Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bwc ssl #3

Merged
merged 10 commits into from
Jul 27, 2023
4 changes: 2 additions & 2 deletions .github/actions/create-bwc-build/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ runs:
- name: Build
uses: gradle/gradle-build-action@v2
with:
arguments: assemble -Dbuild.snapshot=false
arguments: assemble
build-root-directory: ${{ inputs.plugin-branch }}

- id: get-opensearch-version
Expand All @@ -46,5 +46,5 @@ runs:
- name: Copy current distro into the expected folder
run: |
mkdir -p ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}-SNAPSHOT.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
shell: bash
13 changes: 13 additions & 0 deletions TRIAGING.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,19 @@ While we are always happy to help the community, the best resource for implement

There you can find answers to many common questions as well as speak with implementation experts.

### What are the issue labels associated with triaging?

Yes, there are several labels that are used to identify the 'state' of issues filed in OpenSearch and the Security Plugin.

| Label | When applied | Meaning |
| ----- | ------------ | ------- |
| Untriaged | When issues are created or re-opened. | Issues labeled as 'Untriaged' require the attention of the repository maintainers and may need to be prioritized for quicker resolution. It's crucial to keep the count of 'Untriaged' labels low to ensure all potential security issues are addressed in a timely manner. See [SECURITY.md](https://github.com/opensearch-project/security/blob/main/SECURITY.md) for more details on handling these issues. |
| Triaged | During triage meetings. | Issues labeled as 'Triaged' have been reviewed and are deemed actionable. Opening a pull request for an issue with the 'Triaged' label has a higher likelihood of approval from the project maintainers, particularly in novel areas. |
| Neither Label | During triage meetings. | This category is for issues that lack sufficient details to formulate a potential solution. Until more details are provided, it's difficult to ascertain if a proposed solution would be acceptable. When dealing with an 'Untriaged' issue that falls into this category, the triage team should provide further insights so the issue can be appropriately closed or labeled as 'Triaged'. Issues in this state are reviewed during every triage meeting. |
| Help Wanted | Anytime. | Issues marked as 'Help Wanted' signal that they are actionable and not the current focus of the project maintainers. Community contributions are especially encouraged for these issues. |
| Good First Issue | Anytime. | Issues labeled as 'Good First Issue' are small in scope and can be resolved with a single pull request. These are recommended starting points for newcomers looking to make their first contributions. |


### What if my issue is critical to OpenSearch operations, do I have to wait for the weekly meeting for it to be addressed?

All new issues for the [security](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3Auntriaged) repo and [security-dashboards](https://github.com/opensearch-project/security-dashboards-plugin/issues?q=is%3Aissue+is%3Aopen+-label%3Atriaged) repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.
Expand Down
10 changes: 5 additions & 5 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ plugins {
id 'maven-publish'
id 'com.diffplug.spotless' version '6.19.0'
id 'checkstyle'
id 'com.netflix.nebula.ospackage' version "11.1.0"
id 'com.netflix.nebula.ospackage' version "11.3.0"
id "org.gradle.test-retry" version "1.5.2"
id 'eclipse'
id "com.github.spotbugs" version "5.0.14"
Expand Down Expand Up @@ -525,12 +525,12 @@ dependencies {
runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
runtimeOnly 'commons-codec:commons-codec:1.16.0'
runtimeOnly 'org.cryptacular:cryptacular:1.2.4'
runtimeOnly 'com.google.errorprone:error_prone_annotations:2.3.4'
runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0'
runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0'
runtimeOnly 'org.ow2.asm:asm:9.1'

testImplementation 'org.apache.camel:camel-xmlsecurity:3.14.2'
testImplementation 'org.apache.camel:camel-xmlsecurity:3.21.0'

//OpenSAML
implementation 'net.shibboleth.utilities:java-support:8.4.0'
Expand All @@ -551,7 +551,7 @@ dependencies {
runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}"
implementation "org.opensaml:opensaml-storage-api:${open_saml_version}"

implementation "com.nulab-inc:zxcvbn:1.7.0"
implementation "com.nulab-inc:zxcvbn:1.8.0"

runtimeOnly 'com.google.guava:failureaccess:1.0.1'
runtimeOnly 'org.apache.commons:commons-text:1.10.0'
Expand All @@ -569,7 +569,7 @@ dependencies {
runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.2.5'
runtimeOnly 'org.apache.santuario:xmlsec:2.2.3'
runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
runtimeOnly 'org.checkerframework:checker-qual:3.5.0'
runtimeOnly 'org.checkerframework:checker-qual:3.36.0'
runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'

Expand Down
12 changes: 6 additions & 6 deletions bwc-test/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -67,9 +67,9 @@ repositories {
}

dependencies {
testImplementation 'com.google.guava:guava:30.0-jre'
testImplementation "com.google.guava:guava:${versions.guava}"
testImplementation "org.opensearch.test:framework:${opensearch_version}"
testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
}

loggerUsageCheck.enabled = false
Expand All @@ -84,8 +84,8 @@ String baseName = "securityBwcCluster"
String bwcFilePath = "src/test/resources/"
String projectVersion = nextVersion

String previousOpenSearch = extractVersion(previousVersion);
String nextOpenSearch = extractVersion(nextVersion);
String previousOpenSearch = extractVersion(previousVersion) + "-SNAPSHOT";
String nextOpenSearch = extractVersion(nextVersion) + "-SNAPSHOT";

println previousOpenSearch + nextOpenSearch;

Expand Down Expand Up @@ -125,7 +125,7 @@ def String extractVersion(versionStr) {
node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem"))
node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
node.setting("plugins.security.disabled", "true")
node.setting("plugins.security.disabled", "false")
node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
Expand All @@ -137,7 +137,7 @@ def String extractVersion(versionStr) {
node.setting("plugins.security.allow_unsafe_democertificates", "true")
node.setting("plugins.security.allow_default_init_securityindex", "true")
node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de")
node.setting("plugins.security.audit.type", "internal_elasticsearch")
node.setting("plugins.security.audit.type", "internal_opensearch")
node.setting("plugins.security.enable_snapshot_restore_privilege", "true")
node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]")
Expand Down
58 changes: 58 additions & 0 deletions bwc-test/src/test/java/ConfigConstants.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/

package org.opensearch.commons;

import org.opensearch.common.settings.SecureSetting;
import org.opensearch.common.settings.Setting;
import org.opensearch.core.common.settings.SecureString;

public class ConfigConstants {

public static final String HTTPS = "https";
public static final String HTTP = "http";
public static final String HOST_DEFAULT = "localhost";
public static final String HTTP_PORT = "http.port";
public static final int HTTP_PORT_DEFAULT = 9200;
public static final String CONTENT_TYPE = "content-type";
public static final String CONTENT_TYPE_DEFAULT = "application/json";
public static final String AUTHORIZATION = "Authorization";

// These reside in security plugin.
public static final String OPENSEARCH_SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "plugins.security.ssl.http.pemcert_filepath";
public static final String OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "plugins.security.ssl.http.keystore_filepath";
/**
* @deprecated in favor of the {@link #OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SETTING} secure setting
*/
@Deprecated
public static final String OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "plugins.security.ssl.http.keystore_password";

/**
* @deprecated in favor of the {@link #OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD_SETTING} secure setting
*/
@Deprecated
public static final String OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "plugins.security.ssl.http.keystore_keypassword";
private static final String SECURE_SUFFIX = "_secure";

private static Setting<SecureString> createFallbackInsecureSetting(String key) {
return new Setting<>(key, (settings) -> "", (strValue) -> new SecureString(strValue.toCharArray()));
}

public static final Setting<SecureString> OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD_SETTING = SecureSetting
.secureString(
OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD + SECURE_SUFFIX,
createFallbackInsecureSetting(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD)
);
public static final Setting<SecureString> OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD_SETTING = SecureSetting
.secureString(
OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD + SECURE_SUFFIX,
createFallbackInsecureSetting(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD)
);
public static final String OPENSEARCH_SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles";
public static final String INJECTED_USER = "injected_user";
public static final String OPENSEARCH_SECURITY_USE_INJECTED_USER_FOR_PLUGINS = "plugins.security_use_injected_user_for_plugins";
public static final String OPENSEARCH_SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled";
public static final String OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT = "_opendistro_security_user_info";
}
Loading
Loading