Merge remote-tracking branch 'origin/main' into javac-lint-warnings

Signed-off-by: Peter Nied <petern@amazon.com>

.github/actions/start-opensearch-with-one-plugin/action.yml

@@ -14,6 +14,10 @@ inputs:
     description: 'The name of the setup script you want to run i.e. "setup" (do not include file extension). Leave empty to indicate one should not be run.'
     required: false
 
+  admin-password:
+    description: 'The admin password uses for the cluster'
+    required: true
+
 runs:
   using: "composite"
   steps:
@@ -67,6 +71,11 @@ runs:
         'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip
       shell: pwsh
 
+    - name: Write password to initialAdminPassword location
+      run:
+        echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt
+      shell: bash
+
     # Run any configuration scripts
     - name: Run Setup Script for Linux
       if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }}
@@ -101,13 +110,13 @@ runs:
     # Verify that the server is operational
     - name: Check OpenSearch Running on Linux
       if: ${{ runner.os != 'Windows'}}
-      run: curl https://localhost:9200/_cat/plugins -u 'admin:admin' -k -v
+      run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v --fail-with-body
       shell: bash
 
     - name: Check OpenSearch Running on Windows
       if: ${{ runner.os == 'Windows'}}
       run: |
-        $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:admin")
+        $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:${{ inputs.admin-password }}")
         $encodedCredentials = [Convert]::ToBase64String($credentialBytes)
         $baseCredentials = "Basic $encodedCredentials"
         $Headers = @{ Authorization = $baseCredentials }

.github/workflows/auto-release.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v2.0.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}
@@ -22,7 +22,12 @@ jobs:
         id: tag
         uses: dawidd6/action-get-tag@v1
       - uses: actions/checkout@v4
+      - name: Download release notes
+        run: |
+          curl -s -o release-notes.md https://raw.githubusercontent.com/opensearch-project/security/main/release-notes/opensearch-security.release-notes-${{ steps.tag.outputs.tag }}.md
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - uses: ncipollo/release-action@v1
         with:
           github_token: ${{ steps.github_app_token.outputs.token }}
-          bodyFile: release-notes/opensearch-security.release-notes-${{steps.tag.outputs.tag}}.md
+          bodyFile: release-notes.md

.github/workflows/automatic-merges.yml

@@ -0,0 +1,32 @@
+name: automatic-merges
+
+on:
+  workflow_run:
+    workflows:
+      - CI
+      - Plugin Install
+      - Code Hygiene
+    types: completed
+
+jobs:
+  automatic-merge-version-bumps:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: find-triggering-pr
+        uses: peternied/find-triggering-pr@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: peternied/discerning-merger@v1
+        if: steps.find-triggering-pr.outputs.pr-number != null
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ steps.find-triggering-pr.outputs.pr-number }}
+          allowed-authors: |
+            dependabot[bot]
+            opensearch-trigger-bot[bot]
+          allowed-files: |
+            build.gradle
+            .github/workflows/*.yml

.github/workflows/backport.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       - name: GitHub App token
         id: github_app_token
-        uses: tibdex/github-app-token@v2.0.0
+        uses: tibdex/github-app-token@v2.1.0
         with:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/ci.yml

@@ -10,6 +10,7 @@ on:
 
 env:
   GRADLE_OPTS: -Dhttp.keepAlive=false
+  CI_ENVIRONMENT: normal
 
 jobs:
   generate-test-list:
@@ -86,8 +87,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [17]
-        platform: [ubuntu-latest, windows-latest]
+        jdk: [11, 17]
+        platform: [ubuntu-latest] # Removed windows https://github.com/opensearch-project/security/issues/3423
     runs-on: ${{ matrix.platform }}
 
     steps:
@@ -102,12 +103,56 @@ jobs:
 
     - name: Build and Test
       uses: gradle/gradle-build-action@v2
-      continue-on-error: true # Until retries are enable do not fail the workflow https://github.com/opensearch-project/security/issues/2184
       with:
         cache-disabled: true
         arguments: |
           integrationTest -Dbuild.snapshot=false
 
+  resource-tests:
+    env:
+      CI_ENVIRONMENT: resource-test
+    strategy:
+      fail-fast: false
+      matrix:
+        jdk: [17]
+        platform: [ubuntu-latest]
+    runs-on: ${{ matrix.platform }}
+
+    steps:
+    - name: Set up JDK for build and test
+      uses: actions/setup-java@v3
+      with:
+        distribution: temurin # Temurin is a distribution of adoptium
+        java-version: ${{ matrix.jdk }}
+
+    - name: Checkout security
+      uses: actions/checkout@v4
+
+    - name: Build and Test
+      uses: gradle/gradle-build-action@v2
+      with:
+        cache-disabled: true
+        arguments: |
+            integrationTest -Dbuild.snapshot=false --tests org.opensearch.security.ResourceFocusedTests
+
+  backward-compatibility-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-java@v3
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: 17
+
+      - name: Checkout Security Repo
+        uses: actions/checkout@v4
+
+      - name: Build BWC tests
+        uses: gradle/gradle-build-action@v2
+        with:
+          cache-disabled: true
+          arguments: |
+            -p bwc-test build -x test -x integTest
+
   backward-compatibility:
     strategy:
       fail-fast: false

.github/workflows/code-hygiene.yml

@@ -43,7 +43,7 @@ jobs:
       - uses: gradle/gradle-build-action@v2
         with:
           cache-disabled: true
-          arguments: checkstyleMain checkstyleTest
+          arguments: checkstyleMain checkstyleTest checkstyleIntegrationTest
 
   spotbugs:
     runs-on: ubuntu-latest

.github/workflows/plugin_install.yml

@@ -16,6 +16,9 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
+      - id: random-password
+        uses: peternied/random-name@v1
+
       - name: Set up JDK
         uses: actions/setup-java@v3
         with:
@@ -57,9 +60,10 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           setup-script-name: setup
+          admin-password: ${{ steps.random-password.outputs.generated_name }}
 
       - name: Run sanity tests
         uses: gradle/gradle-build-action@v2
         with:
           cache-disabled: true
-          arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=admin
+          arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.generated_name }} -i

DEVELOPER_GUIDE.md

@@ -28,15 +28,14 @@ On MacOS / PC the OpenSearch distribution can be run with Docker. This distribut
 
 To get started, follow the [getting started section](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#getting-started) of OpenSearch's developer guide. This will get OpenSearch up and running built from source code. You can skip the `./gradlew check` step to save some time. You should follow the steps until you reach the point where you can run a successful `curl localhost:9200` call. Great! now kill the server with `Ctrl+C`.
 
-Next, run the following commands to copy the built code (snapshot) to a new folder in a different location. (This where you'll be running the OpenSearch service). Run this from the base directory of the OpenSearch fork you cloned above:
+Next, inside `OpenSearch` folder run the following commands to copy the built code (snapshot) to a new folder in a different location (this where you'll be running the OpenSearch service). Here **`darwin-tar`** is an example running on MacOS, adjust `$OPENSEARCH_BUILD` path based on your version and Operating System.
+
 ```bash
-export OPENSEARCH_HOME=~/<your-folder-location>/opensearch-*
-export OPENSEARCH_BUILD=distribution/archives/darwin-tar/build/install/opensearch-*
-cp -Rf $OPENSEARCH_BUILD $OPENSEARCH_HOME
+export OPENSEARCH_HOME=`pwd`/opensearch-$(./gradlew properties -q | grep -E '^version:' | awk '{print $2}' | sed 's/-SNAPSHOT//g')
+export OPENSEARCH_BUILD=distribution/archives/darwin-tar/build/install/opensearch-$(./gradlew properties -q | grep -E '^version:' | awk '{print $2}')
+cp -Rf $OPENSEARCH_BUILD/* $OPENSEARCH_HOME
 ```
 
-Choose `$OPENSEARCH_HOME` as the base folder where your server will live, and adjust `$OPENSEARCH_BUILD` based on your version and OS (this is an example running on MacOS, hence `darwin`.)
-
 Let's test and see if we can run the server!
 
 ```bash
@@ -69,12 +68,12 @@ To install the built plugin into the OpenSearch server run:
 
 ```bash
 export OPENSEARCH_SECURITY_HOME=$OPENSEARCH_HOME/plugins/opensearch-security
-mkdir $OPENSEARCH_SECURITY_HOME
+mkdir -p $OPENSEARCH_SECURITY_HOME
 cp build/distributions/opensearch-security-*.zip $OPENSEARCH_SECURITY_HOME
 cd $OPENSEARCH_SECURITY_HOME
 unzip opensearch-security-*.zip
 rm opensearch-security-*.zip
-mkdir $OPENSEARCH_HOME/config/opensearch-security
+mkdir -p $OPENSEARCH_HOME/config/opensearch-security
 mv config/* $OPENSEARCH_HOME/config/opensearch-security/
 rm -rf config/
 ```