Merge branch 'main' into format-feature-extensions-apply

peternied · Jun 9, 2023 · efcadd4 · efcadd4
2 parents 1a09a87 + ceb5ad2
commit efcadd4
Show file tree

Hide file tree

Showing 60 changed files with 5,692 additions and 4,343 deletions.
diff --git a/build.gradle b/build.gradle
@@ -52,7 +52,7 @@ plugins {
     id 'idea'
     id 'jacoco'
     id 'maven-publish'
-    id 'com.diffplug.spotless' version '6.18.0'
+    id 'com.diffplug.spotless' version '6.19.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.1.0"
     id "org.gradle.test-retry" version "1.5.2"
@@ -342,6 +342,7 @@ configurations {
             force "io.netty:netty-transport:${versions.netty}"
             force "io.netty:netty-transport-native-unix-common:${versions.netty}"
             force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
+            force "com.github.luben:zstd-jni:${versions.zstd}"
         }
     }
 
@@ -387,7 +388,6 @@ task integrationTest(type: Test) {
 check.dependsOn integrationTest
 
 dependencies {
-    implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
     implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
     implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
     implementation "org.apache.httpcomponents.client5:httpclient5-cache:${versions.httpclient5}"
@@ -465,7 +465,7 @@ dependencies {
     runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.4.0'
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5'
     runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
-    runtimeOnly 'com.github.luben:zstd-jni:1.5.2-1'
+    runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
     runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
     runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
 

diff --git a/config/roles.yml b/config/roles.yml
@@ -205,6 +205,8 @@ index_management_full_access:
     - "cluster:admin/opendistro/ism/*"
     - "cluster:admin/opendistro/rollup/*"
     - "cluster:admin/opendistro/transform/*"
+    - "cluster:admin/opensearch/controlcenter/lron/*"
+    - "cluster:admin/opensearch/notifications/channels/get"
     - "cluster:admin/opensearch/notifications/feature/publish"
   index_permissions:
     - index_patterns:

diff --git a/gradle/formatting.gradle b/gradle/formatting.gradle
@@ -56,40 +56,40 @@ import org.opensearch.gradle.BuildPlugin
  */
 
 org.opensearch.gradle.BuildPlugin {
-    plugins.withType(BuildPlugin).whenPluginAdded {
-        project.apply plugin: "com.diffplug.spotless"
+	plugins.withType(BuildPlugin).whenPluginAdded {
+		project.apply plugin: "com.diffplug.spotless"
 
-        spotless {
-            java {
-                // Normally this isn't necessary, but we have Java sources in
-                // non-standard places
-                target '**/*.java'
+		spotless {
+			java {
+				// Normally this isn't necessary, but we have Java sources in
+				// non-standard places
+				target '**/*.java'
 
-                removeUnusedImports()
-                eclipse().configFile rootProject.file('buildSrc/formatterConfig.xml')
-                trimTrailingWhitespace()
-                endWithNewline()
+				removeUnusedImports()
+				eclipse().configFile rootProject.file('buildSrc/formatterConfig.xml')
+				trimTrailingWhitespace()
+				endWithNewline()
 
-                custom 'Refuse wildcard imports', {
-                    // Wildcard imports can't be resolved; fail the build
-                    if (it =~ /\s+import .*\*;/) {
-                        throw new AssertionError("Do not use wildcard imports.  'spotlessApply' cannot resolve this issue.")
-                    }
-                }
+				custom 'Refuse wildcard imports', {
+					// Wildcard imports can't be resolved; fail the build
+					if (it =~ /\s+import .*\*;/) {
+						throw new AssertionError("Do not use wildcard imports.  'spotlessApply' cannot resolve this issue.")
+					}
+				}
 
-                // See DEVELOPER_GUIDE.md for details of when to enable this.
-                if (System.getProperty('spotless.paddedcell') != null) {
-                    paddedCell()
-                }
-            }
-            format 'misc', {
-                target '*.md', '*.gradle', '**/*.yaml', '**/*.yml', '**/*.svg'
+				// See DEVELOPER_GUIDE.md for details of when to enable this.
+				if (System.getProperty('spotless.paddedcell') != null) {
+					paddedCell()
+				}
+			}
+			format 'misc', {
+				target '*.md', '*.gradle', '**/*.yaml', '**/*.yml', '**/*.svg'
 
-                trimTrailingWhitespace()
-                endWithNewline()
-            }
-        }
+				trimTrailingWhitespace()
+				endWithNewline()
+			}
+		}
 
-        precommit.dependsOn 'spotlessJavaCheck'
-    }
+		precommit.dependsOn 'spotlessJavaCheck'
+	}
 }
diff --git a/release-notes/opensearch-security.release-notes-2.8.0.0.md b/release-notes/opensearch-security.release-notes-2.8.0.0.md
@@ -0,0 +1,30 @@
+## 2023-06-06 Version 2.8.0.0
+
+Compatible with OpenSearch 2.8.0
+
+### Features
+
+* Identify extension Transport requests and permit handshake and extension registration actions ([#2599](https://github.com/opensearch-project/security/pull/2599))
+* Use ExtensionsManager.lookupExtensionSettingsById when verifying extension unique id ([#2749](https://github.com/opensearch-project/security/pull/2749))
+* Generate auth tokens for service accounts ([#2716](https://github.com/opensearch-project/security/pull/2716))
+* Security User Refactor ([#2594](https://github.com/opensearch-project/security/pull/2594))
+* Add score based password verification ([#2557](https://github.com/opensearch-project/security/pull/2557))
+* Usage of JWKS with JWT (w/o OpenID connect) ([#2808](https://github.com/opensearch-project/security/pull/2808))
+
+### Bug Fixes
+
+* `deserializeSafeFromHeader` uses `context.getHeader(headerName)` instead of `context.getHeaders()` ([#2768](https://github.com/opensearch-project/security/pull/2768))
+* Fix multitency config update ([#2758](https://github.com/opensearch-project/security/pull/2758))
+
+### Enhancements
+
+* Add default roles for SQL plugin: PPL and cross-cluster search ([#2729](https://github.com/opensearch-project/security/pull/2729))
+* Update security-analytics roles to add correlation engine apis ([#2732](https://github.com/opensearch-project/security/pull/2732))
+* Changes in role.yml for long-running operation notification feature in Index-Management repo ([#2789](https://github.com/opensearch-project/security/pull/2789))
+* Rest admin permissions ([#2411](https://github.com/opensearch-project/security/pull/2411))
+* Separate config option to enable restapi: permissions ([#2605](https://github.com/opensearch-project/security/pull/2605))
+
+### Maintenance
+
+* Update to Gradle 8.1.1 ([#2738](https://github.com/opensearch-project/security/pull/2738))
+* Upgrade spring-core from 5.3.26 to 5.3.27 ([#2717](https://github.com/opensearch-project/security/pull/2717))
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -55,9 +55,11 @@ public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator
     private final String jwtUrlParameter;
     private final String subjectKey;
     private final String rolesKey;
+    private final String requiredAudience;
+    private final String requiredIssuer;
 
     public static final int DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS = 30;
-    private final int clockSkewToleranceSeconds ;
+    private final int clockSkewToleranceSeconds;
 
     public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
         jwtUrlParameter = settings.get("jwt_url_parameter");
@@ -66,10 +68,12 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
         rolesKey = settings.get("roles_key");
         subjectKey = settings.get("subject_key");
         clockSkewToleranceSeconds = settings.getAsInt("jwt_clock_skew_tolerance_seconds", DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS);
+        requiredAudience = settings.get("required_audience");
+        requiredIssuer = settings.get("required_issuer");
 
         try {
             this.keyProvider = this.initKeyProvider(settings, configPath);
-            jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds );
+            jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds, requiredIssuer, requiredAudience);
 
         } catch (Exception e) {
             log.error("Error creating JWT authenticator. JWT authentication will not work", e);
@@ -79,8 +83,7 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
 
     @Override
     @SuppressWarnings("removal")
-    public AuthCredentials extractCredentials(RestRequest request, ThreadContext context)
-            throws OpenSearchSecurityException {
+    public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws OpenSearchSecurityException {
         final SecurityManager sm = System.getSecurityManager();
 
         if (sm != null) {
@@ -182,8 +185,11 @@ public String extractSubject(JwtClaims claims) {
             // warning
             if (!(subjectObject instanceof String)) {
                 log.warn(
-                        "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
-                        subjectKey, subjectObject, subjectObject.getClass());
+                    "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
+                    subjectKey,
+                    subjectObject,
+                    subjectObject.getClass()
+                );
                 subject = String.valueOf(subjectObject);
             } else {
                 subject = (String) subjectObject;
@@ -203,8 +209,9 @@ public String[] extractRoles(JwtClaims claims) {
 
         if (rolesObject == null) {
             log.warn(
-                    "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
-                    rolesKey);
+                "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
+                rolesKey
+            );
             return new String[0];
         }
 
@@ -214,8 +221,11 @@ public String[] extractRoles(JwtClaims claims) {
         // String but issue a warning
         if (!(rolesObject instanceof String) && !(rolesObject instanceof Collection<?>)) {
             log.warn(
-                    "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
-                    rolesKey, rolesObject, rolesObject.getClass());
+                "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
+                rolesKey,
+                rolesObject,
+                rolesObject.getClass()
+            );
         } else if (rolesObject instanceof Collection<?>) {
             roles = ((Collection<String>) rolesObject).toArray(new String[0]);
         }
@@ -233,4 +243,12 @@ public boolean reRequestAuthentication(RestChannel channel, AuthCredentials auth
         return true;
     }
 
+    public String getRequiredAudience() {
+        return requiredAudience;
+    }
+
+    public String getRequiredIssuer() {
+        return requiredIssuer;
+    }
+
 }