From 5c11264f122bb9305cd5b9a99fe88439869d7fe2 Mon Sep 17 00:00:00 2001 From: Jochen Kressin Date: Wed, 23 Mar 2022 11:15:18 +0100 Subject: [PATCH 1/6] Remove code related to TransportClient auth/auth (#1578) Signed-off-by: Jochen Kressin --- .../security/OpenSearchSecurityPlugin.java | 2 +- .../security/auth/BackendRegistry.java | 255 ------------------ .../security/configuration/AdminDNs.java | 6 - .../security/filter/SecurityFilter.java | 20 +- .../securityconf/DynamicConfigModel.java | 3 - .../security/ssl/util/ExceptionUtils.java | 4 + .../transport/SecurityInterceptor.java | 2 +- .../transport/SecurityRequestHandler.java | 63 +---- .../ccstest/CrossClusterSearchTests.java | 2 +- .../security/filter/SecurityFilterTest.java | 10 +- .../test/AbstractSecurityUnitTest.java | 2 +- 11 files changed, 17 insertions(+), 352 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 136e40014c..2a5ced08cb 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -801,7 +801,7 @@ public Collection createComponents(Client localClient, ClusterService cl evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog, settings, privilegesInterceptor, cih, irr, dlsFlsEnabled, namedXContentRegistry); - sf = new SecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry, namedXContentRegistry); + sf = new SecurityFilter(settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr); final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null); 
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java index 5e58c1ac9f..0f9ce30cc8 100644 --- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java +++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java @@ -42,10 +42,6 @@ import java.util.concurrent.Callable; import java.util.concurrent.TimeUnit; -import javax.naming.InvalidNameException; -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; - import org.slf4j.LoggerFactory; import org.slf4j.Logger; import org.opensearch.OpenSearchSecurityException; @@ -64,12 +60,9 @@ import org.opensearch.security.securityconf.DynamicConfigModel; import org.opensearch.security.ssl.util.Utils; import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.support.HTTPHelper; import org.opensearch.security.user.AuthCredentials; import org.opensearch.security.user.User; -import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.TransportRequest; import org.greenrobot.eventbus.Subscribe; import com.google.common.base.Strings; @@ -84,8 +77,6 @@ public class BackendRegistry { protected final Logger log = LoggerFactory.getLogger(this.getClass()); private SortedSet restAuthDomains; private Set restAuthorizers; - private SortedSet transportAuthDomains; - private Set transportAuthorizers; private List ipAuthFailureListeners; private Multimap authBackendFailureListeners; 
@@ -105,15 +96,8 @@ public class BackendRegistry { private final int ttlInMin; private Cache userCache; //rest standard private Cache restImpersonationCache; //used for rest impersonation - private Cache userCacheTransport; //transport no creds, possibly impersonated - private Cache authenticatedUserCacheTransport; //transport creds, no impersonation - - private Cache> transportRoleCache; // private Cache> restRoleCache; // - private Cache transportImpersonationCache; //used for transport impersonation - private volatile String transportUsernameAttribute = null; - private void createCaches() { userCache = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) .removalListener(new RemovalListener() { @@ -123,22 +107,6 @@ public void onRemoval(RemovalNotification notification) { } }).build(); - userCacheTransport = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) - .removalListener(new RemovalListener() { - @Override - public void onRemoval(RemovalNotification notification) { - log.debug("Clear user cache for {} due to {}", notification.getKey(), notification.getCause()); - } - }).build(); - - authenticatedUserCacheTransport = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) - .removalListener(new RemovalListener() { - @Override - public void onRemoval(RemovalNotification notification) { - log.debug("Clear user cache for {} due to {}", notification.getKey().getUsername(), notification.getCause()); - } - }).build(); - restImpersonationCache = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) .removalListener(new RemovalListener() { @Override 
@@ -147,14 +115,6 @@ public void onRemoval(RemovalNotification notification) { } }).build(); - transportRoleCache = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) - .removalListener(new RemovalListener>() { - @Override - public void onRemoval(RemovalNotification> notification) { - log.debug("Clear user cache for {} due to {}", notification.getKey(), notification.getCause()); - } - }).build(); - restRoleCache = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) .removalListener(new RemovalListener>() { @Override @@ -163,14 +123,6 @@ public void onRemoval(RemovalNotification> notification) { } }).build(); - transportImpersonationCache = CacheBuilder.newBuilder().expireAfterWrite(ttlInMin, TimeUnit.MINUTES) - .removalListener(new RemovalListener() { - @Override - public void onRemoval(RemovalNotification notification) { - log.debug("Clear user cache for {} due to {}", notification.getKey(), notification.getCause()); - } - }).build(); - } public BackendRegistry(final Settings settings, final AdminDNs adminDns, 
@@ -197,26 +149,19 @@ public boolean isInitialized() { public void invalidateCache() { userCache.invalidateAll(); - userCacheTransport.invalidateAll(); - authenticatedUserCacheTransport.invalidateAll(); restImpersonationCache.invalidateAll(); restRoleCache.invalidateAll(); - transportRoleCache.invalidateAll(); - transportImpersonationCache.invalidateAll(); } @Subscribe public void onDynamicConfigModelChanged(DynamicConfigModel dcm) { invalidateCache(); - transportUsernameAttribute = dcm.getTransportUsernameAttribute();// config.dynamic.transport_userrname_attribute; anonymousAuthEnabled = dcm.isAnonymousAuthenticationEnabled()//config.dynamic.http.anonymous_auth_enabled && !opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false); restAuthDomains = Collections.unmodifiableSortedSet(dcm.getRestAuthDomains()); - transportAuthDomains = Collections.unmodifiableSortedSet(dcm.getTransportAuthDomains()); restAuthorizers = Collections.unmodifiableSet(dcm.getRestAuthorizers()); - transportAuthorizers = Collections.unmodifiableSet(dcm.getTransportAuthorizers()); ipAuthFailureListeners = dcm.getIpAuthFailureListeners(); authBackendFailureListeners = dcm.getAuthBackendFailureListeners(); 
@@ -227,123 +172,6 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) { initialized = !restAuthDomains.isEmpty() || anonymousAuthEnabled || injectedUserEnabled; } - public User authenticate(final TransportRequest request, final String sslPrincipal, final Task task, final String action) { - final boolean isDebugEnabled = log.isDebugEnabled(); - if(isDebugEnabled && request.remoteAddress() != null) { - log.debug("Transport authentication request from {}", request.remoteAddress()); - } - - if (request.remoteAddress() != null && isBlocked(request.remoteAddress().address().getAddress())) { - if (isDebugEnabled) { - log.debug("Rejecting transport request because of blocked address: {}", request.remoteAddress()); - } - return null; - } - - User injectedUser = userInjector.getInjectedUser(); - - if(injectedUser != null) { - auditLog.logSucceededLogin(injectedUser.getName(), true, null, request, action, task); - return injectedUser; - } - - if(sslPrincipal == null) { - return null; - } - - User origPKIUser = new User(sslPrincipal); - - if(adminDns.isAdmin(origPKIUser)) { - auditLog.logSucceededLogin(origPKIUser.getName(), true, null, request, action, task); - return origPKIUser; - } - - if (!isInitialized()) { - log.error("Not yet initialized (you may need to run securityadmin)"); - return null; - } - - final String authorizationHeader = threadPool.getThreadContext().getHeader("Authorization"); - //Use either impersonation OR credentials authentication - //if both is supplied credentials authentication win - final AuthCredentials creds = HTTPHelper.extractCredentials(authorizationHeader, log); - - User impersonatedTransportUser = null; - - if(creds != null) { - if (isDebugEnabled) { - log.debug("User {} submitted also basic credentials: {}", origPKIUser.getName(), creds); - } - } - - //loop over all transport auth domains - for (final AuthDomain authDomain: transportAuthDomains) { - - if (isDebugEnabled) { - log.debug("Check transport authdomain {}/{} or {} 
in total", authDomain.getBackend().getType(), authDomain.getOrder(), transportAuthDomains.size()); - } - - User authenticatedUser = null; - - if(creds == null) { - //no credentials submitted - //impersonation possible - impersonatedTransportUser = impersonate(request, origPKIUser); - origPKIUser = resolveTransportUsernameAttribute(origPKIUser); - authenticatedUser = checkExistsAndAuthz(userCacheTransport, - impersonatedTransportUser == null ? origPKIUser : impersonatedTransportUser, authDomain.getBackend(), transportAuthorizers); - } else { - //auth credentials submitted - //impersonation not possible, if requested it will be ignored - authenticatedUser = authcz(authenticatedUserCacheTransport, transportRoleCache, creds, authDomain.getBackend(), transportAuthorizers); - } - - if (authenticatedUser == null) { - for (AuthFailureListener authFailureListener : authBackendFailureListeners.get(authDomain.getBackend().getClass().getName())) { - authFailureListener.onAuthFailure(request.remoteAddress() != null ? request.remoteAddress().address().getAddress() : null, creds, - request); - } - - if (isDebugEnabled) { - log.debug("Cannot authenticate transport user {} (or add roles) with authdomain {}/{} of {}, try next", creds==null?(impersonatedTransportUser==null?origPKIUser.getName():impersonatedTransportUser.getName()):creds.getUsername(), authDomain.getBackend().getType(), authDomain.getOrder(), transportAuthDomains.size()); - } - continue; - } - - if(adminDns.isAdmin(authenticatedUser)) { - log.error("Cannot authenticate transport user because admin user is not permitted to login"); - auditLog.logFailedLogin(authenticatedUser.getName(), true, null, request, task); - return null; - } - - if (isDebugEnabled) { - log.debug("Transport user '{}' is authenticated", authenticatedUser); - } - - auditLog.logSucceededLogin(authenticatedUser.getName(), false, impersonatedTransportUser == null ? 
null : origPKIUser.getName(), request, - action, task); - - return authenticatedUser; - }//end looping auth domains - - - //auditlog - if(creds == null) { - auditLog.logFailedLogin(impersonatedTransportUser == null ? origPKIUser.getName() : impersonatedTransportUser.getName(), false, - impersonatedTransportUser == null ? null : origPKIUser.getName(), request, task); - } else { - auditLog.logFailedLogin(creds.getUsername(), false, null, request, task); - } - - log.warn("Transport authentication finally failed for {} from {}", - creds == null ? impersonatedTransportUser == null ? origPKIUser.getName() : impersonatedTransportUser.getName() : creds.getUsername(), - request.remoteAddress()); - - notifyIpAuthFailureListeners(request.remoteAddress() != null ? request.remoteAddress().address().getAddress() : null, creds, request); - - return null; - } - /** * * @param request @@ -567,9 +395,6 @@ private void notifyIpAuthFailureListeners(InetAddress remoteAddress, AuthCredent /** * no auditlog, throw no exception, does also authz for all authorizers * - * @param cache - * @param ac - * @param authDomain * @return null if user cannot b authenticated */ private User checkExistsAndAuthz(final Cache cache, final User user, final AuthenticationBackend authenticationBackend, @@ -646,9 +471,6 @@ private void authz(User authenticatedUser, Cache> roleCache, f /** * no auditlog, throw no exception, does also authz for all authorizers * - * @param cache - * @param ac - * @param authDomain * @return null if user cannot b authenticated */ private User authcz(final Cache cache, Cache> roleCache, final AuthCredentials ac, 
@@ -686,65 +508,6 @@ public User call() throws Exception { } } - private User impersonate(final TransportRequest tr, final User origPKIuser) throws OpenSearchSecurityException { - - final String impersonatedUser = threadPool.getThreadContext().getHeader("opendistro_security_impersonate_as"); - - if(Strings.isNullOrEmpty(impersonatedUser)) { - return null; //nothing to do - } - - if (!isInitialized()) { - throw new OpenSearchSecurityException("Could not check for impersonation because OpenSearch Security is not yet initialized"); - } - - if (origPKIuser == null) { - throw new OpenSearchSecurityException("no original PKI user found"); - } - - User aU = origPKIuser; - - if (adminDns.isAdminDN(impersonatedUser)) { - throw new OpenSearchSecurityException( - "'" + origPKIuser.getName() + "' is not allowed to impersonate as an adminuser '" + impersonatedUser + "'"); - } - - try { - if (impersonatedUser != null && !adminDns.isTransportImpersonationAllowed(new LdapName(origPKIuser.getName()), impersonatedUser)) { - throw new OpenSearchSecurityException( - "'"+origPKIuser.getName() + "' is not allowed to impersonate as '" + impersonatedUser+"'"); - } else if (impersonatedUser != null) { - final boolean isDebugEnabled = log.isDebugEnabled(); - //loop over all transport auth domains - for (final AuthDomain authDomain : transportAuthDomains) { - final AuthenticationBackend authenticationBackend = authDomain.getBackend(); - final User impersonatedUserObject = checkExistsAndAuthz(transportImpersonationCache, new User(impersonatedUser), - authenticationBackend, transportAuthorizers); - - if (impersonatedUserObject == null) { - log.debug( - "Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", - origPKIuser.getName(), impersonatedUser, authenticationBackend.getType()); - continue; - } - - if (isDebugEnabled) { - log.debug("Impersonate transport user from '{}' to '{}'", origPKIuser.getName(), impersonatedUser); - 
} - return impersonatedUserObject; - } - - log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists", - origPKIuser.getName(), impersonatedUser); - throw new OpenSearchSecurityException("No such transport user: " + impersonatedUser, RestStatus.FORBIDDEN); - } - } catch (final InvalidNameException e1) { - throw new OpenSearchSecurityException("PKI does not have a valid name ('" + origPKIuser.getName() + "'), should never happen", e1); - } - - return aU; - } - private User impersonate(final RestRequest request, final User originalUser) throws OpenSearchSecurityException { final String impersonatedUserHeader = request.header("opendistro_security_impersonate_as"); @@ -794,24 +557,6 @@ private User impersonate(final RestRequest request, final User originalUser) thr } - private User resolveTransportUsernameAttribute(User pkiUser) { - //#547 - if(transportUsernameAttribute != null && !transportUsernameAttribute.isEmpty()) { - try { - final LdapName sslPrincipalAsLdapName = new LdapName(pkiUser.getName()); - for(final Rdn rdn: sslPrincipalAsLdapName.getRdns()) { - if(rdn.getType().equals(transportUsernameAttribute)) { - return new User((String) rdn.getValue()); - } - } - } catch (InvalidNameException e) { - //cannot happen - } - } - - return pkiUser; - } - private boolean isBlocked(InetAddress address) { if (this.ipClientBlockRegistries == null || this.ipClientBlockRegistries.isEmpty()) { return false; diff --git a/src/main/java/org/opensearch/security/configuration/AdminDNs.java b/src/main/java/org/opensearch/security/configuration/AdminDNs.java index 32c81193af..e6265d8e50 100644 --- a/src/main/java/org/opensearch/security/configuration/AdminDNs.java +++ b/src/main/java/org/opensearch/security/configuration/AdminDNs.java 
@@ -158,12 +158,6 @@ private boolean isAdminDN(LdapName dn) { return isAdmin; } - public boolean isTransportImpersonationAllowed(LdapName dn, String impersonated) { - if(dn == null) return false; - - return isAdminDN(dn) || allowedDnsImpersonations.getOrDefault(dn, WildcardMatcher.NONE).test(impersonated); - } - public boolean isRestImpersonationAllowed(final String originalUser, final String impersonated) { return (originalUser != null) ? allowedRestImpersonations.getOrDefault(originalUser, WildcardMatcher.NONE).test(impersonated) : false; } diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java index 09c683b1cb..7e1d1c5ca1 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java @@ -40,7 +40,6 @@ import org.opensearch.security.support.WildcardMatcher; import com.google.common.annotations.VisibleForTesting; import com.google.common.collect.ImmutableSet; -import org.opensearch.security.auth.BackendRegistry; import org.slf4j.LoggerFactory; import org.slf4j.Logger; @@ -72,13 +71,11 @@ import org.opensearch.action.support.ActionFilter; import org.opensearch.action.support.ActionFilterChain; import org.opensearch.action.update.UpdateRequest; -import org.opensearch.client.Client; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.logging.LoggerMessageFormat; import org.opensearch.common.settings.Settings; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.common.util.concurrent.ThreadContext.StoredContext; -import org.opensearch.common.xcontent.NamedXContentRegistry; import org.opensearch.index.reindex.DeleteByQueryRequest; import org.opensearch.index.reindex.UpdateByQueryRequest; import org.opensearch.rest.RestStatus; 
@@ -116,15 +113,10 @@ public class SecurityFilter implements ActionFilter { private final IndexResolverReplacer indexResolverReplacer; private final WildcardMatcher immutableIndicesMatcher; private final RolesInjector rolesInjector; - private final Client client; - private final BackendRegistry backendRegistry; - private final NamedXContentRegistry namedXContentRegistry; - public SecurityFilter(final Client client, final Settings settings, final PrivilegesEvaluator evalp, final AdminDNs adminDns, + public SecurityFilter(final Settings settings, final PrivilegesEvaluator evalp, final AdminDNs adminDns, DlsFlsRequestValve dlsFlsValve, AuditLog auditLog, ThreadPool threadPool, ClusterService cs, - final CompatConfig compatConfig, final IndexResolverReplacer indexResolverReplacer, BackendRegistry backendRegistry, - NamedXContentRegistry namedXContentRegistry) { - this.client = client; + final CompatConfig compatConfig, final IndexResolverReplacer indexResolverReplacer) { this.evalp = evalp; this.adminDns = adminDns; this.dlsFlsValve = dlsFlsValve; @@ -135,8 +127,6 @@ public SecurityFilter(final Client client, final Settings settings, final Privil this.indexResolverReplacer = indexResolverReplacer; this.immutableIndicesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList())); this.rolesInjector = new RolesInjector(auditLog); - this.backendRegistry = backendRegistry; - this.namedXContentRegistry = namedXContentRegistry; log.info("{} indices are made immutable.", immutableIndicesMatcher); } 
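Review bot: Dropping `backendRegistry` from this constructor also removes SecurityFilter's only visible route to an injected user. The call removed in the `@@ -176,12 +166,7 @@` hunk, `backendRegistry.authenticate(request, null, task, action)`, passed a null principal, so per the deleted `authenticate` body it could only return `userInjector.getInjectedUser()` or null, and it set `enforcePrivilegesEvaluation` to keep such requests off the `Origin.LOCAL` shortcut edited in `@@ -264,7 +249,6 @@`. Unless the injected user is put into the thread context somewhere outside this patch, a local request carrying one now arrives with `user == null` and can take that shortcut to `chain.proceed` without privilege evaluation when its other conditions hold. Consider passing the user injector into this constructor and keeping the guard, `if (user == null && (user = userInjector.getInjectedUser()) != null) { threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); enforcePrivilegesEvaluation = true; }`, together with the `&& !enforcePrivilegesEvaluation` term. The method containing those two hunks starts and ends outside them.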
@@ -176,12 +166,7 @@ private void ap attachSourceFieldContext(request); } final Set injectedRoles = rolesInjector.injectUserAndRoles(request, action, task, threadContext); - boolean enforcePrivilegesEvaluation = false; User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - if(user == null && (user = backendRegistry.authenticate(request, null, task, action)) != null) { - threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); - enforcePrivilegesEvaluation = true; - } final boolean userIsAdmin = isUserAdmin(user, adminDns); final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadContext); @@ -264,7 +249,6 @@ private void ap if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadContext)) && (injectedRoles == null) - && !enforcePrivilegesEvaluation ) { chain.proceed(task, action, request, listener); diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java index eb98d6e5c2..a0f0b0cfad 100644 --- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java +++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java @@ -61,9 +61,6 @@ public abstract class DynamicConfigModel { protected final Logger log = LoggerFactory.getLogger(this.getClass()); public abstract SortedSet getRestAuthDomains(); public abstract Set getRestAuthorizers(); - public abstract SortedSet getTransportAuthDomains(); - public abstract Set getTransportAuthorizers(); - public abstract String getTransportUsernameAttribute(); public abstract boolean isAnonymousAuthenticationEnabled(); public abstract boolean isXffEnabled(); public abstract String getInternalProxies(); 
diff --git a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java index fd014dd7c0..f06c4d9808 100644 --- a/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java +++ b/src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java @@ -58,4 +58,8 @@ public static OpenSearchException createBadHeaderException() { + "is spoofing requests. Check your TLS certificate setup as described here: " + "See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/"); } + + public static OpenSearchException createTransportClientNoLongerSupportedException() { + return new OpenSearchException("Transport client authentication no longer supported."); + } } diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java index 3e2608e7f3..7a5956115e 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java +++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java @@ -113,7 +113,7 @@ public SecurityInterceptor(final Settings settings, public SecurityRequestHandler getHandler(String action, TransportRequestHandler actualHandler) { - return new SecurityRequestHandler(action, actualHandler, threadPool, backendRegistry, auditLog, + return new SecurityRequestHandler(action, actualHandler, threadPool, auditLog, principalExtractor, requestEvalProvider, cs, SSLConfig, sslExceptionHandler); } diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java index 114f6002d3..2f7888f862 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java +++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java 
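Review bot: The text returned by `createTransportClientNoLongerSupportedException()` hides the cause an operator most likely needs. The `CrossClusterSearchTests` hunk in this patch shows the same branch is reached when a node certificate does not match the nodes DN configuration, where the old message pointed at `security.nodes_dn`. A message such as `"Transport client authentication no longer supported. If the sender is a cluster node, verify its certificate against plugins.security.nodes_dn."` keeps the substring the test asserts and says what to check. The factory also lacks Javadoc; `/** Creates the error sent to a transport peer that is not recognised as a cluster node. */` would fit its use in the SecurityRequestHandler hunk, as far as that hunk shows.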
@@ -45,10 +45,8 @@ import org.opensearch.common.transport.TransportAddress; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.search.internal.ShardSearchRequest; -import org.opensearch.security.action.whoami.WhoAmIAction; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.util.ExceptionUtils; -import org.opensearch.security.ssl.util.SSLRequestHelper; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.TransportChannel; @@ -57,13 +55,11 @@ import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.auditlog.AuditLog.Origin; -import org.opensearch.security.auth.BackendRegistry; import org.opensearch.security.ssl.SslExceptionHandler; import org.opensearch.security.support.Base64Helper; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.HeaderHelper; import org.opensearch.security.user.User; -import org.opensearch.security.ssl.transport.SecuritySSLRequestHandler; import org.opensearch.security.ssl.transport.SSLConfig; import com.google.common.base.Strings; @@ -72,16 +68,13 @@ public class SecurityRequestHandler extends SecuritySSLRequestHandler { - private final BackendRegistry backendRegistry; private final AuditLog auditLog; private final InterClusterRequestEvaluator requestEvalProvider; private final ClusterService cs; - private final SSLConfig SSLConfig; SecurityRequestHandler(String action, final TransportRequestHandler actualHandler, final ThreadPool threadPool, - final BackendRegistry backendRegistry, final AuditLog auditLog, final PrincipalExtractor principalExtractor, final InterClusterRequestEvaluator requestEvalProvider, 
@@ -89,11 +82,9 @@ public class SecurityRequestHandler extends Security final SSLConfig SSLConfig, final SslExceptionHandler sslExceptionHandler) { super(action, actualHandler, threadPool, principalExtractor, SSLConfig, sslExceptionHandler); - this.backendRegistry = backendRegistry; this.auditLog = auditLog; this.requestEvalProvider = requestEvalProvider; this.cs = cs; - this.SSLConfig = SSLConfig; } @Override 
@@ -274,56 +265,12 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) { //this is a netty request from a non-server node (maybe also be internal: or a shard request) //and therefore issued by a transport client - if(SSLRequestHelper.containsBadHeader(getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_CONFIG_PREFIX)) { - final OpenSearchException exception = ExceptionUtils.createBadHeaderException(); - auditLog.logBadHeaders(request, task.getAction(), task); - log.error(exception.toString()); - transportChannel.sendResponse(exception); - return; - } - - //TODO OpenSearch Security exception handling, introduce authexception - User user; - //try { - if((user = backendRegistry.authenticate(request, principal, task, task.getAction())) == null) { - org.apache.logging.log4j.ThreadContext.remove("user"); - - if(task.getAction().equals(WhoAmIAction.NAME)) { - super.messageReceivedDecorate(request, handler, transportChannel, task); - return; - } - - if(task.getAction().equals("cluster:monitor/nodes/liveness") - || task.getAction().equals("internal:transport/handshake")) { - super.messageReceivedDecorate(request, handler, transportChannel, task); - return; - } + //since OS 2.0 we do not support this any longer because transport client no longer available - - log.error("Cannot authenticate {} for {}", getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER), task.getAction()); - transportChannel.sendResponse(new OpenSearchSecurityException("Cannot authenticate "+getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER))); - return; - } else { - // make it possible to filter logs by username - org.apache.logging.log4j.ThreadContext.put("user", user.getName()); - } - //} catch (Exception e) { - // log.error("Error authentication transport user "+e, e); - //auditLog.logFailedLogin(principal, false, null, request); - //transportChannel.sendResponse(ExceptionsHelper.convertToOpenSearchException(e)); - //return; - //} - - 
getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); - TransportAddress originalRemoteAddress = request.remoteAddress(); - - if(originalRemoteAddress != null && (originalRemoteAddress instanceof TransportAddress)) { - getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, originalRemoteAddress); - } else { - log.error("Request has no proper remote address {}", originalRemoteAddress); - transportChannel.sendResponse(new OpenSearchException("Request has no proper remote address")); - return; - } + final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException(); + log.error(exception.toString()); + transportChannel.sendResponse(exception); + return; } if (isActionTraceEnabled()) { diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index fa98cd5e0c..c69bf010e5 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -945,7 +945,7 @@ public void testCcsWithDiffCertsWithNoNodesDnUpdate() throws Exception { HttpResponse ccs = rh1.executeGetRequest(uri, encodeBasicHeader("twitter", "nagilum")); System.out.println(ccs.getBody()); assertThat(ccs.getStatusCode(), equalTo(HttpStatus.SC_INTERNAL_SERVER_ERROR)); - assertThat(ccs.getBody(), containsString("no OID or security.nodes_dn incorrect configured")); + assertThat(ccs.getBody(), containsString("Transport client authentication no longer supported")); } @Test diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java index 3454a6d2e9..e9e5940153 100644 --- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java +++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java 
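Review bot: The new rejection branch in `@@ -274,56 +265,12 @@` records nothing in the audit log and only calls `log.error(exception.toString())`, whereas the removed path reported failed transport logins and bad headers through `auditLog`. A connection from a peer that is not a cluster node is something defenders will want in the audit trail, and an error-level line per rejected request is volume that the peer controls. Consider an audit call before `sendResponse`, for example `auditLog.logSSLException(request, exception, task.getAction(), task);` if that category is judged suitable, and a lower or rate-limited log level. The added comment would read more clearly as `// Transport clients were removed in OpenSearch 2.0, so every request from a non-node peer is rejected here.`. The enclosing method starts and ends outside the hunk.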
@@ -79,7 +79,6 @@ public static Collection data() { @Test public void testImmutableIndicesWildcardMatcher() { final SecurityFilter filter = new SecurityFilter( - mock(Client.class), settings, mock(PrivilegesEvaluator.class), mock(AdminDNs.class), @@ -88,9 +87,7 @@ public void testImmutableIndicesWildcardMatcher() { mock(ThreadPool.class), mock(ClusterService.class), mock(CompatConfig.class), - mock(IndexResolverReplacer.class), - mock(BackendRegistry.class), - mock(NamedXContentRegistry.class) + mock(IndexResolverReplacer.class) ); assertEquals(expected, filter.getImmutableIndicesMatcher()); } @@ -104,7 +101,6 @@ public void testUnexepectedCausesAreNotSendToCallers() { final ActionListener listener = mock(ActionListener.class); final SecurityFilter filter = new SecurityFilter( - mock(Client.class), settings, mock(PrivilegesEvaluator.class), mock(AdminDNs.class), @@ -113,9 +109,7 @@ public void testUnexepectedCausesAreNotSendToCallers() { new ThreadPool(Settings.builder().put("node.name", "mock").build()), mock(ClusterService.class), mock(CompatConfig.class), - mock(IndexResolverReplacer.class), - mock(BackendRegistry.class), - mock(NamedXContentRegistry.class) + mock(IndexResolverReplacer.class) ); // Act diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java index a9ed1e07ec..2e259b3ea8 100644 --- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java +++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java @@ -228,7 +228,7 @@ protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslO builder.putList("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De"); builder.put(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false); } - + builder.put("cluster.routing.allocation.disk.threshold_enabled", false); builder.put(other); return builder; 
From 30d73157e75f984a9dcf61ebee74a369b58183b1 Mon Sep 17 00:00:00 2001 From: Jochen Kressin Date: Wed, 23 Mar 2022 16:31:44 +0100 Subject: [PATCH 2/6] Remove Transport Auth auditlog categories (#1578) Signed-off-by: Jochen Kressin --- .../security/auditlog/AuditLog.java | 2 -- .../security/auditlog/NullAuditLog.java | 10 ------ .../auditlog/impl/AbstractAuditLog.java | 32 ------------------- .../security/auditlog/impl/AuditLogImpl.java | 14 -------- .../security/auth/RolesInjector.java | 1 - .../securityconf/DynamicConfigModelV6.java | 12 ------- .../securityconf/DynamicConfigModelV7.java | 12 ------- .../auditlog/impl/DisabledCategoriesTest.java | 15 +-------- 8 files changed, 1 insertion(+), 97 deletions(-) diff --git a/src/main/java/org/opensearch/security/auditlog/AuditLog.java b/src/main/java/org/opensearch/security/auditlog/AuditLog.java index 58740de6c0..a7cda20025 100644 --- a/src/main/java/org/opensearch/security/auditlog/AuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/AuditLog.java @@ -48,9 +48,7 @@ public interface AuditLog extends Closeable { //login - void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, Task task); void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request); - void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, String action, Task task); void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request); //privs diff --git a/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java b/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java index 20b1faa909..06761f5636 100644 --- a/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java 
@@ -52,21 +52,11 @@ public void close() throws IOException { //noop, intentionally left empty } - @Override - public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, Task task) { - //noop, intentionally left empty - } - @Override public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request) { //noop, intentionally left empty } - @Override - public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, String action, Task task) { - //noop, intentionally left empty - } - @Override public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request) { //noop, intentionally left empty diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index 54bdfb9b50..b8f888c779 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java 
@@ -133,23 +133,6 @@ public ComplianceConfig getComplianceConfig() { return this.complianceConfig; } - @Override - public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, Task task) { - final String action = null; - - if(!checkTransportFilter(AuditCategory.FAILED_LOGIN, action, effectiveUser, request)) { - return; - } - - final TransportAddress remoteAddress = getRemoteAddress(); - final List msgs = RequestResolver.resolve(AuditCategory.FAILED_LOGIN, getOrigin(), action, null, effectiveUser, securityadmin, initiatingUser, remoteAddress, request, getThreadContextHeaders(), task, resolver, clusterService, settings, auditConfigFilter.shouldLogRequestBody(), auditConfigFilter.shouldResolveIndices(), auditConfigFilter.shouldResolveBulkRequests(), securityIndex, auditConfigFilter.shouldExcludeSensitiveHeaders(), null); - - for(AuditMessage msg: msgs) { - save(msg); - } - } - - @Override public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request) { 
@@ -168,21 +151,6 @@ public void logFailedLogin(String effectiveUser, boolean securityadmin, String i save(msg); } - @Override - public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, TransportRequest request, String action, Task task) { - - if(!checkTransportFilter(AuditCategory.AUTHENTICATED, action, effectiveUser, request)) { - return; - } - - final TransportAddress remoteAddress = getRemoteAddress(); - final List msgs = RequestResolver.resolve(AuditCategory.AUTHENTICATED, getOrigin(), action, null, effectiveUser, securityadmin, initiatingUser,remoteAddress, request, getThreadContextHeaders(), task, resolver, clusterService, settings, auditConfigFilter.shouldLogRequestBody(), auditConfigFilter.shouldResolveIndices(), auditConfigFilter.shouldResolveBulkRequests(), securityIndex, auditConfigFilter.shouldExcludeSensitiveHeaders(), null); - - for(AuditMessage msg: msgs) { - save(msg); - } - } - @Override public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, RestRequest request) { diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java index 1bb802f291..516ae7a980 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java @@ -128,13 +128,6 @@ protected void save(final AuditMessage msg) { } } - @Override - public void logFailedLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, TransportRequest request, Task task) { - if (enabled) { - super.logFailedLogin(effectiveUser, securityAdmin, initiatingUser, request, task); - } - } - @Override public void logFailedLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, RestRequest request) { if (enabled) { 
@@ -142,13 +135,6 @@ public void logFailedLogin(String effectiveUser, boolean securityAdmin, String i } } - @Override - public void logSucceededLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, TransportRequest request, String action, Task task) { - if (enabled) { - super.logSucceededLogin(effectiveUser, securityAdmin, initiatingUser, request, action, task); - } - } - @Override public void logSucceededLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, RestRequest request) { if (enabled) { diff --git a/src/main/java/org/opensearch/security/auth/RolesInjector.java b/src/main/java/org/opensearch/security/auth/RolesInjector.java index 734a4547fa..af7824b83d 100644 --- a/src/main/java/org/opensearch/security/auth/RolesInjector.java +++ b/src/main/java/org/opensearch/security/auth/RolesInjector.java @@ -82,6 +82,5 @@ private void addUser(final User user, final TransportRequest transportRequest, return; threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); - auditLog.logSucceededLogin(user.getName(), false, null, transportRequest, action, task); } } diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java index 2b72aa5212..ec4286f3e9 100644 --- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java +++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java 
@@ -99,18 +99,6 @@ public Set getRestAuthorizers() { return Collections.unmodifiableSet(restAuthorizers); } @Override - public SortedSet getTransportAuthDomains() { - return Collections.unmodifiableSortedSet(transportAuthDomains); - } - @Override - public Set getTransportAuthorizers() { - return Collections.unmodifiableSet(transportAuthorizers); - } - @Override - public String getTransportUsernameAttribute() { - return config.dynamic.transport_userrname_attribute; - } - @Override public boolean isAnonymousAuthenticationEnabled() { return config.dynamic.http.anonymous_auth_enabled; } diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java index aa4950398a..66fcf9c4ec 100644 --- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java +++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java @@ -99,18 +99,6 @@ public Set getRestAuthorizers() { return Collections.unmodifiableSet(restAuthorizers); } @Override - public SortedSet getTransportAuthDomains() { - return Collections.unmodifiableSortedSet(transportAuthDomains); - } - @Override - public Set getTransportAuthorizers() { - return Collections.unmodifiableSet(transportAuthorizers); - } - @Override - public String getTransportUsernameAttribute() { - return config.dynamic.transport_userrname_attribute; - } - @Override public boolean isAnonymousAuthenticationEnabled() { return config.dynamic.http.anonymous_auth_enabled; } diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java index 454a6a43c2..a6b348733f 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java 
@@ -116,10 +116,8 @@ public void enableAllCategoryTest() throws Exception { Assert.assertTrue(AuditCategory.values()+"#"+result, categoriesPresentInLog(result, filterComplianceCategories(AuditCategory.values()))); - Assert.assertThat(result, containsString("testuser.transport.succeededlogin")); Assert.assertThat(result, containsString("testuser.rest.succeededlogin")); Assert.assertThat(result, containsString("testuser.rest.failedlogin")); - Assert.assertThat(result, containsString("testuser.transport.failedlogin")); Assert.assertThat(result, containsString("privilege.missing")); Assert.assertThat(result, containsString("action.indexattempt")); Assert.assertThat(result, containsString("action.transport.ssl")); @@ -195,7 +193,7 @@ protected boolean categoriesPresentInLog(String result, AuditCategory... categor } protected void logAll(AuditLog auditLog) { - //11 requests + //10 requests logRestFailedLogin(auditLog); logRestBadHeaders(auditLog); logRestSSLException(auditLog); @@ -207,8 +205,6 @@ protected void logAll(AuditLog auditLog) { logTransportSSLException(auditLog); logTransportBadHeaders(auditLog); - logTransportFailedLogin(auditLog); - logTransportSucceededLogin(auditLog); logIndexEvent(auditLog); } 
@@ -217,19 +213,10 @@ protected void logRestSucceededLogin(AuditLog auditLog) { auditLog.logSucceededLogin("testuser.rest.succeededlogin", false, "testuser.rest.succeededlogin", new MockRestRequest()); } - protected void logTransportSucceededLogin(AuditLog auditLog) { - auditLog.logSucceededLogin("testuser.transport.succeededlogin", false, "testuser.transport.succeededlogin", new TransportRequest.Empty(), "test/action", new Task(0, "x", "ac", "", null, null)); - } - - protected void logRestFailedLogin(AuditLog auditLog) { auditLog.logFailedLogin("testuser.rest.failedlogin", false, "testuser.rest.failedlogin", new MockRestRequest()); } - protected void logTransportFailedLogin(AuditLog auditLog) { - auditLog.logFailedLogin("testuser.transport.failedlogin", false, "testuser.transport.failedlogin", new TransportRequest.Empty(), null); - } - protected void logMissingPrivileges(AuditLog auditLog) { auditLog.logMissingPrivileges("privilege.missing", new TransportRequest.Empty(), null); } From 0d4d14f9c56f429733fb7a7738bbe67eb1cad130 Mon Sep 17 00:00:00 2001 From: Jochen Kressin Date: Wed, 23 Mar 2022 23:59:31 +0100 Subject: [PATCH 3/6] Code cosmetic - removed obsolete comment Signed-off-by: Jochen Kressin --- .../security/auditlog/impl/DisabledCategoriesTest.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java index a6b348733f..07f75501fb 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java @@ -193,7 +193,6 @@ protected boolean categoriesPresentInLog(String result, AuditCategory... categor } protected void logAll(AuditLog auditLog) { - //10 requests logRestFailedLogin(auditLog); logRestBadHeaders(auditLog); logRestSSLException(auditLog); 
From bbd7636bd6862018cd2b8f9d20d97c0dc20eab0d Mon Sep 17 00:00:00 2001 From: Jochen Kressin Date: Sun, 10 Apr 2022 16:16:18 +0200 Subject: [PATCH 4/6] Enforce privileges evaluation for injected user (#1578) While we do not need any transport client auth/auth code anymore, we still need to check the privileges of an injected user on transport layer. This functionality was removed by mistake and is reenabled by this commit. Signed-off-by: Jochen Kressin --- .../security/OpenSearchSecurityPlugin.java | 112 ++++++------------ .../security/auth/UserInjector.java | 21 ++-- .../security/filter/SecurityFilter.java | 47 +++++--- .../security/filter/SecurityFilterTest.java | 36 +++--- 4 files changed, 93 insertions(+), 123 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 2a5ced08cb..fa9270dfef 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
@@ -30,45 +30,7 @@ package org.opensearch.security; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.LinkOption; -import java.nio.file.Path; -import java.nio.file.attribute.PosixFilePermission; -import java.security.AccessController; -import java.security.MessageDigest; -import java.security.PrivilegedAction; -import java.security.Security; -import java.util.*; -import java.util.function.Function; -import java.util.function.Predicate; -import java.util.function.Supplier; -import java.util.function.UnaryOperator; -import java.util.stream.Collectors; -import java.util.stream.Stream; - -import org.opensearch.security.auditlog.NullAuditLog; -import org.opensearch.security.auditlog.impl.AuditLogImpl; -import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl; -import org.opensearch.security.configuration.DlsFlsValveImpl; -import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper; -import org.opensearch.security.configuration.PrivilegesInterceptorImpl; -import org.opensearch.security.configuration.Salt; -import org.opensearch.security.dlic.rest.api.SecurityRestApiActions; -import org.opensearch.security.filter.SecurityRestFilter; -import org.opensearch.security.http.SecurityHttpServerTransport; -import org.opensearch.security.rest.SecurityConfigUpdateAction; -import org.opensearch.security.rest.SecurityWhoAmIAction; -import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin; -import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction; -import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction; -import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor; -import org.opensearch.security.transport.SecurityInterceptor; -import org.opensearch.security.setting.OpensearchDynamicSetting; -import org.opensearch.security.setting.TransportPassiveAuthSetting; - -import org.slf4j.LoggerFactory; -import org.slf4j.Logger; +import com.google.common.collect.Lists; import 
org.apache.lucene.search.QueryCachingPolicy; import org.apache.lucene.search.Weight; import org.bouncycastle.jce.provider.BouncyCastleProvider; @@ -92,12 +54,8 @@ import org.opensearch.common.logging.DeprecationLogger; import org.opensearch.common.network.NetworkModule; import org.opensearch.common.network.NetworkService; -import org.opensearch.common.settings.ClusterSettings; -import org.opensearch.common.settings.IndexScopedSettings; -import org.opensearch.common.settings.Setting; +import org.opensearch.common.settings.*; import org.opensearch.common.settings.Setting.Property; -import org.opensearch.common.settings.Settings; -import org.opensearch.common.settings.SettingsFilter; import org.opensearch.common.util.BigArrays; import org.opensearch.common.util.PageCacheRecycler; import org.opensearch.common.util.concurrent.ThreadContext; 
@@ -131,54 +89,62 @@ import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.AuditLogSslExceptionHandler; +import org.opensearch.security.auditlog.NullAuditLog; +import org.opensearch.security.auditlog.impl.AuditLogImpl; import org.opensearch.security.auth.BackendRegistry; import org.opensearch.security.compliance.ComplianceIndexingOperationListener; +import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl; +import org.opensearch.security.configuration.*; +import org.opensearch.security.dlic.rest.api.SecurityRestApiActions; import org.opensearch.security.filter.SecurityFilter; +import org.opensearch.security.filter.SecurityRestFilter; +import org.opensearch.security.http.SecurityHttpServerTransport; import org.opensearch.security.http.SecurityNonSslHttpServerTransport; import org.opensearch.security.http.XFFResolver; import org.opensearch.security.privileges.PrivilegesEvaluator; import org.opensearch.security.privileges.PrivilegesInterceptor; import org.opensearch.security.resolver.IndexResolverReplacer; -import org.opensearch.security.rest.DashboardsInfoAction; -import org.opensearch.security.rest.SecurityHealthAction; -import org.opensearch.security.rest.SecurityInfoAction; -import org.opensearch.security.rest.TenantInfoAction; +import org.opensearch.security.rest.*; import org.opensearch.security.securityconf.DynamicConfigFactory; +import org.opensearch.security.setting.OpensearchDynamicSetting; +import org.opensearch.security.setting.TransportPassiveAuthSetting; +import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin; import org.opensearch.security.ssl.SslExceptionHandler; +import org.opensearch.security.ssl.http.netty.ValidatingDispatcher; +import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction; +import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction; +import 
org.opensearch.security.ssl.transport.DefaultPrincipalExtractor; import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport; import org.opensearch.security.ssl.util.SSLConfigConstants; +import org.opensearch.security.support.*; import org.opensearch.security.transport.DefaultInterClusterRequestEvaluator; import org.opensearch.security.transport.InterClusterRequestEvaluator; +import org.opensearch.security.transport.SecurityInterceptor; import org.opensearch.security.user.User; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; -import org.opensearch.transport.RemoteClusterService; -import org.opensearch.transport.Transport; +import org.opensearch.transport.*; import org.opensearch.transport.Transport.Connection; -import org.opensearch.transport.TransportChannel; -import org.opensearch.transport.TransportInterceptor; -import org.opensearch.transport.TransportRequest; -import org.opensearch.transport.TransportRequestHandler; -import org.opensearch.transport.TransportRequestOptions; -import org.opensearch.transport.TransportResponse; -import org.opensearch.transport.TransportResponseHandler; -import org.opensearch.transport.TransportService; import org.opensearch.watcher.ResourceWatcherService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.configuration.ClusterInfoHolder; -import org.opensearch.security.configuration.CompatConfig; -import org.opensearch.security.configuration.ConfigurationRepository; -import org.opensearch.security.configuration.DlsFlsRequestValve; -import org.opensearch.security.ssl.http.netty.ValidatingDispatcher; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.support.HeaderHelper; -import org.opensearch.security.support.ModuleInfo; -import org.opensearch.security.support.ReflectionHelper; -import org.opensearch.security.support.WildcardMatcher; -import 
org.opensearch.security.support.SecurityUtils; -import org.opensearch.security.support.SecuritySettings; -import com.google.common.collect.Lists; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.LinkOption; +import java.nio.file.Path; +import java.nio.file.attribute.PosixFilePermission; +import java.security.AccessController; +import java.security.MessageDigest; +import java.security.PrivilegedAction; +import java.security.Security; +import java.util.*; +import java.util.function.Function; +import java.util.function.Predicate; +import java.util.function.Supplier; +import java.util.function.UnaryOperator; +import java.util.stream.Collectors; +import java.util.stream.Stream; public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin { @@ -801,7 +767,7 @@ public Collection createComponents(Client localClient, ClusterService cl evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog, settings, privilegesInterceptor, cih, irr, dlsFlsEnabled, namedXContentRegistry); - sf = new SecurityFilter(settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr); + sf = new SecurityFilter(settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, xffResolver); final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null); diff --git a/src/main/java/org/opensearch/security/auth/UserInjector.java b/src/main/java/org/opensearch/security/auth/UserInjector.java index e6ea690906..6d3303393d 100644 --- a/src/main/java/org/opensearch/security/auth/UserInjector.java +++ b/src/main/java/org/opensearch/security/auth/UserInjector.java 
@@ -30,14 +30,7 @@ package org.opensearch.security.auth; -import java.io.ObjectStreamException; -import java.net.InetAddress; -import java.net.UnknownHostException; -import java.util.Arrays; -import java.util.Map; - -import org.slf4j.LoggerFactory; -import org.slf4j.Logger; +import com.google.common.base.Strings; import org.opensearch.common.settings.Settings; import org.opensearch.common.transport.TransportAddress; import org.opensearch.rest.RestRequest; @@ -47,8 +40,14 @@ import org.opensearch.security.support.SecurityUtils; import org.opensearch.security.user.User; import org.opensearch.threadpool.ThreadPool; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -import com.google.common.base.Strings; +import java.io.ObjectStreamException; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.util.Arrays; +import java.util.Map; public class UserInjector { @@ -59,7 +58,7 @@ public class UserInjector { private final XFFResolver xffResolver; private final Boolean injectUserEnabled; - UserInjector(Settings settings, ThreadPool threadPool, AuditLog auditLog, XFFResolver xffResolver) { + public UserInjector(Settings settings, ThreadPool threadPool, AuditLog auditLog, XFFResolver xffResolver) { this.threadPool = threadPool; this.auditLog = auditLog; this.xffResolver = xffResolver; @@ -102,7 +101,7 @@ public void setTransportAddress(String addr) throws UnknownHostException, Illega } } - InjectedUser getInjectedUser() { + public InjectedUser getInjectedUser() { if (!injectUserEnabled) { return null; } diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java index 7e1d1c5ca1..b8cbbea736 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java 
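Review bot: `getInjectedUser()` becomes public in the last hunk without any statement of its contract. The visible body returns `null` when `injectUserEnabled` is false, and the new caller in SecurityFilter relies on that null to decide whether privileges evaluation is enforced. A Javadoc such as `/** Returns the user injected via the thread context, or null when user injection is disabled or no user was injected. */` would make this explicit; the "no user was injected" half is inferred, because the rest of the method lies outside the hunk. The same applies to the constructor, now public, which could say that it is meant to be instantiated by SecurityFilter as well.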
@@ -30,22 +30,11 @@ package org.opensearch.security.filter; -import java.util.Collections; -import java.util.Set; -import java.util.UUID; -import java.util.stream.Collectors; - -import org.opensearch.security.auth.RolesInjector; -import org.opensearch.security.resolver.IndexResolverReplacer; -import org.opensearch.security.support.WildcardMatcher; import com.google.common.annotations.VisibleForTesting; import com.google.common.collect.ImmutableSet; -import org.slf4j.LoggerFactory; -import org.slf4j.Logger; - +import org.opensearch.ExceptionsHelper; import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchSecurityException; -import org.opensearch.ExceptionsHelper; import org.opensearch.ResourceAlreadyExistsException; import org.opensearch.action.ActionListener; import org.opensearch.action.ActionRequest; 
@@ -82,20 +71,27 @@ import org.opensearch.security.action.whoami.WhoAmIAction; import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.auditlog.AuditLog.Origin; +import org.opensearch.security.auth.RolesInjector; +import org.opensearch.security.auth.UserInjector; import org.opensearch.security.compliance.ComplianceConfig; import org.opensearch.security.configuration.AdminDNs; import org.opensearch.security.configuration.CompatConfig; import org.opensearch.security.configuration.DlsFlsRequestValve; +import org.opensearch.security.http.XFFResolver; import org.opensearch.security.privileges.PrivilegesEvaluator; import org.opensearch.security.privileges.PrivilegesEvaluatorResponse; +import org.opensearch.security.resolver.IndexResolverReplacer; +import org.opensearch.security.support.*; +import org.opensearch.security.user.User; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -import org.opensearch.security.support.Base64Helper; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.support.HeaderHelper; -import org.opensearch.security.support.SourceFieldsContext; -import org.opensearch.security.user.User; +import java.util.Collections; +import java.util.Set; +import java.util.UUID; +import java.util.stream.Collectors; import static org.opensearch.security.OpenSearchSecurityPlugin.isActionTraceEnabled; import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction; 
@@ -111,12 +107,14 @@ public class SecurityFilter implements ActionFilter { private final ClusterService cs; private final CompatConfig compatConfig; private final IndexResolverReplacer indexResolverReplacer; + private final XFFResolver xffResolver; private final WildcardMatcher immutableIndicesMatcher; private final RolesInjector rolesInjector; + private final UserInjector userInjector; public SecurityFilter(final Settings settings, final PrivilegesEvaluator evalp, final AdminDNs adminDns, DlsFlsRequestValve dlsFlsValve, AuditLog auditLog, ThreadPool threadPool, ClusterService cs, - final CompatConfig compatConfig, final IndexResolverReplacer indexResolverReplacer) { + final CompatConfig compatConfig, final IndexResolverReplacer indexResolverReplacer, final XFFResolver xffResolver) { this.evalp = evalp; this.adminDns = adminDns; this.dlsFlsValve = dlsFlsValve; @@ -125,8 +123,10 @@ public SecurityFilter(final Settings settings, final PrivilegesEvaluator evalp, this.cs = cs; this.compatConfig = compatConfig; this.indexResolverReplacer = indexResolverReplacer; + this.xffResolver = xffResolver; this.immutableIndicesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList())); this.rolesInjector = new RolesInjector(auditLog); + this.userInjector = new UserInjector(settings, threadPool, auditLog, xffResolver); log.info("{} indices are made immutable.", immutableIndicesMatcher); } 
@@ -166,8 +166,16 @@ private void ap attachSourceFieldContext(request); } final Set injectedRoles = rolesInjector.injectUserAndRoles(request, action, task, threadContext); + boolean enforcePrivilegesEvaluation = false; User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - + if(user == null && (user = userInjector.getInjectedUser()) != null) { + threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); + // since there is no support for TransportClient auth/auth in 2.0 anymore, usually we + // can skip any checks on transport in case of trusted requests. + // However, if another plugin injected a user in the ThreadContext, we still need + // to perform privileges checks. + enforcePrivilegesEvaluation = true; + } final boolean userIsAdmin = isUserAdmin(user, adminDns); final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadContext); final boolean trustedClusterRequest = HeaderHelper.isTrustedClusterRequest(threadContext); @@ -249,6 +257,7 @@ private void ap if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadContext)) && (injectedRoles == null) + && !enforcePrivilegesEvaluation ) { chain.proceed(task, action, request, listener); diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java index e9e5940153..29eb923226 100644 --- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java +++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java 
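Review bot: Nothing in this patch tests the restored check. `enforcePrivilegesEvaluation` decides whether a LOCAL direct or inter-cluster request takes the early `chain.proceed(task, action, request, listener)` shortcut in the second hunk, yet the SecurityFilterTest hunks only add `mock(XFFResolver.class)` to the constructor calls. The description says this evaluation was already removed once by mistake, so a test that injects a user and asserts the shortcut is not taken would guard against a repeat. The flag is also set only when the `OPENDISTRO_SECURITY_USER` transient was empty; if a user already present is meant to be covered by `injectedRoles == null` alone, a comment next to the flag should say so. Separately, the assignment inside the condition, `(user = userInjector.getInjectedUser()) != null`, would read more clearly as a plain `if (user == null) { user = userInjector.getInjectedUser(); ... }`. The enclosing method extends outside both hunks.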
@@ -15,40 +15,34 @@
 package org.opensearch.security.filter;
+import com.google.common.collect.ImmutableSet;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.mockito.ArgumentCaptor;
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.action.ActionListener;
+import org.opensearch.action.ActionResponse;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auditlog.AuditLog;
-import org.opensearch.security.auth.BackendRegistry;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.CompatConfig;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
+import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
-import com.google.common.collect.ImmutableSet;
-
-import org.opensearch.action.ActionListener;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.client.Client;
-import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.xcontent.NamedXContentRegistry;
 import org.opensearch.threadpool.ThreadPool;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-import org.mockito.ArgumentCaptor;
 import java.util.Arrays;
 import java.util.Collection;
 import static org.junit.Assert.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.mockito.Mockito.*;
 @RunWith(Parameterized.class)
 public class SecurityFilterTest {
@@ -87,7 +81,8 @@ public void testImmutableIndicesWildcardMatcher() {
 mock(ThreadPool.class),
 mock(ClusterService.class),
 mock(CompatConfig.class),
- mock(IndexResolverReplacer.class)
+ mock(IndexResolverReplacer.class),
+ mock(XFFResolver.class)
 );
 assertEquals(expected, filter.getImmutableIndicesMatcher());
 }
@@ -109,7 +104,8 @@ public void testUnexepectedCausesAreNotSendToCallers() {
 new ThreadPool(Settings.builder().put("node.name", "mock").build()),
 mock(ClusterService.class),
 mock(CompatConfig.class),
- mock(IndexResolverReplacer.class)
+ mock(IndexResolverReplacer.class),
+ mock(XFFResolver.class)
 );
 // Act
From 3cebc7a1a749860e00946346c25eadbae0026aec Mon Sep 17 00:00:00 2001
From: Peter Nied
Date: Tue, 12 Apr 2022 16:22:03 +0000
Subject: [PATCH 5/6] Clean up import statement changes
Signed-off-by: Peter Nied
---
 .../security/OpenSearchSecurityPlugin.java | 111 ++++++++++++------
 .../security/auth/UserInjector.java | 13 +-
 .../security/filter/SecurityFilter.java | 33 ++++--
 .../security/filter/SecurityFilterTest.java | 30 +++--
 4 files changed, 117 insertions(+), 70 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 4ea9a1e82e..ba0d4ea25a 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -30,7 +30,45 @@
 package org.opensearch.security;
-import com.google.common.collect.Lists;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
+import java.security.AccessController;
+import java.security.MessageDigest;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.*;
+import java.util.function.Function;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+import java.util.function.UnaryOperator;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.opensearch.security.auditlog.NullAuditLog;
+import org.opensearch.security.auditlog.impl.AuditLogImpl;
+import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
+import org.opensearch.security.configuration.DlsFlsValveImpl;
+import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
+import org.opensearch.security.configuration.PrivilegesInterceptorImpl;
+import org.opensearch.security.configuration.Salt;
+import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
+import org.opensearch.security.filter.SecurityRestFilter;
+import org.opensearch.security.http.SecurityHttpServerTransport;
+import org.opensearch.security.rest.SecurityConfigUpdateAction;
+import org.opensearch.security.rest.SecurityWhoAmIAction;
+import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
+import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
+import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
+import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
+import org.opensearch.security.transport.SecurityInterceptor;
+import org.opensearch.security.setting.OpensearchDynamicSetting;
+import org.opensearch.security.setting.TransportPassiveAuthSetting;
+
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -54,8 +92,12 @@
 import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.network.NetworkModule;
 import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.*;
+import org.opensearch.common.settings.ClusterSettings;
+import org.opensearch.common.settings.IndexScopedSettings;
+import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Setting.Property;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.settings.SettingsFilter;
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.concurrent.ThreadContext;
@@ -89,63 +131,54 @@
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.AuditLog.Origin;
 import org.opensearch.security.auditlog.AuditLogSslExceptionHandler;
-import org.opensearch.security.auditlog.NullAuditLog;
-import org.opensearch.security.auditlog.impl.AuditLogImpl;
 import org.opensearch.security.auth.BackendRegistry;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
-import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
-import org.opensearch.security.configuration.*;
-import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
 import org.opensearch.security.filter.SecurityFilter;
-import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.http.SecurityHttpServerTransport;
 import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesInterceptor;
 import org.opensearch.security.resolver.IndexResolverReplacer;
-import org.opensearch.security.rest.*;
+import org.opensearch.security.rest.DashboardsInfoAction;
+import org.opensearch.security.rest.SecurityHealthAction;
+import org.opensearch.security.rest.SecurityInfoAction;
+import org.opensearch.security.rest.TenantInfoAction;
 import org.opensearch.security.securityconf.DynamicConfigFactory;
-import org.opensearch.security.setting.OpensearchDynamicSetting;
-import org.opensearch.security.setting.TransportPassiveAuthSetting;
-import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
-import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
-import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
-import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
-import org.opensearch.security.support.*;
 import org.opensearch.security.transport.DefaultInterClusterRequestEvaluator;
 import org.opensearch.security.transport.InterClusterRequestEvaluator;
-import org.opensearch.security.transport.SecurityInterceptor;
 import org.opensearch.security.user.User;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.*;
+import org.opensearch.transport.RemoteClusterService;
+import org.opensearch.transport.Transport;
 import org.opensearch.transport.Transport.Connection;
+import org.opensearch.transport.TransportChannel;
+import org.opensearch.transport.TransportInterceptor;
+import org.opensearch.transport.TransportRequest;
+import org.opensearch.transport.TransportRequestHandler;
+import org.opensearch.transport.TransportRequestOptions;
+import org.opensearch.transport.TransportResponse;
+import org.opensearch.transport.TransportResponseHandler;
+import org.opensearch.transport.TransportService;
 import org.opensearch.watcher.ResourceWatcherService;
-import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
-
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.LinkOption;
-import java.nio.file.Path;
-import java.nio.file.attribute.PosixFilePermission;
-import java.security.AccessController;
-import java.security.MessageDigest;
-import java.security.PrivilegedAction;
-import java.security.Security;
-import java.util.*;
-import java.util.function.Function;
-import java.util.function.Predicate;
-import java.util.function.Supplier;
-import java.util.function.UnaryOperator;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
+import org.opensearch.security.configuration.AdminDNs;
+import org.opensearch.security.configuration.ClusterInfoHolder;
+import org.opensearch.security.configuration.CompatConfig;
+import org.opensearch.security.configuration.ConfigurationRepository;
+import org.opensearch.security.configuration.DlsFlsRequestValve;
+import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.HeaderHelper;
+import org.opensearch.security.support.ModuleInfo;
+import org.opensearch.security.support.ReflectionHelper;
+import org.opensearch.security.support.WildcardMatcher;
+import org.opensearch.security.support.SecurityUtils;
+import org.opensearch.security.support.SecuritySettings;
+import com.google.common.collect.Lists;
 public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin {
diff --git a/src/main/java/org/opensearch/security/auth/UserInjector.java b/src/main/java/org/opensearch/security/auth/UserInjector.java
index 173a93c20e..d85ab610ea 100644
--- a/src/main/java/org/opensearch/security/auth/UserInjector.java
+++ b/src/main/java/org/opensearch/security/auth/UserInjector.java
@@ -30,7 +30,12 @@
 package org.opensearch.security.auth;
-import com.google.common.base.Strings;
+import java.io.ObjectStreamException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Arrays;
+import java.util.Map;
+
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 import org.opensearch.common.settings.Settings;
@@ -43,11 +48,7 @@
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
-import java.io.ObjectStreamException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.Arrays;
-import java.util.Map;
+import com.google.common.base.Strings;
 public class UserInjector {
diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
index 6ff39b70ef..2fa7935166 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
@@ -30,13 +30,23 @@
 package org.opensearch.security.filter;
-import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
+import java.util.Collections;
+import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.opensearch.security.auth.RolesInjector;
+import org.opensearch.security.resolver.IndexResolverReplacer;
+import org.opensearch.security.support.WildcardMatcher;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableSet;
-import org.opensearch.ExceptionsHelper;
+import org.opensearch.security.auth.BackendRegistry;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
+
 import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.ExceptionsHelper;
 import org.opensearch.ResourceAlreadyExistsException;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.ActionRequest;
@@ -62,36 +72,33 @@
 import org.opensearch.action.support.ActionFilter;
 import org.opensearch.action.support.ActionFilterChain;
 import org.opensearch.action.update.UpdateRequest;
+import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.logging.LoggerMessageFormat;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.util.concurrent.ThreadContext.StoredContext;
+import org.opensearch.common.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.DeleteByQueryRequest;
 import org.opensearch.index.reindex.UpdateByQueryRequest;
 import org.opensearch.rest.RestStatus;
 import org.opensearch.security.action.whoami.WhoAmIAction;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.AuditLog.Origin;
-import org.opensearch.security.auth.RolesInjector;
-import org.opensearch.security.auth.UserInjector;
 import org.opensearch.security.compliance.ComplianceConfig;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.CompatConfig;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
-import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
-import org.opensearch.security.resolver.IndexResolverReplacer;
-import org.opensearch.security.support.*;
-import org.opensearch.security.user.User;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
-import java.util.Collections;
-import java.util.Set;
-import java.util.UUID;
-import java.util.stream.Collectors;
+import org.opensearch.security.support.Base64Helper;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.HeaderHelper;
+import org.opensearch.security.support.SourceFieldsContext;
+import org.opensearch.security.user.User;
 import static org.opensearch.security.OpenSearchSecurityPlugin.isActionTraceEnabled;
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
index 29eb923226..101605b01b 100644
--- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
+++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
@@ -15,34 +15,40 @@
 package org.opensearch.security.filter;
-import com.google.common.collect.ImmutableSet;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
-import org.mockito.ArgumentCaptor;
 import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.action.ActionListener;
-import org.opensearch.action.ActionResponse;
-import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.auth.BackendRegistry;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.CompatConfig;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
-import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
+import com.google.common.collect.ImmutableSet;
+
+import org.opensearch.action.ActionListener;
+import org.opensearch.action.ActionResponse;
+import org.opensearch.client.Client;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.xcontent.NamedXContentRegistry;
 import org.opensearch.threadpool.ThreadPool;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.mockito.ArgumentCaptor;
 import java.util.Arrays;
 import java.util.Collection;
 import static org.junit.Assert.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.mockito.Mockito.*;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 @RunWith(Parameterized.class)
 public class SecurityFilterTest {
From ac78bd94b837def74c7919ba837c0039bedf1ce5 Mon Sep 17 00:00:00 2001
From: Peter Nied
Date: Tue, 12 Apr 2022 16:41:02 +0000
Subject: [PATCH 6/6] Readd dropped imports
Signed-off-by: Peter Nied
---
 .../java/org/opensearch/security/filter/SecurityFilter.java | 2 ++
 .../java/org/opensearch/security/filter/SecurityFilterTest.java | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
index 2fa7935166..7fee09b379 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
@@ -83,12 +83,14 @@
 import org.opensearch.index.reindex.UpdateByQueryRequest;
 import org.opensearch.rest.RestStatus;
 import org.opensearch.security.action.whoami.WhoAmIAction;
+import org.opensearch.security.auth.UserInjector;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.AuditLog.Origin;
 import org.opensearch.security.compliance.ComplianceConfig;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.CompatConfig;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
+import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesEvaluatorResponse;
 import org.opensearch.tasks.Task;
diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
index 101605b01b..3d002cde53 100644
--- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
+++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
@@ -17,10 +17,12 @@
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.auth.UserInjector;
 import org.opensearch.security.auth.BackendRegistry;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.CompatConfig;
 import org.opensearch.security.configuration.DlsFlsRequestValve;
+import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.support.ConfigConstants;
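Review bot: The added `import org.opensearch.security.auth.UserInjector;` has no use visible in the SecurityFilterTest hunks of this series, which only pass `mock(XFFResolver.class)` as the new constructor argument; if the test never references `UserInjector`, leave that line out. The same check applies to the `BackendRegistry` import shown here as context, which the previous patch restored although the first patch of the series removes `backendRegistry` from the `SecurityFilter` constructor call in the plugin. The new line also sits before `auth.BackendRegistry`, out of alphabetical order within the `org.opensearch.security.auth` group. The test class body is outside this hunk, so actual usage has to be confirmed against the full file.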