org.opensearch.percolator.PercolatorPlugin; +import org.opensearch.index.reindex.ReindexModulePlugin; +import org.opensearch.join.ParentJoinModulePlugin; +import org.opensearch.percolator.PercolatorModulePlugin; import org.opensearch.plugins.Plugin; -import org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin; +import org.opensearch.search.aggregations.matrix.MatrixAggregationModulePlugin; import org.opensearch.security.OpenSearchSecurityPlugin; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import static java.util.Collections.unmodifiableList; import static org.opensearch.test.framework.cluster.NodeType.CLIENT; 
@@ -98,8 +98,8 @@ public int getClientNodes() { public static class NodeSettings { - private final static List> DEFAULT_PLUGINS = List.of(Netty4Plugin.class, OpenSearchSecurityPlugin.class, - MatrixAggregationPlugin.class, ParentJoinPlugin.class, PercolatorPlugin.class, ReindexPlugin.class); + private final static List> DEFAULT_PLUGINS = List.of(Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, + MatrixAggregationModulePlugin.class, ParentJoinModulePlugin.class, PercolatorModulePlugin.class, ReindexModulePlugin.class); public final boolean clusterManagerNode; public final boolean dataNode; public final List> plugins; diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java index 812ca4f82f..3603aeb94e 100644 --- a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java @@ -70,7 +70,7 @@ public class HTTPSpnegoAuthenticator implements HTTPAuthenticator { public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) { super(); try { - final Path configDir = new Environment(settings, configPath).configFile(); + final Path configDir = new Environment(settings, configPath).configDir(); final String krb5PathSetting = settings.get("plugins.security.kerberos.krb5_filepath"); final SecurityManager sm = System.getSecurityManager(); diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java index 80f272b43b..302b1f41ea 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java 
@@ -51,6 +51,6 @@ public byte[] run() throws ResolverException { private static File getMetadataFile(String filePath, Settings settings, Path configPath) { Environment env = new Environment(settings, configPath); - return env.configFile().resolve(filePath).toAbsolutePath().toFile(); + return env.configDir().resolve(filePath).toAbsolutePath().toFile(); } } diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 66530cfaed..69dce00d41 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -326,7 +326,7 @@ public Object run() { final List filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction>() { @Override public List run() { - final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath(); + final Path confPath = new Environment(settings, configPath).configDir().toAbsolutePath(); if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) { try (Stream s = Files.walk(confPath)) { return s.distinct().filter(p -> checkFilePermissions(p)).collect(Collectors.toList()); @@ -356,7 +356,7 @@ public List run() { final List files = AccessController.doPrivileged(new PrivilegedAction>() { @Override public List run() { - final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath(); + final Path confPath = new Environment(settings, configPath).configDir().toAbsolutePath(); if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) { try (Stream s = Files.walk(confPath)) { return s.distinct().map(p -> sha256(p)).collect(Collectors.toList()); diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index bc5e240c77..d6f59028fa 100644 
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java @@ -560,7 +560,7 @@ public Map run() { (key.contains("filepath") || key.contains("file_path"))) { String value = settings.get(key); if(value != null && !value.isEmpty()) { - Path path = value.startsWith("/")?Paths.get(value):environment.configFile().resolve(value); + Path path = value.startsWith("/")?Paths.get(value):environment.configDir().resolve(value); paths.put(key, path); } } diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java index 81f5c5d60d..5a8c9a069c 100644 --- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java +++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java @@ -120,7 +120,7 @@ public void run() { try { String lookupDir = System.getProperty("security.default_init.dir"); - final String cd = lookupDir != null? (lookupDir+"/") : new Environment(settings, configPath).configFile().toAbsolutePath().toString()+"/opensearch-security/"; + final String cd = lookupDir != null? (lookupDir+"/") : new Environment(settings, configPath).configDir().toAbsolutePath().toString()+"/opensearch-security/"; File confFile = new File(cd+"config.yml"); if(confFile.exists()) { final ThreadContext threadContext = threadPool.getThreadContext(); diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java index 72d18fc0c9..026165f95e 100644 --- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java +++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java 
@@ -226,8 +226,8 @@ private String resolve(String propName, boolean mustBeValid) { log.debug("Value for {} is {}", propName, originalPath); if (env != null && originalPath != null && originalPath.length() > 0) { - path = env.configFile().resolve(originalPath).toAbsolutePath().toString(); - log.debug("Resolved {} to {} against {}", originalPath, path, env.configFile().toAbsolutePath().toString()); + path = env.configDir().resolve(originalPath).toAbsolutePath().toString(); + log.debug("Resolved {} to {} against {}", originalPath, path, env.configDir().toAbsolutePath().toString()); } if (mustBeValid) { @@ -247,7 +247,7 @@ private void initSSLConfig() { log.info("No config directory, key- and truststore files are resolved absolutely"); } else { log.info("Config directory is {}/, from there the key- and truststore files are resolved relatively", - env.configFile().toAbsolutePath()); + env.configDir().toAbsolutePath()); } diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java index 5bd72fba5d..893fb04fac 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java @@ -199,7 +199,7 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett final String crlFile = settings.get(SSLConfigConstants.SSECURITY_SSL_HTTP_CRL_FILE); if(crlFile != null) { - final File crl = env.configFile().resolve(crlFile).toAbsolutePath().toFile(); + final File crl = env.configDir().resolve(crlFile).toAbsolutePath().toFile(); try(FileInputStream crlin = new FileInputStream(crl)) { crls = CertificateFactory.getInstance("X.509").generateCRLs(crlin); } 
@@ -222,12 +222,12 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett //final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null); final KeyStore ts = KeyStore.getInstance(truststoreType); - try(FileInputStream fin = new FileInputStream(new File(env.configFile().resolve(truststore).toAbsolutePath().toString()))) { + try(FileInputStream fin = new FileInputStream(new File(env.configDir().resolve(truststore).toAbsolutePath().toString()))) { ts.load(fin, (truststorePassword == null || truststorePassword.length() == 0) ?null:truststorePassword.toCharArray()); } validator = new CertificateValidator(ts, crls); } else { - final File trustedCas = env.configFile().resolve(settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); + final File trustedCas = env.configDir().resolve(settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); try(FileInputStream trin = new FileInputStream(trustedCas)) { Collection cert = (Collection) CertificateFactory.getInstance("X.509").generateCertificates(trin); validator = new CertificateValidator(cert.toArray(new X509Certificate[0]), crls); diff --git a/src/main/java/org/opensearch/security/support/PemKeyReader.java b/src/main/java/org/opensearch/security/support/PemKeyReader.java index 66d1af8799..fb3a595f9e 100644 --- a/src/main/java/org/opensearch/security/support/PemKeyReader.java +++ b/src/main/java/org/opensearch/security/support/PemKeyReader.java 
@@ -329,8 +329,8 @@ public static String resolve(String originalPath, String propName, Settings sett final Environment env = new Environment(settings, configPath); if(env != null && originalPath != null && originalPath.length() > 0) { - path = env.configFile().resolve(originalPath).toAbsolutePath().toString(); - log.debug("Resolved {} to {} against {}", originalPath, path, env.configFile().toAbsolutePath().toString()); + path = env.configDir().resolve(originalPath).toAbsolutePath().toString(); + log.debug("Resolved {} to {} against {}", originalPath, path, env.configDir().toAbsolutePath().toString()); } if(mustBeValid) { diff --git a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java index 8a4129e32b..06f7d31507 100644 --- a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java @@ -49,7 +49,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class RolesInjectorIntegTest extends SingleClusterTest { @@ -97,7 +97,7 @@ public void testRolesInject() throws Exception { .build(); //1. Without roles injection. - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); 
@@ -110,7 +110,7 @@ public void testRolesInject() throws Exception { //2. With invalid roles, must throw security exception. RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; Exception exception = null; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); @@ -124,7 +124,7 @@ public void testRolesInject() throws Exception { //3. With valid roles - which has permission to create index. RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); diff --git a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java index 57a2d45a28..36626b3428 100644 --- a/src/test/java/org/opensearch/security/RolesValidationIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesValidationIntegTest.java 
@@ -43,7 +43,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class RolesValidationIntegTest extends SingleClusterTest { @@ -88,7 +88,7 @@ public void testRolesValidation() throws Exception { .build(); // 1. Without roles validation - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -100,7 +100,7 @@ public void testRolesValidation() throws Exception { OpenSearchSecurityException exception = null; // 2. with roles invalid to the user RolesValidationPlugin.rolesValidation = "invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); 
@@ -112,7 +112,7 @@ public void testRolesValidation() throws Exception { // 3. with roles valid to the user RolesValidationPlugin.rolesValidation = "opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet(); diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index fd01dc7bdd..c08e3e3fd6 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java @@ -47,7 +47,7 @@ import org.opensearch.security.test.helper.cluster.ClusterConfiguration; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public class SlowIntegrationTests extends SingleClusterTest { @@ -84,7 +84,7 @@ public void testNodeClientAllowedWithServerCertificate() throws Exception { log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Assert.assertFalse(node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes(String.valueOf(clusterInfo.numNodes+1))).actionGet().isTimedOut()); Assert.assertEquals(clusterInfo.numNodes+1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } 
@@ -113,7 +113,7 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Thread.sleep(10000); Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } catch (Exception e) { @@ -144,7 +144,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception log.debug("Start node client"); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { Thread.sleep(10000); Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); } catch (Exception e) { diff --git a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java index 4f3105501f..8ad576be53 100644 --- a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java @@ -41,7 +41,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.security.test.SingleClusterTest; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.watcher.ResourceWatcherService; public class TransportUserInjectorIntegTest extends SingleClusterTest { 
@@ -88,7 +88,7 @@ public void testSecurityUserInjection() throws Exception { // 1. without user injection - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -99,7 +99,7 @@ public void testSecurityUserInjection() throws Exception { // 2. with invalid backend roles UserInjectorPlugin.injectedUser = "ttt|kkk"; Exception exception = null; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); @@ -113,7 +113,7 @@ public void testSecurityUserInjection() throws Exception { // 3. with valid backend roles for injected user UserInjectorPlugin.injectedUser = "injectedadmin|injecttest"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); 
@@ -141,7 +141,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { .build(); // 1. without user injection - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet(); @@ -150,7 +150,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { // with invalid backend roles UserInjectorPlugin.injectedUser = "ttt|kkk"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) { waitForInit(node.client()); CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet(); diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index acd5e37b68..69141be6e6 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -59,7 +59,7 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsString; 
@@ -1021,7 +1021,7 @@ public void testCcsWithRoleInjection() throws Exception { System.out.println("###################### with invalid role injection"); //1. With invalid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); @@ -1041,7 +1041,7 @@ public void testCcsWithRoleInjection() throws Exception { System.out.println("###################### with valid role injection"); //2. With valid roles injection RolesInjectorIntegTest.RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, RolesInjectorIntegTest.RolesInjectorPlugin.class).start()) { waitForInit(node.client()); Client remoteClient = node.client().getRemoteClusterClient("cross_cluster_two"); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java index 720f59980d..fb557f038b 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/CCReplicationTest.java 
@@ -64,7 +64,7 @@ import org.opensearch.security.test.DynamicSecurityConfig; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; import org.opensearch.transport.TransportService; import org.opensearch.watcher.ResourceWatcherService; // CS-ENFORCE-SINGLE @@ -199,7 +199,7 @@ public void testReplication() throws Exception { // Set roles for the user MockReplicationPlugin.injectedRoles = "ccr_user|opendistro_security_human_resources_trainee"; - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-dls"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { @@ -209,7 +209,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-fls"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { 
@@ -219,7 +219,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-masking"); Assert.fail("Expecting exception"); } catch (OpenSearchSecurityException ex) { @@ -229,7 +229,7 @@ public void testReplication() throws Exception { Assert.assertEquals(ex.status(), RestStatus.FORBIDDEN); } - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MockReplicationPlugin.class).start()) { waitOrThrow(node.client(), "hr-normal"); AcknowledgedResponse res = node.client().execute(MockReplicationAction.INSTANCE, new MockReplicationRequest("hr-normal")).actionGet(); Assert.assertTrue(res.isAcknowledged()); diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java index 961eadeab5..7b97112a27 100644 --- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java @@ -43,7 +43,7 @@ import org.opensearch.security.test.AbstractSecurityUnitTest; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public class OpenSSLTest extends SSLTest { private static final String USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY = "opensearch.unsafe.use_netty_default_allocator"; 
@@ -218,7 +218,7 @@ public void testNodeClientSSLwithOpenSslTLSv13() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java index ab28b4a88f..e028ac82e3 100644 --- a/src/test/java/org/opensearch/security/ssl/SSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java @@ -60,7 +60,7 @@ import org.opensearch.security.test.SingleClusterTest; import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; @SuppressWarnings({"resource", "unchecked"}) public class SSLTest extends SingleClusterTest { @@ -507,7 +507,7 @@ public void testNodeClientSSL() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(15))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); 
@@ -698,7 +698,7 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception { .put(settings)// ----- .build(); - try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) { + try (Node node = new PluginAwareNode(false, tcSettings, Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet(); Assert.assertFalse(res.isTimedOut()); Assert.assertEquals(4, res.getNumberOfNodes()); diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java index 05815c55f3..871cf5a59d 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterConfiguration.java 
@@ -34,15 +34,15 @@ import com.google.common.collect.Lists; -import org.opensearch.index.reindex.ReindexPlugin; -import org.opensearch.join.ParentJoinPlugin; -import org.opensearch.percolator.PercolatorPlugin; +import org.opensearch.index.reindex.ReindexModulePlugin; +import org.opensearch.join.ParentJoinModulePlugin; +import org.opensearch.percolator.PercolatorModulePlugin; import org.opensearch.plugins.Plugin; -import org.opensearch.script.mustache.MustachePlugin; -import org.opensearch.search.aggregations.matrix.MatrixAggregationPlugin; +import org.opensearch.script.mustache.MustacheModulePlugin; +import org.opensearch.search.aggregations.matrix.MatrixAggregationModulePlugin; import org.opensearch.security.OpenSearchSecurityPlugin; import org.opensearch.security.test.plugin.UserInjectorPlugin; -import org.opensearch.transport.Netty4Plugin; +import org.opensearch.transport.Netty4ModulePlugin; public enum ClusterConfiguration { //first one needs to be a cluster manager @@ -109,7 +109,7 @@ public int getClientNodes() { public static class NodeSettings { public boolean clusterManagerNode; public boolean dataNode; - public List> plugins = Lists.newArrayList(Netty4Plugin.class, OpenSearchSecurityPlugin.class, MatrixAggregationPlugin.class, MustachePlugin.class, ParentJoinPlugin.class, PercolatorPlugin.class, ReindexPlugin.class); + public List> plugins = Lists.newArrayList(Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class, MatrixAggregationModulePlugin.class, MustacheModulePlugin.class, ParentJoinModulePlugin.class, PercolatorModulePlugin.class, ReindexModulePlugin.class); public NodeSettings(boolean clusterManagerNode, boolean dataNode) { super();