Merge branch 'main' of github.com:opensearch-project/alerting into lo…

…caluri-debug

.github/workflows/bwc-test-workflow.yml

@@ -0,0 +1,37 @@
+name: BWC Test Workflow
+# This workflow is triggered on pull requests and pushes to main or an OpenSearch release branch
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "*"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        java: [ 14 ]
+    # Job name
+    name: Build and test Alerting
+    # This job runs on Linux
+    runs-on: ubuntu-latest
+    steps:
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+      # This step uses the checkout Github action: https://github.com/actions/checkout
+      - name: Checkout Branch
+        uses: actions/checkout@v2
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK 14
+        uses: actions/setup-java@v1
+        with:
+          java-version: 14
+      - name: Run Alerting Backwards Compatibility Tests
+        run: |
+          echo "Running backwards compatibility tests..."
+          ./gradlew bwcTestSuite

.github/workflows/multi-node-test-workflow.yml

@@ -1,5 +1,5 @@
-name: Multi node test workflow
-# This workflow is triggered on pull requests to main
+name: Multi-node Test Workflow
+# This workflow is triggered on pull requests and pushes to main or an OpenSearch release branch
 on:
   pull_request:
     branches:
@@ -14,7 +14,7 @@ jobs:
       matrix:
         java: [ 14 ]
     # Job name
-    name: Build Alerting
+    name: Build and test Alerting
     # This job runs on Linux
     runs-on: ubuntu-latest
     steps:
@@ -33,53 +33,3 @@ jobs:
           java-version: 14
       - name: Run integration tests with multi node config
         run: ./gradlew integTest -PnumNodes=3 -Dopensearch.version=1.3.0-SNAPSHOT
-      - name: Pull and Run Docker
-        run: |
-          plugin=`ls alerting/build/distributions/*.zip`
-          list_of_files=`ls`
-          list_of_all_files=`ls alerting/build/distributions/`
-          version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-3`
-          plugin_version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-4`
-          candidate_version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-1`
-          echo $version $plugin_version $candidate_version
-          echo $ls $list_of_all_files
-
-          if docker pull opensearchstaging/opensearch:$version-$candidate_version
-          then
-            echo "FROM opensearchstaging/opensearch:$version-$candidate_version" >> Dockerfile
-            echo "RUN if [ -d /usr/share/opensearch/plugins/opensearch-alerting ]; then /usr/share/opensearch/bin/opensearch-plugin remove opensearch-alerting; fi" >> Dockerfile
-            echo "ADD alerting/build/distributions/opensearch-alerting-$plugin_version-$candidate_version.zip /tmp/" >> Dockerfile
-            echo "RUN /usr/share/opensearch/bin/opensearch-plugin install --batch file:/tmp/opensearch-alerting-$plugin_version-$candidate_version.zip" >> Dockerfile
-
-            docker build -t opensearch-alerting:test .
-            echo "imagePresent=true" >> $GITHUB_ENV
-          else
-            echo "imagePresent=false" >> $GITHUB_ENV
-          fi
-
-      - name: Run Docker Image
-        if: env.imagePresent == 'true'
-        run: |
-          cd ..
-          docker run -p 9200:9200 -d -p 9600:9600 -e "discovery.type=single-node" opensearch-alerting:test
-          sleep 120
-
-      - name: Run Alerting Test for security enabled test cases
-        if: env.imagePresent == 'true'
-        run: |
-          cluster_running=`curl -XGET https://localhost:9200/_cat/plugins -u admin:admin --insecure`
-          echo $cluster_running
-          security=`curl -XGET https://localhost:9200/_cat/plugins -u admin:admin --insecure |grep opensearch-security|wc -l`
-          echo $security
-          if [ $security -gt 0 ]
-          then
-            echo "Security plugin is available"
-            ./gradlew :alerting:integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dsecurity=true -Dhttps=true -Duser=admin -Dpassword=admin
-          else
-            echo "Security plugin is NOT available skipping this run as tests without security have already been run"
-          fi
-
-      - name: Run Alerting Backwards Compatibility Tests
-        run: |
-          echo "Running backwards compatibility tests ..."
-          ./gradlew bwcTestSuite

.github/workflows/security-test-workflow.yml

@@ -0,0 +1,81 @@
+name: Security Test Workflow
+# This workflow is triggered on pull requests and pushes to main or an OpenSearch release branch
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "*"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        java: [ 14 ]
+    # Job name
+    name: Build and test Alerting
+    # This job runs on Linux
+    runs-on: ubuntu-latest
+    steps:
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+      # This step uses the checkout Github action: https://github.com/actions/checkout
+      - name: Checkout Branch
+        uses: actions/checkout@v2
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK 14
+        uses: actions/setup-java@v1
+        with:
+          java-version: 14
+      - name: Build Alerting
+        # Only assembling since the full build is governed by other workflows
+        run: ./gradlew assemble -Dopensearch.version=1.3.0-SNAPSHOT
+      - name: Pull and Run Docker
+        run: |
+          plugin=`ls alerting/build/distributions/*.zip`
+          list_of_files=`ls`
+          list_of_all_files=`ls alerting/build/distributions/`
+          version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-3`
+          plugin_version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-4`
+          candidate_version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-1`
+          echo $version $plugin_version $candidate_version
+          echo $ls $list_of_all_files
+
+          if docker pull opensearchstaging/opensearch:$version
+          then
+            echo "FROM opensearchstaging/opensearch:$version" >> Dockerfile
+            echo "RUN if [ -d /usr/share/opensearch/plugins/opensearch-alerting ]; then /usr/share/opensearch/bin/opensearch-plugin remove opensearch-alerting; fi" >> Dockerfile
+            echo "ADD alerting/build/distributions/opensearch-alerting-$plugin_version-$candidate_version.zip /tmp/" >> Dockerfile
+            echo "RUN /usr/share/opensearch/bin/opensearch-plugin install --batch file:/tmp/opensearch-alerting-$plugin_version-$candidate_version.zip" >> Dockerfile
+
+            docker build -t opensearch-alerting:test .
+            echo "imagePresent=true" >> $GITHUB_ENV
+          else
+            echo "imagePresent=false" >> $GITHUB_ENV
+          fi
+
+      - name: Run Docker Image
+        if: env.imagePresent == 'true'
+        run: |
+          cd ..
+          docker run -p 9200:9200 -d -p 9600:9600 -e "discovery.type=single-node" opensearch-alerting:test
+          sleep 120
+
+      - name: Run Alerting Test for security enabled test cases
+        if: env.imagePresent == 'true'
+        run: |
+          cluster_running=`curl -XGET https://localhost:9200/_cat/plugins -u admin:admin --insecure`
+          echo $cluster_running
+          security=`curl -XGET https://localhost:9200/_cat/plugins -u admin:admin --insecure |grep opensearch-security|wc -l`
+          echo $security
+          if [ $security -gt 0 ]
+          then
+            echo "Security plugin is available"
+            ./gradlew :alerting:integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dsecurity=true -Dhttps=true -Duser=admin -Dpassword=admin
+          else
+            echo "Security plugin is NOT available skipping this run as tests without security have already been run"
+          fi

.github/workflows/test-workflow.yml

@@ -1,5 +1,5 @@
 name: Test Workflow
-# This workflow is triggered on pull requests and pushes to main or an opensearch release branch
+# This workflow is triggered on pull requests and pushes to main or an OpenSearch release branch
 on:
   pull_request:
     branches:
@@ -26,26 +26,20 @@ jobs:
         uses: actions/setup-java@v1
         with:
           java-version: ${{ matrix.java }}
-
-
       - name: Build and run with Gradle
         run: ./gradlew build -Dopensearch.version=1.3.0-SNAPSHOT
-
-#      - name: Create Artifact Path
-#        run: |
-#          mkdir -p alerting-artifacts
-#          cp ./alerting/build/distributions/*.zip alerting-artifacts
+      - name: Create Artifact Path
+        run: |
+          mkdir -p alerting-artifacts
+          cp ./alerting/build/distributions/*.zip alerting-artifacts
       # This step uses the codecov-action Github action: https://github.com/codecov/codecov-action
       - name: Upload Coverage Report
         uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-#      # This step uses the upload-artifact Github action: https://github.com/actions/upload-artifact
-#      - name: Upload Artifacts
-#        uses: actions/upload-artifact@v1
-#        with:
-#          name: alerting-plugin
-#          path: alerting-artifacts
-      # Publish to local maven
-      - name: Publish to Maven Local
-        run: ./gradlew publishToMavenLocal -Dopensearch.version=1.3.0-SNAPSHOT
+      # This step uses the upload-artifact Github action: https://github.com/actions/upload-artifact
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: alerting-plugin
+          path: alerting-artifacts

.whitesource

@@ -0,0 +1,15 @@
+{
+  "scanSettings": {
+    "configMode": "AUTO",
+    "configExternalURL": "",
+    "projectToken": "",
+    "baseBranches": []
+  },
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure",
+    "displayMode": "diff"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW"
+  }
+}

alerting/src/main/kotlin/org/opensearch/alerting/MonitorRunner.kt

@@ -10,7 +10,6 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.launch
-import kotlinx.coroutines.runBlocking
 import kotlinx.coroutines.withContext
 import org.apache.logging.log4j.LogManager
 import org.opensearch.action.bulk.BackoffPolicy
@@ -20,6 +19,7 @@ import org.opensearch.alerting.core.JobRunner
 import org.opensearch.alerting.core.model.ScheduledJob
 import org.opensearch.alerting.elasticapi.InjectorContextElement
 import org.opensearch.alerting.elasticapi.retry
+import org.opensearch.alerting.elasticapi.withClosableContext
 import org.opensearch.alerting.model.ActionRunResult
 import org.opensearch.alerting.model.Alert
 import org.opensearch.alerting.model.AlertingConfigAccessor
@@ -274,7 +274,7 @@ object MonitorRunner : JobRunner, CoroutineScope, AbstractLifecycleComponent() {
             return monitorResult.copy(error = e)
         }
         if (!isADMonitor(monitor)) {
-            runBlocking(InjectorContextElement(monitor.id, settings, threadPool.threadContext, roles)) {
+            withClosableContext(InjectorContextElement(monitor.id, settings, threadPool.threadContext, roles)) {
                 monitorResult = monitorResult.copy(inputResults = inputService.collectInputResults(monitor, periodStart, periodEnd))
             }
         } else {
@@ -363,7 +363,7 @@ object MonitorRunner : JobRunner, CoroutineScope, AbstractLifecycleComponent() {
             //  If a setting is imposed that limits buckets that can be processed for Bucket-Level Monitors, we'd need to iterate over
             //  the buckets until we hit that threshold. In that case, we'd want to exit the execution without creating any alerts since the
             //  buckets we iterate over before hitting the limit is not deterministic. Is there a better way to fail faster in this case?
-            runBlocking(InjectorContextElement(monitor.id, settings, threadPool.threadContext, roles)) {
+            withClosableContext(InjectorContextElement(monitor.id, settings, threadPool.threadContext, roles)) {
                 // Storing the first page of results in the case of pagination input results to prevent empty results
                 // in the final output of monitorResult which occurs when all pages have been exhausted.
                 // If it's favorable to return the last page, will need to check how to accomplish that with multiple aggregation paths

alerting/src/main/kotlin/org/opensearch/alerting/model/Monitor.kt

@@ -221,11 +221,11 @@ data class Monitor(
         @JvmOverloads
         @Throws(IOException::class)
         fun parse(xcp: XContentParser, id: String = NO_ID, version: Long = NO_VERSION): Monitor {
-            lateinit var name: String
+            var name: String? = null
             // Default to QUERY_LEVEL_MONITOR to cover Monitors that existed before the addition of MonitorType
             var monitorType: String = MonitorType.QUERY_LEVEL_MONITOR.toString()
             var user: User? = null
-            lateinit var schedule: Schedule
+            var schedule: Schedule? = null
             var lastUpdateTime: Instant? = null
             var enabledTime: Instant? = null
             var uiMetadata: Map<String, Any> = mapOf()

alerting/src/main/kotlin/org/opensearch/alerting/transport/SecureTransportAction.kt

@@ -86,6 +86,8 @@ interface SecureTransportAction {
                     )
                 )
                 return false
+            } else if (isAdmin(user)) {
+                return true
             } else if (user.backendRoles.isNullOrEmpty()) {
                 actionListener.onFailure(
                     AlertingException.wrap(
@@ -112,12 +114,16 @@ interface SecureTransportAction {
         resourceId: String
     ): Boolean {
 
-        if (!filterByEnabled) return true
+        if (!doFilterForUser(requesterUser)) return true
 
         val resourceBackendRoles = resourceUser?.backendRoles
         val requesterBackendRoles = requesterUser?.backendRoles
 
-        if (resourceBackendRoles == null || requesterBackendRoles == null || resourceBackendRoles.intersect(requesterBackendRoles).isEmpty()) {
+        if (
+            resourceBackendRoles == null ||
+            requesterBackendRoles == null ||
+            resourceBackendRoles.intersect(requesterBackendRoles).isEmpty()
+        ) {
             actionListener.onFailure(
                 AlertingException.wrap(
                     OpenSearchStatusException(

alerting/src/test/kotlin/org/opensearch/alerting/ADTestHelpers.kt

@@ -503,6 +503,6 @@ fun randomADMonitor(
 fun randomADUser(backendRole: String = OpenSearchRestTestCase.randomAlphaOfLength(10)): User {
     return User(
         OpenSearchRestTestCase.randomAlphaOfLength(10), listOf(backendRole),
-        listOf(OpenSearchRestTestCase.randomAlphaOfLength(10), "all_access"), listOf("test_attr=test")
+        listOf(OpenSearchRestTestCase.randomAlphaOfLength(10), ALL_ACCESS_ROLE), listOf("test_attr=test")
     )
 }

alerting/src/test/kotlin/org/opensearch/alerting/AccessRoles.kt

@@ -0,0 +1,44 @@
+package org.opensearch.alerting
+
+val ALL_ACCESS_ROLE = "all_access"
+val ALERTING_FULL_ACCESS_ROLE = "alerting_full_access"
+val ALERTING_READ_ONLY_ACCESS = "alerting_read_access"
+val ALERTING_NO_ACCESS_ROLE = "no_access"
+val ALERTING_INDEX_EMAIL_ACCOUNT_ACCESS = "alerting_index_email_account_access"
+val ALERTING_GET_EMAIL_ACCOUNT_ACCESS = "alerting_get_email_account_access"
+val ALERTING_SEARCH_EMAIL_ACCOUNT_ACCESS = "alerting_search_email_account_access"
+val ALERTING_DELETE_EMAIL_ACCOUNT_ACCESS = "alerting_delete_email_account_access"
+val ALERTING_INDEX_EMAIL_GROUP_ACCESS = "alerting_index_email_group_access"
+val ALERTING_GET_EMAIL_GROUP_ACCESS = "alerting_get_email_group_access"
+val ALERTING_SEARCH_EMAIL_GROUP_ACCESS = "alerting_search_email_group_access"
+val ALERTING_DELETE_EMAIL_GROUP_ACCESS = "alerting_delete_email_group_access"
+val ALERTING_INDEX_MONITOR_ACCESS = "alerting_index_monitor_access"
+val ALERTING_GET_MONITOR_ACCESS = "alerting_get_monitor_access"
+val ALERTING_SEARCH_MONITOR_ONLY_ACCESS = "alerting_search_monitor_access"
+val ALERTING_EXECUTE_MONITOR_ACCESS = "alerting_execute_monitor_access"
+val ALERTING_DELETE_MONITOR_ACCESS = "alerting_delete_monitor_access"
+val ALERTING_INDEX_DESTINATION_ACCESS = "alerting_index_destination_access"
+val ALERTING_GET_DESTINATION_ACCESS = "alerting_get_destination_access"
+val ALERTING_DELETE_DESTINATION_ACCESS = "alerting_delete_destination_access"
+val ALERTING_GET_ALERTS_ACCESS = "alerting_get_alerts_access"
+
+val ROLE_TO_PERMISSION_MAPPING = mapOf(
+    ALERTING_NO_ACCESS_ROLE to "",
+    ALERTING_INDEX_EMAIL_ACCOUNT_ACCESS to "cluster:admin/opendistro/alerting/destination/email_account/write",
+    ALERTING_GET_EMAIL_ACCOUNT_ACCESS to "cluster:admin/opendistro/alerting/destination/email_account/get",
+    ALERTING_SEARCH_EMAIL_ACCOUNT_ACCESS to "cluster:admin/opendistro/alerting/destination/email_account/search",
+    ALERTING_DELETE_EMAIL_ACCOUNT_ACCESS to "cluster:admin/opendistro/alerting/destination/email_account/delete",
+    ALERTING_INDEX_EMAIL_GROUP_ACCESS to "cluster:admin/opendistro/alerting/destination/email_group/write",
+    ALERTING_GET_EMAIL_GROUP_ACCESS to "cluster:admin/opendistro/alerting/destination/email_group/get",
+    ALERTING_SEARCH_EMAIL_GROUP_ACCESS to "cluster:admin/opendistro/alerting/destination/email_group/search",
+    ALERTING_DELETE_EMAIL_GROUP_ACCESS to "cluster:admin/opendistro/alerting/destination/email_group/delete",
+    ALERTING_INDEX_MONITOR_ACCESS to "cluster:admin/opendistro/alerting/monitor/write",
+    ALERTING_GET_MONITOR_ACCESS to "cluster:admin/opendistro/alerting/monitor/get",
+    ALERTING_SEARCH_MONITOR_ONLY_ACCESS to "cluster:admin/opendistro/alerting/monitor/search",
+    ALERTING_EXECUTE_MONITOR_ACCESS to "cluster:admin/opendistro/alerting/monitor/execute",
+    ALERTING_DELETE_MONITOR_ACCESS to "cluster:admin/opendistro/alerting/monitor/delete",
+    ALERTING_INDEX_DESTINATION_ACCESS to "cluster:admin/opendistro/alerting/destination/write",
+    ALERTING_GET_DESTINATION_ACCESS to "cluster:admin/opendistro/alerting/destination/get",
+    ALERTING_DELETE_DESTINATION_ACCESS to "cluster:admin/opendistro/alerting/destination/delete",
+    ALERTING_GET_ALERTS_ACCESS to "cluster:admin/opendistro/alerting/alerts/get"
+)