From 061d2da8df46849a9d80c81151147dd140594177 Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Tue, 27 Jun 2023 13:46:55 +0200 Subject: [PATCH] REST API code cleaning (Part 1) Removed redundant classes for the request content validation Signed-off-by: Andrey Pleskach --- .../AbstractConfigurationValidator.java | 353 ------------------ .../rest/validation/AccountValidator.java | 27 -- .../rest/validation/ActionGroupValidator.java | 37 -- .../rest/validation/AllowlistValidator.java | 26 -- .../dlic/rest/validation/AuditValidator.java | 83 ---- .../rest/validation/CredentialsValidator.java | 83 ---- .../validation/InternalUsersValidator.java | 37 -- .../MultiTenancyConfigValidator.java | 31 -- .../dlic/rest/validation/NoOpValidator.java | 24 -- .../rest/validation/NodesDnValidator.java | 27 -- .../validation/RolesMappingValidator.java | 41 -- .../dlic/rest/validation/RolesValidator.java | 85 ----- .../validation/SecurityConfigValidator.java | 26 -- .../dlic/rest/validation/TenantValidator.java | 49 --- .../rest/validation/WhitelistValidator.java | 26 -- 15 files changed, 955 deletions(-) delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/AccountValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/ActionGroupValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/InternalUsersValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/MultiTenancyConfigValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/NoOpValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/NodesDnValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/RolesMappingValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/RolesValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/SecurityConfigValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/TenantValidator.java delete mode 100644 src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java deleted file mode 100644 index 51d58d75f6..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java +++ /dev/null @@ -1,353 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import java.io.IOException; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Map.Entry; -import java.util.Set; - -import com.fasterxml.jackson.core.JsonFactory; -import com.fasterxml.jackson.core.JsonParser; -import com.fasterxml.jackson.core.JsonToken; -import com.fasterxml.jackson.databind.JsonNode; -import com.google.common.base.Joiner; -import com.google.common.collect.ImmutableList; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.common.xcontent.XContentHelper; -import org.opensearch.common.xcontent.XContentType; -import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestChannel; -import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestRequest.Method; -import org.opensearch.security.DefaultObjectMapper; -import org.opensearch.security.support.ConfigConstants; - -public abstract class AbstractConfigurationValidator { - - JsonFactory factory = new JsonFactory(); - - /* public for testing */ - public final static String INVALID_KEYS_KEY = "invalid_keys"; - - /* public for testing */ - public final static String MISSING_MANDATORY_KEYS_KEY = "missing_mandatory_keys"; - - /* public for testing */ - public final static String MISSING_MANDATORY_OR_KEYS_KEY = "specify_one_of"; - - protected final Logger log = LogManager.getLogger(this.getClass()); - - /** Define the various keys for this validator */ - protected final Map allowedKeys = new HashMap<>(); - - protected final Set mandatoryKeys = new HashSet<>(); - - protected final Set mandatoryOrKeys = new HashSet<>(); - - protected final Map wrongDatatypes = new HashMap<>(); - - /** Contain errorneous keys */ - protected final Set missingMandatoryKeys = new HashSet<>(); - - protected final Set invalidKeys = new HashSet<>(); - - protected final Set missingMandatoryOrKeys = new HashSet<>(); - - /** The error type */ - protected ErrorType errorType = ErrorType.NONE; - - /** Behaviour regarding payload */ - protected boolean payloadMandatory = false; - - protected boolean payloadAllowed = true; - - protected final Method method; - - protected final BytesReference content; - - protected final Settings opensearchSettings; - - protected final RestRequest request; - - protected final Object[] param; - - private JsonNode contentAsNode; - - public AbstractConfigurationValidator( - final RestRequest request, - final BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - this.content = ref; - this.method = request.method(); - this.opensearchSettings = opensearchSettings; - this.request = request; - this.param = param; - } - - public JsonNode getContentAsNode() { - return contentAsNode; - } - - /** - * - * @return false if validation fails - */ - public boolean validate() { - // no payload for DELETE and GET requests - if (method.equals(Method.DELETE) || method.equals(Method.GET)) { - return true; - } - - if (this.payloadMandatory && content.length() == 0) { - this.errorType = ErrorType.PAYLOAD_MANDATORY; - return false; - } - - if (!this.payloadMandatory && content.length() == 0) { - return true; - } - - if (this.payloadMandatory && content.length() > 0) { - - try { - if (DefaultObjectMapper.readTree(content.utf8ToString()).size() == 0) { - this.errorType = ErrorType.PAYLOAD_MANDATORY; - return false; - } - - } catch (IOException e) { - log.error(errorType.BODY_NOT_PARSEABLE.toString(), e); - this.errorType = ErrorType.BODY_NOT_PARSEABLE; - return false; - } - } - - if (!this.payloadAllowed && content.length() > 0) { - this.errorType = ErrorType.PAYLOAD_NOT_ALLOWED; - return false; - } - - // try to parse payload - Set requested = new HashSet(); - try { - contentAsNode = DefaultObjectMapper.readTree(content.utf8ToString()); - requested.addAll(ImmutableList.copyOf(contentAsNode.fieldNames())); - } catch (Exception e) { - log.error(errorType.BODY_NOT_PARSEABLE.toString(), e); - this.errorType = ErrorType.BODY_NOT_PARSEABLE; - return false; - } - - // mandatory settings, one of ... - if (Collections.disjoint(requested, mandatoryOrKeys)) { - this.missingMandatoryOrKeys.addAll(mandatoryOrKeys); - } - - // mandatory settings - Set mandatory = new HashSet<>(mandatoryKeys); - mandatory.removeAll(requested); - missingMandatoryKeys.addAll(mandatory); - - // invalid settings - Set allowed = new HashSet<>(allowedKeys.keySet()); - requested.removeAll(allowed); - this.invalidKeys.addAll(requested); - boolean valid = missingMandatoryKeys.isEmpty() && invalidKeys.isEmpty() && missingMandatoryOrKeys.isEmpty(); - if (!valid) { - this.errorType = ErrorType.INVALID_CONFIGURATION; - } - - // check types - try { - if (!checkDatatypes()) { - this.errorType = ErrorType.WRONG_DATATYPE; - return false; - } - } catch (Exception e) { - log.error(errorType.BODY_NOT_PARSEABLE.toString(), e); - this.errorType = ErrorType.BODY_NOT_PARSEABLE; - return false; - } - - // null element in the values of all the possible keys with DataType as ARRAY - for (Entry allowedKey : allowedKeys.entrySet()) { - JsonNode value = contentAsNode.get(allowedKey.getKey()); - if (value != null) { - if (hasNullArrayElement(value)) { - this.errorType = ErrorType.NULL_ARRAY_ELEMENT; - return false; - } - } - } - return valid; - } - - private boolean checkDatatypes() throws Exception { - String contentAsJson = XContentHelper.convertToJson(content, false, XContentType.JSON); - try (JsonParser parser = factory.createParser(contentAsJson)) { - JsonToken token = null; - while ((token = parser.nextToken()) != null) { - if (token.equals(JsonToken.FIELD_NAME)) { - String currentName = parser.getCurrentName(); - DataType dataType = allowedKeys.get(currentName); - if (dataType != null) { - JsonToken valueToken = parser.nextToken(); - switch (dataType) { - case STRING: - if (!valueToken.equals(JsonToken.VALUE_STRING)) { - wrongDatatypes.put(currentName, "String expected"); - } - break; - case ARRAY: - if (!valueToken.equals(JsonToken.START_ARRAY) && !valueToken.equals(JsonToken.END_ARRAY)) { - wrongDatatypes.put(currentName, "Array expected"); - } - break; - case OBJECT: - if (!valueToken.equals(JsonToken.START_OBJECT) && !valueToken.equals(JsonToken.END_OBJECT)) { - wrongDatatypes.put(currentName, "Object expected"); - } - break; - } - } - } - } - return wrongDatatypes.isEmpty(); - } - } - - public XContentBuilder errorsAsXContent(RestChannel channel) { - try { - final XContentBuilder builder = channel.newBuilder(); - builder.startObject(); - switch (this.errorType) { - case NONE: - builder.field("status", "error"); - builder.field("reason", errorType.getMessage()); - break; - case INVALID_CONFIGURATION: - builder.field("status", "error"); - builder.field("reason", ErrorType.INVALID_CONFIGURATION.getMessage()); - addErrorMessage(builder, INVALID_KEYS_KEY, invalidKeys); - addErrorMessage(builder, MISSING_MANDATORY_KEYS_KEY, missingMandatoryKeys); - addErrorMessage(builder, MISSING_MANDATORY_OR_KEYS_KEY, missingMandatoryKeys); - break; - case INVALID_PASSWORD: - builder.field("status", "error"); - builder.field( - "reason", - opensearchSettings.get( - ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, - "Password does not match minimum criteria" - ) - ); - break; - case WEAK_PASSWORD: - case SIMILAR_PASSWORD: - builder.field("status", "error"); - builder.field( - "reason", - opensearchSettings.get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, errorType.message) - ); - break; - case WRONG_DATATYPE: - builder.field("status", "error"); - builder.field("reason", ErrorType.WRONG_DATATYPE.getMessage()); - for (Entry entry : wrongDatatypes.entrySet()) { - builder.field(entry.getKey(), entry.getValue()); - } - break; - case NULL_ARRAY_ELEMENT: - builder.field("status", "error"); - builder.field("reason", ErrorType.NULL_ARRAY_ELEMENT.getMessage()); - break; - default: - builder.field("status", "error"); - builder.field("reason", errorType.getMessage()); - - } - builder.endObject(); - return builder; - } catch (IOException ex) { - log.error("Cannot build error settings", ex); - return null; - } - } - - private void addErrorMessage(final XContentBuilder builder, final String message, final Set keys) throws IOException { - if (!keys.isEmpty()) { - builder.startObject(message); - builder.field("keys", Joiner.on(",").join(keys.toArray(new String[0]))); - builder.endObject(); - } - } - - public static enum DataType { - STRING, - ARRAY, - OBJECT, - BOOLEAN; - } - - public static enum ErrorType { - NONE("ok"), - INVALID_CONFIGURATION("Invalid configuration"), - INVALID_PASSWORD("Invalid password"), - WEAK_PASSWORD("Weak password"), - SIMILAR_PASSWORD("Password is similar to user name"), - WRONG_DATATYPE("Wrong datatype"), - BODY_NOT_PARSEABLE("Could not parse content of request."), - PAYLOAD_NOT_ALLOWED("Request body not allowed for this action."), - PAYLOAD_MANDATORY("Request body required for this action."), - SECURITY_NOT_INITIALIZED("Security index not initialized"), - NULL_ARRAY_ELEMENT("`null` is not allowed as json array element"); - - private String message; - - private ErrorType(String message) { - this.message = message; - } - - public String getMessage() { - return message; - } - } - - protected final boolean hasParams() { - return param != null && param.length > 0; - } - - private boolean hasNullArrayElement(JsonNode node) { - for (JsonNode element : node) { - if (element.isNull()) { - if (node.isArray()) { - return true; - } - } else if (element.isContainerNode()) { - if (hasNullArrayElement(element)) { - return true; - } - } - } - return false; - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AccountValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AccountValidator.java deleted file mode 100644 index 32cf06078b..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/AccountValidator.java +++ /dev/null @@ -1,27 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -/** - * Validator for Account Api Action. - */ -public class AccountValidator extends CredentialsValidator { - public AccountValidator(RestRequest request, BytesReference ref, Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - allowedKeys.put("current_password", DataType.STRING); - mandatoryKeys.add("current_password"); - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/ActionGroupValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/ActionGroupValidator.java deleted file mode 100644 index a9f298fb15..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/ActionGroupValidator.java +++ /dev/null @@ -1,37 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class ActionGroupValidator extends AbstractConfigurationValidator { - - public ActionGroupValidator( - final RestRequest request, - boolean isSuperAdmin, - BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("allowed_actions", DataType.ARRAY); - allowedKeys.put("description", DataType.STRING); - allowedKeys.put("type", DataType.STRING); - if (isSuperAdmin) allowedKeys.put("reserved", DataType.BOOLEAN); - - mandatoryKeys.add("allowed_actions"); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java deleted file mode 100644 index 5b53a1fb49..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/AllowlistValidator.java +++ /dev/null @@ -1,26 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class AllowlistValidator extends AbstractConfigurationValidator { - - public AllowlistValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("enabled", DataType.BOOLEAN); - allowedKeys.put("requests", DataType.OBJECT); - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java deleted file mode 100644 index 1bff373c0d..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import java.util.Set; - -import com.google.common.collect.ImmutableSet; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; -import org.opensearch.security.DefaultObjectMapper; -import org.opensearch.security.auditlog.config.AuditConfig; -import org.opensearch.security.auditlog.impl.AuditCategory; - -public class AuditValidator extends AbstractConfigurationValidator { - - private static final Set DISABLED_REST_CATEGORIES = ImmutableSet.of( - AuditCategory.BAD_HEADERS, - AuditCategory.SSL_EXCEPTION, - AuditCategory.AUTHENTICATED, - AuditCategory.FAILED_LOGIN, - AuditCategory.GRANTED_PRIVILEGES, - AuditCategory.MISSING_PRIVILEGES - ); - - private static final Set DISABLED_TRANSPORT_CATEGORIES = ImmutableSet.of( - AuditCategory.BAD_HEADERS, - AuditCategory.SSL_EXCEPTION, - AuditCategory.AUTHENTICATED, - AuditCategory.FAILED_LOGIN, - AuditCategory.GRANTED_PRIVILEGES, - AuditCategory.MISSING_PRIVILEGES, - AuditCategory.INDEX_EVENT, - AuditCategory.OPENDISTRO_SECURITY_INDEX_ATTEMPT - ); - - public AuditValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, final Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - this.allowedKeys.put("enabled", DataType.BOOLEAN); - this.allowedKeys.put("audit", DataType.OBJECT); - this.allowedKeys.put("compliance", DataType.OBJECT); - } - - @Override - public boolean validate() { - if (!super.validate()) { - return false; - } - - if ((request.method() == RestRequest.Method.PUT || request.method() == RestRequest.Method.PATCH) - && this.content != null - && this.content.length() > 0) { - try { - // try parsing to target type - final AuditConfig auditConfig = DefaultObjectMapper.readTree(getContentAsNode(), AuditConfig.class); - final AuditConfig.Filter filter = auditConfig.getFilter(); - if (!DISABLED_REST_CATEGORIES.containsAll(filter.getDisabledRestCategories())) { - throw new IllegalArgumentException("Invalid REST categories passed in the request"); - } - if (!DISABLED_TRANSPORT_CATEGORIES.containsAll(filter.getDisabledTransportCategories())) { - throw new IllegalArgumentException("Invalid transport categories passed in the request"); - } - } catch (Exception e) { - // this.content is not valid json - this.errorType = ErrorType.BODY_NOT_PARSEABLE; - log.error("Invalid content passed in the request", e); - return false; - } - } - return true; - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java deleted file mode 100644 index a0f67c97ce..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import java.util.Map; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.compress.NotXContentException; -import org.opensearch.common.settings.Settings; -import org.opensearch.common.xcontent.XContentHelper; -import org.opensearch.common.xcontent.XContentType; -import org.opensearch.core.common.Strings; -import org.opensearch.rest.RestRequest; -import org.opensearch.security.ssl.util.Utils; - -/** - * Validator for validating password and hash present in the payload - */ -public class CredentialsValidator extends AbstractConfigurationValidator { - - private final PasswordValidator passwordValidator; - - public CredentialsValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - this.passwordValidator = PasswordValidator.of(opensearchSettings); - allowedKeys.put("hash", DataType.STRING); - allowedKeys.put("password", DataType.STRING); - } - - /** - * Function to validate password in the content body. - * @return true if validation is successful else false - */ - @Override - public boolean validate() { - if (!super.validate()) { - return false; - } - if ((request.method() == RestRequest.Method.PUT || request.method() == RestRequest.Method.PATCH) - && this.content != null - && this.content.length() > 1) { - try { - final Map contentAsMap = XContentHelper.convertToMap(this.content, false, XContentType.JSON).v2(); - final String password = (String) contentAsMap.get("password"); - if (password != null) { - // Password is not allowed to be empty if present. - if (password.isEmpty()) { - this.errorType = ErrorType.INVALID_PASSWORD; - return false; - } - final String username = Utils.coalesce(request.param("name"), hasParams() ? (String) param[0] : null); - if (Strings.isNullOrEmpty(username)) { - if (log.isDebugEnabled()) { - log.debug("Unable to validate username because no user is given"); - } - return false; - } - final ErrorType passwordValidationResult = passwordValidator.validate(username, password); - if (passwordValidationResult != ErrorType.NONE) { - this.errorType = passwordValidationResult; - return false; - } - } - } catch (NotXContentException e) { - // this.content is not valid json/yaml - log.error("Invalid xContent: " + e, e); - return false; - } - } - return true; - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/InternalUsersValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/InternalUsersValidator.java deleted file mode 100644 index 9681c47232..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/InternalUsersValidator.java +++ /dev/null @@ -1,37 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -/** - * Validator for Internal Users Api Action. - */ -public class InternalUsersValidator extends CredentialsValidator { - - public InternalUsersValidator( - final RestRequest request, - boolean isSuperAdmin, - BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - super(request, ref, opensearchSettings, param); - allowedKeys.put("backend_roles", DataType.ARRAY); - allowedKeys.put("attributes", DataType.OBJECT); - allowedKeys.put("description", DataType.STRING); - allowedKeys.put("opendistro_security_roles", DataType.ARRAY); - if (isSuperAdmin) allowedKeys.put("reserved", DataType.BOOLEAN); - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/MultiTenancyConfigValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/MultiTenancyConfigValidator.java deleted file mode 100644 index 42f86dbee5..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/MultiTenancyConfigValidator.java +++ /dev/null @@ -1,31 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class MultiTenancyConfigValidator extends AbstractConfigurationValidator { - - public static final String DEFAULT_TENANT_JSON_PROPERTY = "default_tenant"; - public static final String PRIVATE_TENANT_ENABLED_JSON_PROPERTY = "private_tenant_enabled"; - public static final String MULTITENANCY_ENABLED_JSON_PROPERTY = "multitenancy_enabled"; - - public MultiTenancyConfigValidator(RestRequest request, BytesReference ref, Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put(DEFAULT_TENANT_JSON_PROPERTY, DataType.STRING); - allowedKeys.put(PRIVATE_TENANT_ENABLED_JSON_PROPERTY, DataType.BOOLEAN); - allowedKeys.put(MULTITENANCY_ENABLED_JSON_PROPERTY, DataType.BOOLEAN); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/NoOpValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/NoOpValidator.java deleted file mode 100644 index 7c64102091..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/NoOpValidator.java +++ /dev/null @@ -1,24 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class NoOpValidator extends AbstractConfigurationValidator { - - public NoOpValidator(final RestRequest request, BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/NodesDnValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/NodesDnValidator.java deleted file mode 100644 index c98df1de0a..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/NodesDnValidator.java +++ /dev/null @@ -1,27 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class NodesDnValidator extends AbstractConfigurationValidator { - - public NodesDnValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - - allowedKeys.put("nodes_dn", DataType.ARRAY); - mandatoryKeys.add("nodes_dn"); - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/RolesMappingValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/RolesMappingValidator.java deleted file mode 100644 index 728c2e0ca0..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/RolesMappingValidator.java +++ /dev/null @@ -1,41 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class RolesMappingValidator extends AbstractConfigurationValidator { - - public RolesMappingValidator( - final RestRequest request, - boolean isSuperAdmin, - final BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("backend_roles", DataType.ARRAY); - allowedKeys.put("and_backend_roles", DataType.ARRAY); - allowedKeys.put("hosts", DataType.ARRAY); - allowedKeys.put("users", DataType.ARRAY); - allowedKeys.put("description", DataType.STRING); - if (isSuperAdmin) allowedKeys.put("reserved", DataType.BOOLEAN); - - mandatoryOrKeys.add("backend_roles"); - mandatoryOrKeys.add("and_backend_roles"); - mandatoryOrKeys.add("hosts"); - mandatoryOrKeys.add("users"); - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/RolesValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/RolesValidator.java deleted file mode 100644 index 2e57730e41..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/RolesValidator.java +++ /dev/null @@ -1,85 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import java.util.List; - -import com.jayway.jsonpath.JsonPath; -import com.jayway.jsonpath.ReadContext; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; -import org.opensearch.security.configuration.MaskedField; -import org.opensearch.security.configuration.Salt; - -public class RolesValidator extends AbstractConfigurationValidator { - - private static final Salt SALT = new Salt(new byte[] { 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 6 }); - - public RolesValidator( - final RestRequest request, - boolean isSuperAdmin, - final BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("cluster_permissions", DataType.ARRAY); - allowedKeys.put("tenant_permissions", DataType.ARRAY); - allowedKeys.put("index_permissions", DataType.ARRAY); - allowedKeys.put("description", DataType.STRING); - if (isSuperAdmin) allowedKeys.put("reserved", DataType.BOOLEAN); - } - - @Override - public boolean validate() { - - if (!super.validate()) { - return false; - } - - boolean valid = true; - - if (this.content != null && this.content.length() > 0) { - - final ReadContext ctx = JsonPath.parse(this.content.utf8ToString()); - final List maskedFields = ctx.read("$..masked_fields[*]"); - - if (maskedFields != null) { - - for (String mf : maskedFields) { - if (!validateMaskedFieldSyntax(mf)) { - valid = false; - } - } - } - } - - if (!valid) { - this.errorType = ErrorType.WRONG_DATATYPE; - } - - return valid; - } - - private boolean validateMaskedFieldSyntax(String mf) { - try { - new MaskedField(mf, SALT).isValid(); - } catch (Exception e) { - wrongDatatypes.put("Masked field not valid: " + mf, e.getMessage()); - return false; - } - return true; - } -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/SecurityConfigValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/SecurityConfigValidator.java deleted file mode 100644 index cd2ee56b4a..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/SecurityConfigValidator.java +++ /dev/null @@ -1,26 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class SecurityConfigValidator extends AbstractConfigurationValidator { - - public SecurityConfigValidator(final RestRequest request, BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("dynamic", DataType.OBJECT); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/TenantValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/TenantValidator.java deleted file mode 100644 index 51e0e97264..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/TenantValidator.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2015-2017 floragunn GmbH - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class TenantValidator extends AbstractConfigurationValidator { - - public TenantValidator( - final RestRequest request, - boolean isSuperAdmin, - BytesReference ref, - final Settings opensearchSettings, - Object... param - ) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("description", DataType.STRING); - if (isSuperAdmin) allowedKeys.put("reserved", DataType.BOOLEAN); - } - -} diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java deleted file mode 100644 index cf85b248d4..0000000000 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/WhitelistValidator.java +++ /dev/null @@ -1,26 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.validation; - -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.settings.Settings; -import org.opensearch.rest.RestRequest; - -public class WhitelistValidator extends AbstractConfigurationValidator { - - public WhitelistValidator(final RestRequest request, final BytesReference ref, final Settings opensearchSettings, Object... param) { - super(request, ref, opensearchSettings, param); - this.payloadMandatory = true; - allowedKeys.put("enabled", DataType.BOOLEAN); - allowedKeys.put("requests", DataType.OBJECT); - } -}