
Added Password Setup Tool #1686

Closed
928 changes: 928 additions & 0 deletions src/main/java/org/opensearch/security/tools/PasswordSetup.java


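--- a/src/test/java/org/opensearch/security/PasswordSetupTests.java
+++ b/src/test/java/org/opensearch/security/PasswordSetupTests.java
@@ -0,0 +1,90 @@
+package org.opensearch.security;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensearch.security.tools.PasswordSetup;
+import org.apache.http.HttpStatus;
+import org.opensearch.common.settings.Settings;
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.opensearch.security.test.SingleClusterTest;
+import org.opensearch.security.test.helper.file.FileHelper;
+import org.opensearch.security.test.helper.rest.RestHelper;
+
+public class PasswordSetupTests extends SingleClusterTest {
+@Test
+public void testPasswordSetup() throws Exception {
+final Settings settings = Settings.builder()
+.put("plugins.security.ssl.http.enabled",true)
+.put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+.put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+.build();
+setup(Settings.EMPTY, null, settings, false);
+
+final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/";
+
+List<String> argsAsList = new ArrayList<>();
+argsAsList.add("-ts");
+argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath());
+argsAsList.add("-ks");
+argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath());
+argsAsList.add("-p");
+argsAsList.add(String.valueOf(clusterInfo.httpPort));
+argsAsList.add("-cn");
+argsAsList.add(clusterInfo.clustername);
+argsAsList.add("-cd");
+argsAsList.add(new File("src/test/resources/password_setup/").getAbsolutePath());
+argsAsList.add("-nhnv");
+
+String userInput = "Admins#1\nKibanaServer@2\nKibanaro!3\nLogstash&4\nReadall%5\nSnapshotrestore$6";
+ByteArrayInputStream input = new ByteArrayInputStream(userInput.getBytes());
+System.setIn(input);
+
+int returnCode = PasswordSetup.execute(argsAsList.toArray(new String[0]));
+Assert.assertEquals(0, returnCode);
+
+System.setIn(System.in);
+
+RestHelper rh = restHelper();
+
+Assert.assertEquals(HttpStatus.SC_OK, (rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode());
+Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "Admins#1")).getStatusCode());
+Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("kibanaserver", "KibanaServer@2")).getStatusCode());
+}
+
+@Test
+public void testInvalidInput() throws Exception {
+final Settings settings = Settings.builder()
+.put("plugins.security.ssl.http.enabled",true)
+.put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+.put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+.build();
+setup(Settings.EMPTY, null, settings, false);
+
+final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/";
+
+List<String> argsAsList = new ArrayList<>();
+argsAsList.add("-ts");
+argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks").toFile().getAbsolutePath());
+argsAsList.add("-ks");
+argsAsList.add(FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks").toFile().getAbsolutePath());
+argsAsList.add("-p");
+argsAsList.add(String.valueOf(clusterInfo.httpPort));
+argsAsList.add("-cn");
+argsAsList.add(clusterInfo.clustername);
+argsAsList.add("-cd");
+argsAsList.add(new File("src/test/resources/password_setup/").getAbsolutePath());
+argsAsList.add("-nhnv");
+
+String userInput = "Admins#1";
+ByteArrayInputStream input = new ByteArrayInputStream(userInput.getBytes());
+System.setIn(input);
+
+int returnCode = PasswordSetup.execute(argsAsList.toArray(new String[0]));
+Assert.assertEquals(-1, returnCode);
+}
+}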
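Review bot: `System.setIn(System.in)` after the execute call in testPasswordSetup is a no-op, because `System.in` at that point already refers to the `ByteArrayInputStream` installed a few lines earlier, so the real stdin is never restored, and testInvalidInput never attempts to restore it at all. Capture it before the swap, `final InputStream originalIn = System.in;`, and restore it in a `finally` block, `System.setIn(originalIn);`, around `PasswordSetup.execute(...)` so a failing assertion does not leak the replaced stream into other tests in the same JVM. The password fixture is also encoded with `userInput.getBytes()`, i.e. the platform default charset; since the tool reads passwords from stdin, `userInput.getBytes(StandardCharsets.UTF_8)` would pin the encoding that non-ASCII passwords depend on instead of leaving it to the build host. The settings and argument-building code is duplicated verbatim between the two tests and could move to a private helper that takes only the stdin content.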
160 changes: 160 additions & 0 deletions src/test/resources/password_setup/action_groups.yml
@@ -0,0 +1,160 @@
---
_meta:
type: "actiongroups"
config_version: 2
OPENDISTRO_SECURITY_CLUSTER_ALL:
reserved: false
hidden: false
allowed_actions:
- "cluster:*"
type: "cluster"
description: "Migrated from v6"
ALL:
reserved: false
hidden: false
allowed_actions:
- "indices:*"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_CRUD:
reserved: false
hidden: false
allowed_actions:
- "OPENDISTRO_SECURITY_READ"
- "OPENDISTRO_SECURITY_WRITE"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_SEARCH:
reserved: false
hidden: false
allowed_actions:
- "indices:data/read/search*"
- "indices:data/read/msearch*"
- "OPENDISTRO_SECURITY_SUGGEST"
type: "index"
description: "Migrated from v6"
MONITOR:
reserved: false
hidden: false
allowed_actions:
- "indices:monitor/*"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_DATA_ACCESS:
reserved: false
hidden: false
allowed_actions:
- "indices:data/*"
- "indices:admin/mapping/put"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_CREATE_INDEX:
reserved: false
hidden: false
allowed_actions:
- "indices:admin/create"
- "indices:admin/mapping/put"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_WRITE:
reserved: false
hidden: false
allowed_actions:
- "indices:data/write*"
- "indices:admin/mapping/put"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_MANAGE_ALIASES:
reserved: false
hidden: false
allowed_actions:
- "indices:admin/aliases*"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_READ:
reserved: false
hidden: false
allowed_actions:
- "indices:data/read*"
- "indices:admin/resolve/index"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_DELETE:
reserved: false
hidden: false
allowed_actions:
- "indices:data/write/delete*"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS:
reserved: false
hidden: false
allowed_actions:
- "indices:data/write/bulk"
- "indices:admin/aliases*"
- "indices:data/write/reindex"
- "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
type: "cluster"
description: "Migrated from v6"
OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO:
reserved: false
hidden: false
allowed_actions:
- "indices:data/read/mget"
- "indices:data/read/msearch"
- "indices:data/read/mtv"
- "indices:data/read/coordinate-msearch*"
- "indices:admin/aliases/exists*"
- "indices:admin/aliases/get*"
type: "cluster"
description: "Migrated from v6"
OPENDISTRO_SECURITY_GET:
reserved: false
hidden: false
allowed_actions:
- "indices:data/read/get*"
- "indices:data/read/mget*"
- "indices:admin/resolve/index"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_MANAGE:
reserved: false
hidden: false
allowed_actions:
- "indices:monitor/*"
- "indices:admin/*"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_CLUSTER_MONITOR:
reserved: false
hidden: false
allowed_actions:
- "cluster:monitor/*"
type: "cluster"
description: "Migrated from v6"
OPENDISTRO_SECURITY_INDEX:
reserved: false
hidden: false
allowed_actions:
- "indices:data/write/index*"
- "indices:data/write/update*"
- "indices:admin/mapping/put"
type: "index"
description: "Migrated from v6"
OPENDISTRO_SECURITY_SUGGEST:
reserved: false
hidden: false
allowed_actions:
- "indices:data/read/suggest*"
type: "index"
description: "Migrated from v6"
DATASTREAM_ALL:
reserved: false
hidden: false
allowed_actions:
- "indices:admin/data_stream/get"
- "indices:admin/data_stream/create"
- "indices:admin/data_stream/delete"
- "indices:monitor/data_stream/stats"
type: "index"
description: "Migrated from v6"
46 changes: 46 additions & 0 deletions src/test/resources/password_setup/audit.yml
@@ -0,0 +1,46 @@
_meta:
type: "audit"
config_version: 2

config:
# enable/disable auditlog
enabled: true

audit:
# rest
enable_rest: false
disabled_rest_categories: []

# transport
enable_transport: false
disabled_transport_categories: []

# ignore
ignore_users:
- kibanaserver
ignore_requests: []

# verbose attributes
resolve_bulk_requests: false
log_request_body: false
resolve_indices: false
exclude_sensitive_headers: false

compliance:
# enable/disable compliance
enabled: true

# configs
internal_config: true
external_config: false

# compliance read
read_metadata_only: false
read_watched_fields: {}
read_ignore_users: []

# compliance write
write_metadata_only: false
write_log_diffs: false
write_watched_indices: []
write_ignore_users: []
96 changes: 96 additions & 0 deletions src/test/resources/password_setup/config.yml
@@ -0,0 +1,96 @@
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
filtered_alias_mode: "disallow"
disable_rest_auth: false
disable_intertransport_auth: false
respect_request_indices_options: false
kibana:
multitenancy_enabled: true
server_username: "kibanaserver"
index: ".kibana"
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
remoteIpHeader: "x-forwarded-for"


authc:
authentication_domain_kerb:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
challenge: true
type: "kerberos"
config: {}
authentication_backend:
type: "noop"
config: {}
description: "Migrated from v6"
authentication_domain_proxy:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
challenge: true
type: "proxy"
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: "noop"
config: {}
description: "Migrated from v6"
authentication_domain_clientcert:
http_enabled: false
transport_enabled: false
order: 1
http_authenticator:
challenge: true
type: "clientcert"
config: {}
authentication_backend:
type: "noop"
config: {}
description: "Migrated from v6"
authentication_domain_basic_internal:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
challenge: true
type: "basic"
config: {}
authentication_backend:
type: "intern"
config: {}
description: "Migrated from v6"
authz:
roles_from_xxx:
http_enabled: false
transport_enabled: false
authorization_backend:
type: "xxx"
config: {}
description: "Migrated from v6"
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
type: "ldap"
config:
rolesearch: "(uniqueMember={0})"
resolve_nested_roles: true
rolebase: "ou=groups,o=TEST"
rolename: "cn"
description: "Migrated from v6"
do_not_fail_on_forbidden: false
multi_rolespan_enabled: false
hosts_resolver_mode: "ip-only"
transport_userrname_attribute: null
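Review bot: The key `transport_userrname_attribute: null` on the last line of the hunk looks misspelled (`userrname`); if this fixture was copied from an existing test config the same spelling is presumably there and the config loader likely ignores or tolerates the unknown key, but that is worth confirming rather than propagating the typo into a new fixture. If it is intended to be the username attribute, the line should read `transport_username_attribute: null`.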