From cc577101240a65b5932ebaf9193f3a8968ecba64 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 19 Dec 2023 12:59:08 -0500
Subject: [PATCH 001/143] Add render search template as a cluster permission
 (#3689)

### Description

Companion PRs in core:

- https://github.com/opensearch-project/OpenSearch/pull/11170
- https://github.com/opensearch-project/OpenSearch/pull/11591

This PR adds render search template as a cluster perm so that its
separately permissioned from a SearchTemplateRequest which needs a set
of indices to authorize the request. The companion PR in core separates
the transport actions that handle search template request and render
search template request so that they can be authorized separately.

I am opening this in Draft until the core PR is merged because this PR
depends on the core PR.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Bug fix

### Issues Resolved

- https://github.com/opensearch-project/security/issues/3672

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../privileges/PrivilegesEvaluatorTest.java   | 37 ++++++++++++++++++-
 .../privileges/PrivilegesEvaluator.java       |  4 +-
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
index 2315c979ea..561b4a0742 100644
--- a/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
+++ b/src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
@@ -18,6 +18,7 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.script.mustache.MustacheModulePlugin;
+import org.opensearch.script.mustache.RenderSearchTemplateAction;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -49,15 +50,25 @@ public class PrivilegesEvaluatorTest {
         new Role("search_template_role").indexPermissions("read").on("services").clusterPermissions("cluster_composite_ops")
     );
 
+    protected final static TestSecurityConfig.User RENDER_SEARCH_TEMPLATE = new TestSecurityConfig.User("render_search_template_user")
+        .roles(
+            new Role("render_search_template_role").indexPermissions("read")
+                .on("services")
+                .clusterPermissions(RenderSearchTemplateAction.NAME)
+        );
+
     private String TEST_QUERY =
         "{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}";
 
     private String TEST_DOC = "{\"source\": {\"title\": \"Spirited Away\"}}";
 
+    private String TEST_RENDER_SEARCH_TEMPLATE_QUERY =
+        "{\"params\":{\"status\":[\"pending\",\"published\"]},\"source\":\"{\\\"query\\\": {\\\"terms\\\": {\\\"status\\\": [\\\"{{#status}}\\\",\\\"{{.}}\\\",\\\"{{/status}}\\\"]}}}\"}";
+
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
+        .users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE, RENDER_SEARCH_TEMPLATE, TestSecurityConfig.User.USER_ADMIN)
         .plugin(MustacheModulePlugin.class)
         .build();
 
@@ -118,4 +129,28 @@ public void testSearchTemplateRequestUnauthorizedAllIndices() {
             assertThat(searchOnAllIndicesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
         }
     }
+
+    @Test
+    public void testRenderSearchTemplateRequestFailure() {
+        try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
+            final String renderSearchTemplate = "_render/template";
+            final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
+                renderSearchTemplate,
+                TEST_RENDER_SEARCH_TEMPLATE_QUERY
+            );
+            assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+        }
+    }
+
+    @Test
+    public void testRenderSearchTemplateRequestSuccess() {
+        try (TestRestClient client = cluster.getRestClient(RENDER_SEARCH_TEMPLATE)) {
+            final String renderSearchTemplate = "_render/template";
+            final TestRestClient.HttpResponse renderSearchTemplateResponse = client.postJson(
+                renderSearchTemplate,
+                TEST_RENDER_SEARCH_TEMPLATE_QUERY
+            );
+            assertThat(renderSearchTemplateResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 1d09932131..0f8d132e3e 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -81,6 +81,7 @@
 import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.ReindexAction;
+import org.opensearch.script.mustache.RenderSearchTemplateAction;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.configuration.ConfigurationRepository;
@@ -696,8 +697,7 @@ public static boolean isClusterPerm(String action0) {
             || (action0.startsWith(MultiSearchAction.NAME))
             || (action0.equals(MultiTermVectorsAction.NAME))
             || (action0.equals(ReindexAction.NAME))
-
-        );
+            || (action0.equals(RenderSearchTemplateAction.NAME)));
     }
 
     @SuppressWarnings("unchecked")

From 7f1febfbe5e0c979e069660997984f96fac347db Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Fri, 22 Dec 2023 08:36:39 -0600
Subject: [PATCH 002/143] Revert "Bump actions/download-artifact from 3 to 4"
 (#3892)

Reverts opensearch-project/security#3860
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49995947cf..51268baed4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -74,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
         with:
           path: downloaded-artifacts
 

From 83723432cca6e78d23e034b5149ff72d5907fde3 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 22 Dec 2023 13:14:14 -0500
Subject: [PATCH 003/143] Fix the CI / report-coverage check by switching to
 corresponding actions/upload-artifact@v4 (#3893)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/ci.yml | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51268baed4..0f64a0408b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,7 +60,7 @@ jobs:
         arguments: |
           ${{ matrix.gradle_task }} -Dbuild.snapshot=false
 
-    - uses: alehechka/upload-tartifact@v2
+    - uses: actions/upload-artifact@v4
       if: always()
       with:
         name: ${{ matrix.platform }}-JDK${{ matrix.jdk }}-${{ matrix.gradle_task }}-reports
@@ -68,13 +68,11 @@ jobs:
           ./build/reports/
 
   report-coverage:
-    needs:
-      - "test"
-      - "integration-tests"
+    needs: ["test", "integration-tests"]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           path: downloaded-artifacts
 
@@ -82,17 +80,6 @@ jobs:
         run: ls -R
         working-directory: downloaded-artifacts
 
-      - name: Extract downloaded artifacts
-        run: |
-          for archive in ./*/artifact.tar; do
-            (cd "$(dirname "$archive")" && tar -xvf artifact.tar)
-          done
-        working-directory: downloaded-artifacts
-
-      - name: Display structure of downloaded files
-        run: ls -R
-        working-directory: downloaded-artifacts
-
       - name: Upload Coverage with retry
         uses: Wandalen/wretry.action@v1.3.0
         with:

From 3c566a42a1676acfe391886df7ecfe8de3e4349f Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Fri, 22 Dec 2023 13:46:45 -0600
Subject: [PATCH 004/143] Add deprecation check for `jwt_header` setting
 (#3887)

### Description
Add deprecation check for `jwt_header` setting

### Issues Resolved
- Related https://github.com/opensearch-project/security/issues/3886

### Check List
- [ ] ~New functionality includes testing~
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java | 9 +++++++++
 .../amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java  | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
index 8c6af4279b..ea0a6378d7 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -28,6 +28,7 @@
 
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
+import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.Strings;
@@ -48,6 +49,7 @@
 
 public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator {
     private final static Logger log = LogManager.getLogger(AbstractHTTPJwtAuthenticator.class);
+    private final static DeprecationLogger deprecationLog = DeprecationLogger.getLogger(AbstractHTTPJwtAuthenticator.class);
 
     private static final String BEARER = "bearer ";
     private static final Pattern BASIC = Pattern.compile("^\\s*Basic\\s.*", Pattern.CASE_INSENSITIVE);
@@ -75,6 +77,13 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
         requiredAudience = settings.get("required_audience");
         requiredIssuer = settings.get("required_issuer");
 
+        if (!jwtHeaderName.equals(AUTHORIZATION)) {
+            deprecationLog.deprecate(
+                "jwt_header",
+                "The 'jwt_header' setting will be removed in the next major version of OpenSearch.  Consult https://github.com/opensearch-project/security/issues/3886 for more details."
+            );
+        }
+
         try {
             this.keyProvider = this.initKeyProvider(settings, configPath);
             jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds, requiredIssuer, requiredAudience);
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
index c5c3e0ddc5..9bf22bf7f3 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
@@ -26,6 +26,7 @@
 
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
+import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.auth.HTTPAuthenticator;
@@ -44,6 +45,7 @@
 public class HTTPJwtAuthenticator implements HTTPAuthenticator {
 
     protected final Logger log = LogManager.getLogger(this.getClass());
+    protected final DeprecationLogger deprecationLog = DeprecationLogger.getLogger(this.getClass());
 
     private static final Pattern BASIC = Pattern.compile("^\\s*Basic\\s.*", Pattern.CASE_INSENSITIVE);
     private static final String BEARER = "bearer ";
@@ -69,6 +71,13 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
         requireAudience = settings.get("required_audience");
         requireIssuer = settings.get("required_issuer");
 
+        if (!jwtHeaderName.equals(AUTHORIZATION)) {
+            deprecationLog.deprecate(
+                "jwt_header",
+                "The 'jwt_header' setting will be removed in the next major version of OpenSearch.  Consult https://github.com/opensearch-project/security/issues/3886 for more details."
+            );
+        }
+
         final JwtParserBuilder jwtParserBuilder = KeyUtils.createJwtParserBuilderFromSigningKey(signingKey, log);
         if (jwtParserBuilder == null) {
             jwtParser = null;

From e8b215d10c62785cf65dd950385378e963332314 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Dec 2023 09:52:53 -0500
Subject: [PATCH 005/143] Bump io.dropwizard.metrics:metrics-core from 4.2.22
 to 4.2.23 (#3899)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[io.dropwizard.metrics:metrics-core](https://github.com/dropwizard/metrics)
from 4.2.22 to 4.2.23.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dropwizard/metrics/releases">io.dropwizard.metrics:metrics-core's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.23</h2>
<h2>What's Changed</h2>
<ul>
<li>Update dependency org.apache.maven.plugins:maven-surefire-plugin to
v3.2.2 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3713">dropwizard/metrics#3713</a></li>
<li>Update dependency org.apache.maven.plugins:maven-javadoc-plugin to
v3.6.2 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3712">dropwizard/metrics#3712</a></li>
<li>Update github/codeql-action digest to 689fdc5 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3726">dropwizard/metrics#3726</a></li>
<li>Update github/codeql-action digest to 66b90a5 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3732">dropwizard/metrics#3732</a></li>
<li>Update dependency net.bytebuddy:byte-buddy to v1.14.10
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3739">dropwizard/metrics#3739</a></li>
<li>Update log4j2.version to v2.22.0 (release/4.2.x) (minor) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3740">dropwizard/metrics#3740</a></li>
<li>Update dependency
org.apache.maven.plugins:maven-project-info-reports-plugin to v3.5.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3744">dropwizard/metrics#3744</a></li>
<li>Update dependency org.apache.commons:commons-lang3 to v3.14.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3743">dropwizard/metrics#3743</a></li>
<li>Update dependency org.apache.httpcomponents.client5:httpclient5 to
v5.2.2 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3745">dropwizard/metrics#3745</a></li>
<li>Update github/codeql-action digest to 407ffaf (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3749">dropwizard/metrics#3749</a></li>
<li>Update dependency org.codehaus.mojo:build-helper-maven-plugin to
v3.5.0 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3753">dropwizard/metrics#3753</a></li>
<li>Update dependency org.apache.httpcomponents.core5:httpcore5 to
v5.2.4 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3758">dropwizard/metrics#3758</a></li>
<li>Update logback14.version to v1.4.12 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3760">dropwizard/metrics#3760</a></li>
<li>Update logback13.version to v1.3.12 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3759">dropwizard/metrics#3759</a></li>
<li>Update logback13.version to v1.3.13 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3767">dropwizard/metrics#3767</a></li>
<li>Update logback14.version to v1.4.13 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3768">dropwizard/metrics#3768</a></li>
<li>Update dependency org.jdbi:jdbi3-core to v3.42.0 (release/4.2.x) by
<a href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3770">dropwizard/metrics#3770</a></li>
<li>Update actions/setup-java action to v4 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3773">dropwizard/metrics#3773</a></li>
<li>Update dependency maven to v3.9.6 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3774">dropwizard/metrics#3774</a></li>
<li>Update dependency org.apache.httpcomponents.client5:httpclient5 to
v5.2.3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3775">dropwizard/metrics#3775</a></li>
<li>Update dependency org.apache.maven.plugins:maven-javadoc-plugin to
v3.6.3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3776">dropwizard/metrics#3776</a></li>
<li>Update dependency org.glassfish.jersey:jersey-bom to v3.1.4
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3777">dropwizard/metrics#3777</a></li>
<li>Update logback.version to v1.2.13 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3779">dropwizard/metrics#3779</a></li>
<li>Update logback13.version to v1.3.14 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3780">dropwizard/metrics#3780</a></li>
<li>Update jetty12.version to v12.0.4 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3778">dropwizard/metrics#3778</a></li>
<li>Update logback14.version to v1.4.14 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3781">dropwizard/metrics#3781</a></li>
<li>Update dependency org.checkerframework:checker-qual to v3.41.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3782">dropwizard/metrics#3782</a></li>
<li>Update dependency org.mockito:mockito-core to v5.8.0 (release/4.2.x)
by <a href="https://github.com/renovate"><code>@​renovate</code></a> in
<a
href="https://redirect.github.com/dropwizard/metrics/pull/3784">dropwizard/metrics#3784</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/dropwizard/metrics/compare/v4.2.22...v4.2.23">https://github.com/dropwizard/metrics/compare/v4.2.22...v4.2.23</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/dropwizard/metrics/commit/46cf51d8408a4a2d81aa84767d4f53b5257c4988"><code>46cf51d</code></a>
[maven-release-plugin] prepare release v4.2.23</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/dde28a09a0faa9443b3e5f2357243ed28d965579"><code>dde28a0</code></a>
Update dependency org.mockito:mockito-core to v5.8.0 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3784">#3784</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/03a15438682e1550df98a0f9c0ecb1e1f80fbe34"><code>03a1543</code></a>
Update dependency org.checkerframework:checker-qual to v3.41.0 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3782">#3782</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/dae4a8cf30683968cee4c2cc61c6e9ac1346d50a"><code>dae4a8c</code></a>
Update logback14.version to v1.4.14 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3781">#3781</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/38c43398b4c60d7b8d555676dc45840518412f2d"><code>38c4339</code></a>
Update jetty12.version to v12.0.4 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3778">#3778</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/4c90ccdf3a4928837eba14c1b45db8fb53d12907"><code>4c90ccd</code></a>
Update logback13.version to v1.3.14 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3780">#3780</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/6217e67579f80eb17da62100e63e5e48021af741"><code>6217e67</code></a>
Update logback.version to v1.2.13</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/da71539d0956a36f3ccde7cc05c2e891e4dc76c9"><code>da71539</code></a>
Update dependency org.glassfish.jersey:jersey-bom to v3.1.4</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/eb8e31d655aa450cd3152f5eac2e02b9df53948d"><code>eb8e31d</code></a>
Update dependency org.apache.maven.plugins:maven-javadoc-plugin to
v3.6.3</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/40f1fadf77e11c76943de718777351a06c4224f2"><code>40f1fad</code></a>
Update dependency org.apache.httpcomponents.client5:httpclient5 to
v5.2.3</li>
<li>Additional commits viewable in <a
href="https://github.com/dropwizard/metrics/compare/v4.2.22...v4.2.23">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=io.dropwizard.metrics:metrics-core&package-manager=gradle&previous-version=4.2.22&new-version=4.2.23)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 84e6eb19f0..8717b5a508 100644
--- a/build.gradle
+++ b/build.gradle
@@ -643,7 +643,7 @@ dependencies {
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
-    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.22'
+    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.23'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'

From c134ddf75d12659c9da95d442b874a27508caede Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Dec 2023 09:53:17 -0500
Subject: [PATCH 006/143] Bump com.google.googlejavaformat:google-java-format
 from 1.18.1 to 1.19.1 (#3898)

Bumps
[com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format)
from 1.18.1 to 1.19.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/google-java-format/releases">com.google.googlejavaformat:google-java-format's
releases</a>.</em></p>
<blockquote>
<h2>v1.19.1</h2>
<h2>Changes</h2>
<ul>
<li>Fix support for Java 21 features by enabling JDK 21 for release
builds (<a
href="https://redirect.github.com/google/google-java-format/issues/1014">#1014</a>).</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google/google-java-format/compare/v1.19.0...v1.19.1">https://github.com/google/google-java-format/compare/v1.19.0...v1.19.1</a></p>
<h2>v1.19.0</h2>
<h2>Changes</h2>
<p>This release adds initial support for more Java 21 features,
including:</p>
<ul>
<li>String templates (<a
href="https://redirect.github.com/google/google-java-format/issues/981">#981</a>)</li>
<li>Unnamed variables (<a
href="https://redirect.github.com/google/google-java-format/issues/978">#978</a>)</li>
<li>Pattern matching and guard clauses in switch expressions (<a
href="https://redirect.github.com/google/google-java-format/issues/937">#937</a>,
<a
href="https://redirect.github.com/google/google-java-format/issues/880">#880</a>,
<a
href="https://redirect.github.com/google/google-java-format/issues/983">#983</a>,
<a
href="https://redirect.github.com/google/google-java-format/issues/988">#988</a>)</li>
</ul>
<p>Other changes:</p>
<ul>
<li>Handle type annotations on method reference qualifiers
(53390d99b56edae23cfab5adcafd7df28d9984c8)</li>
<li>Avoid reflowing text blocks (<a
href="https://redirect.github.com/google/google-java-format/issues/976">#976</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google/google-java-format/compare/v1.18.1...v1.19.0">https://github.com/google/google-java-format/compare/v1.18.1...v1.19.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/google-java-format/commit/8cafdb3772130ba92028b644bbe57dabec4ec839"><code>8cafdb3</code></a>
Release google-java-format 1.19.1</li>
<li><a
href="https://github.com/google/google-java-format/commit/8afdfcad56c41637fe946c80764355d6788099ba"><code>8afdfca</code></a>
chore: bump checkout/setup-java to v4 (use nodejs20 runtime)</li>
<li><a
href="https://github.com/google/google-java-format/commit/627c97e63c563ae04eca9aa1baeca99eac6c365a"><code>627c97e</code></a>
chore: fix <code>SyntaxWarning: invalid escape sequence +</code> for
py3.12</li>
<li><a
href="https://github.com/google/google-java-format/commit/0e7cc6ff3763621f3dd9d28fbac74b857bb73c19"><code>0e7cc6f</code></a>
Upgrade jdk used by release action to 21</li>
<li><a
href="https://github.com/google/google-java-format/commit/b5feefe4ab4dbdbba393d769eb1815f26896104b"><code>b5feefe</code></a>
Initial support for string templates</li>
<li><a
href="https://github.com/google/google-java-format/commit/dc8b461b8599df1f043d6a1efaadfc44dfa6b823"><code>dc8b461</code></a>
Make g-j-f native image more compatible</li>
<li><a
href="https://github.com/google/google-java-format/commit/b92435acb86e549300bf74bb75ff674db70682e7"><code>b92435a</code></a>
Support unnamed variables</li>
<li><a
href="https://github.com/google/google-java-format/commit/430ba3b0e237b746157a3392663da4b4bb7c733d"><code>430ba3b</code></a>
Initial support for pattern matching in switches</li>
<li><a
href="https://github.com/google/google-java-format/commit/b86c508be5f42e7ed0d55cd1abe2c04d2db66676"><code>b86c508</code></a>
Add support for guard clauses in Java 21 switch expressions</li>
<li><a
href="https://github.com/google/google-java-format/commit/ad771541474eebceb2c6666cb61d4836bf6d8560"><code>ad77154</code></a>
Bump Guava to 32.1.3</li>
<li>Additional commits viewable in <a
href="https://github.com/google/google-java-format/compare/v1.18.1...v1.19.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.googlejavaformat:google-java-format&package-manager=gradle&previous-version=1.18.1&new-version=1.19.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 8717b5a508..b52cd26d59 100644
--- a/build.gradle
+++ b/build.gradle
@@ -740,7 +740,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.18.1') {
+    implementation('com.google.googlejavaformat:google-java-format:1.19.1') {
         exclude group: 'com.google.guava'
     }
 }

From 7734fde172aa7e514866fba2532bee4acf5389d3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 26 Dec 2023 09:53:54 -0500
Subject: [PATCH 007/143] Bump com.google.errorprone:error_prone_annotations
 from 2.23.0 to 2.24.0 (#3897)

Bumps
[com.google.errorprone:error_prone_annotations](https://github.com/google/error-prone)
from 2.23.0 to 2.24.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/error-prone/releases">com.google.errorprone:error_prone_annotations's
releases</a>.</em></p>
<blockquote>
<h2>Error Prone 2.24.0</h2>
<p>New checks:</p>
<ul>
<li><a
href="https://errorprone.info/bugpattern/MultipleNullnessAnnotations"><code>MultipleNullnessAnnotations</code></a>:
Discourage multiple nullness annotations</li>
<li><a
href="https://errorprone.info/bugpattern/NullableTypeParameter"><code>NullableTypeParameter</code></a>:
Discourage nullness annotations on type parameters</li>
<li><a
href="https://errorprone.info/bugpattern/NullableWildcard"><code>NullableWildcard</code></a>:
Discourage nullness annotations on wildcards</li>
<li><a
href="https://errorprone.info/bugpattern/SuperCallToObjectMethod"><code>SuperCallToObjectMethod</code></a>:
Generalization of <code>SuperEqualsIsObjectEquals</code>, now covers
<code>hashCode</code></li>
</ul>
<p>Full Changelog: <a
href="https://github.com/google/error-prone/compare/v2.23.0...v2.24.0">https://github.com/google/error-prone/compare/v2.23.0...v2.24.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/error-prone/commit/2cc850485e861ab415a75223bb722284de39fd8c"><code>2cc8504</code></a>
Release Error Prone 2.24.0</li>
<li><a
href="https://github.com/google/error-prone/commit/21c190a6fc76f3ad3c895639dc66b7a3f570c55d"><code>21c190a</code></a>
Document that javadoc shouldn't appear between annotations and the
documented...</li>
<li><a
href="https://github.com/google/error-prone/commit/d272dfa8da5f6ed09bb97acc153f9a7169185ab7"><code>d272dfa</code></a>
Automated rollback of commit
654d1dbf1e6dd652cd6e8ca003643ddf02266ec2.</li>
<li><a
href="https://github.com/google/error-prone/commit/654d1dbf1e6dd652cd6e8ca003643ddf02266ec2"><code>654d1db</code></a>
Handle Joiner.on(...) in AbstractToString.</li>
<li><a
href="https://github.com/google/error-prone/commit/da7be27b3c4a9f7d232072fdf3dc95e553156b6d"><code>da7be27</code></a>
Descend into VariableTrees when looking for variables to check.</li>
<li><a
href="https://github.com/google/error-prone/commit/affa37ac76a9bd726e46ad6108a707436fdfeded"><code>affa37a</code></a>
Do not flag unused parameters on <em>abstract</em> methods.</li>
<li><a
href="https://github.com/google/error-prone/commit/d78dd6d355db050d1420b2b88068566f515cfd1e"><code>d78dd6d</code></a>
Don't report NonFinalStaticField findings for fields modified in
`@BeforeClas...</li>
<li><a
href="https://github.com/google/error-prone/commit/aadfdc3094310639c5e2b5ebe0119dc672910f84"><code>aadfdc3</code></a>
WellKnownThreadSafety: Add common PKIX types to known thread-safe
list.</li>
<li><a
href="https://github.com/google/error-prone/commit/ac52ca90fe3b84ed64026cdda243fb0c44afecbd"><code>ac52ca9</code></a>
AutoValueFinalMethods: support method-level suppression.</li>
<li><a
href="https://github.com/google/error-prone/commit/336323ab42c947ed71e395ba4c85956d36db3a0a"><code>336323a</code></a>
Import eisop/checker-framework from GitHub.</li>
<li>Additional commits viewable in <a
href="https://github.com/google/error-prone/compare/v2.23.0...v2.24.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.errorprone:error_prone_annotations&package-manager=gradle&previous-version=2.23.0&new-version=2.24.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index b52cd26d59..7e2fb5ef26 100644
--- a/build.gradle
+++ b/build.gradle
@@ -499,7 +499,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.23.0"
+            force "com.google.errorprone:error_prone_annotations:2.24.0"
             force "org.checkerframework:checker-qual:3.42.0"
             force "ch.qos.logback:logback-classic:1.2.13"
         }
@@ -609,7 +609,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.23.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.24.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
     runtimeOnly 'org.ow2.asm:asm:9.6'

From 26e62d5b77300695e3bd94352a5e297e28828b15 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:50:52 +0100
Subject: [PATCH 008/143] Bump org.apache.camel:camel-xmlsecurity from 3.21.3
 to 3.22.0 (#3904)

Bumps org.apache.camel:camel-xmlsecurity from 3.21.3 to 3.22.0.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.camel:camel-xmlsecurity&package-manager=gradle&previous-version=3.21.3&new-version=3.22.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 7e2fb5ef26..4fb2d50ab5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -614,7 +614,7 @@ dependencies {
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
     runtimeOnly 'org.ow2.asm:asm:9.6'
 
-    testImplementation 'org.apache.camel:camel-xmlsecurity:3.21.3'
+    testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.0'
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.0'

From 31f1625742792b7033fa8a24781b95695ef2e1a2 Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Wed, 3 Jan 2024 14:10:22 -0600
Subject: [PATCH 009/143] Switched to more reliable OpenSearch Lucene snapshot
 location (#3912)

### Description
Switched to more reliable OpenSearch Lucene snapshot location

### Issues Resolved
- Resolves https://github.com/opensearch-project/security/issues/3597

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Peter Nied <petern@amazon.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 4fb2d50ab5..3a368bc8a7 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,7 +47,7 @@ buildscript {
         mavenCentral()
         maven { url "https://plugins.gradle.org/m2/" }
         maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" }
-        maven { url "https://d1nvenhzbhpy0q.cloudfront.net/snapshots/lucene/" }
+        maven { url "https://artifacts.opensearch.org/snapshots/lucene/" }
         maven { url "https://build.shibboleth.net/nexus/content/groups/public" }
         maven { url "https://build.shibboleth.net/nexus/content/repositories/releases" }
     }
@@ -451,7 +451,7 @@ repositories {
     mavenCentral()
     maven { url "https://plugins.gradle.org/m2/" }
     maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" }
-    maven { url "https://d1nvenhzbhpy0q.cloudfront.net/snapshots/lucene/" }
+    maven { url "https://artifacts.opensearch.org/snapshots/lucene/" }
     maven { url "https://build.shibboleth.net/nexus/content/repositories/releases" }
 }
 

From f216743b16f0f7cbc7007bba5dde39a39072e3b4 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 4 Jan 2024 04:46:59 -0500
Subject: [PATCH 010/143] Re-enable disabled PIT integration tests (#3871)

### Description

Re-enables 2 PIT integration tests that were previously disabled. This
adds a @Before method to clean up all PITs created from previous test
cases to ensure each test case runs pristinely.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Test fix

### Issues Resolved

- https://github.com/opensearch-project/security/issues/3424

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration
testing and manual testing]

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../security/PointInTimeOperationTest.java    | 31 +++++--------------
 1 file changed, 8 insertions(+), 23 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/PointInTimeOperationTest.java b/src/integrationTest/java/org/opensearch/security/PointInTimeOperationTest.java
index ce934a8e16..8d900639c2 100644
--- a/src/integrationTest/java/org/opensearch/security/PointInTimeOperationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/PointInTimeOperationTest.java
@@ -14,13 +14,12 @@
 import com.carrotsearch.randomizedtesting.RandomizedRunner;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.apache.commons.lang3.tuple.Pair;
+import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.admin.indices.alias.IndicesAliasesRequest;
 import org.opensearch.action.index.IndexRequest;
 import org.opensearch.action.search.CreatePitRequest;
@@ -33,7 +32,6 @@
 import org.opensearch.client.Client;
 import org.opensearch.client.RestHighLevelClient;
 import org.opensearch.common.unit.TimeValue;
-import org.opensearch.core.rest.RestStatus;
 import org.opensearch.search.builder.PointInTimeBuilder;
 import org.opensearch.search.builder.SearchSourceBuilder;
 import org.opensearch.test.framework.TestSecurityConfig;
@@ -133,6 +131,13 @@ public static void createTestData() {
         }
     }
 
+    @Before
+    public void cleanUpPits() throws IOException {
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
+            restHighLevelClient.deleteAllPits(DEFAULT);
+        }
+    }
+
     @ClassRule
     public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .anonymousAuth(false)
@@ -180,11 +185,9 @@ public void createPitWithIndexAlias_negative() throws IOException {
         }
     }
 
-    @Ignore("Pretty sure cleanUpPits is returning before all of the PITs have actually been deleted")
     @Test
     public void listAllPits_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(POINT_IN_TIME_USER)) {
-            cleanUpPits();
             String firstIndexPit = createPitForIndices(FIRST_SONG_INDEX);
             String secondIndexPit = createPitForIndices(SECOND_SONG_INDEX);
 
@@ -247,11 +250,9 @@ public void deletePitCreatedWithIndexAlias_negative() throws IOException {
         }
     }
 
-    @Ignore("Pretty sure cleanUpPits is returning before all of the PITs have actually been deleted")
     @Test
     public void deleteAllPits_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(POINT_IN_TIME_USER)) {
-            cleanUpPits();
             String firstIndexPit = createPitForIndices(FIRST_SONG_INDEX);
             String secondIndexPit = createPitForIndices(SECOND_SONG_INDEX);
 
@@ -410,20 +411,4 @@ private String createPitForIndices(String... indices) throws IOException {
         }
     }
 
-    /**
-    * Deletes all PITs.
-    */
-    public void cleanUpPits() throws IOException {
-        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
-            try {
-                restHighLevelClient.deleteAllPits(DEFAULT);
-            } catch (OpenSearchStatusException ex) {
-                if (ex.status() != RestStatus.NOT_FOUND) {
-                    throw ex;
-                }
-                // tried to remove pits but no pit exists
-            }
-        }
-    }
-
 }

From 21c086c02c6aafb2f71d74595a3b5095c7054706 Mon Sep 17 00:00:00 2001
From: Derek Ho <dxho@amazon.com>
Date: Thu, 4 Jan 2024 15:32:02 -0500
Subject: [PATCH 011/143] Improve messaging on how to set initial admin
 password (#3879)

### Description
When the demo configuration script fails when no initial admin password
is set, it does not provide helpful output telling the user how to set
the initial admin password. This PR provides some helpful output
indicating what variable the user should modify in order for the setup
to succeed.

### Issues Resolved
[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
Changed test asserting output

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Derek Ho <dxho@amazon.com>
---
 .../tools/democonfig/SecuritySettingsConfigurer.java       | 7 ++++++-
 .../tools/democonfig/SecuritySettingsConfigurerTests.java  | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index 116373a38f..9c51fbe1d4 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -149,7 +149,12 @@ void updateAdminPassword() {
 
             // if ADMIN_PASSWORD is still an empty string, it implies no custom password was provided. We exit the setup.
             if (Strings.isNullOrEmpty(ADMIN_PASSWORD)) {
-                System.out.println("No custom admin password found. Please provide a password.");
+                System.out.println(
+                    String.format(
+                        "No custom admin password found. Please provide a password via the environment variable %s.",
+                        ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD
+                    )
+                );
                 System.exit(-1);
             }
 
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
index 948a66996c..27ba150a78 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -104,7 +104,12 @@ public void testUpdateAdminPassword_noPasswordSupplied() {
             System.setSecurityManager(null);
         }
 
-        verifyStdOutContainsString("No custom admin password found. Please provide a password.");
+        verifyStdOutContainsString(
+            String.format(
+                "No custom admin password found. Please provide a password via the environment variable %s.",
+                ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD
+            )
+        );
     }
 
     @Test

From 907913a140e5a6032736d66c3701969cbceff708 Mon Sep 17 00:00:00 2001
From: Andriy Redko <andriy.redko@aiven.io>
Date: Thu, 4 Jan 2024 21:21:57 -0500
Subject: [PATCH 012/143] Update to Gradle 8.5 (#3919)

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
---
 gradle/wrapper/gradle-wrapper.jar        | Bin 63721 -> 43462 bytes
 gradle/wrapper/gradle-wrapper.properties |   4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index 7f93135c49b765f8051ef9d0a6055ff8e46073d8..d64cd4917707c1f8861d8cb53dd15194d4248596 100644
GIT binary patch
literal 43462
zcma&NWl&^owk(X(xVyW%ySuwf;qI=D6|RlDJ2cR^yEKh!<L)kv!^b;wzjN=MbLPE6
z#Qs54Mb(a4xpF<3xwf(#I0QP#moHyHKtM=7umAmr3<3k9AfYb8AfqVBBrhW-p{ORI
zp$-WG`qx|5b@g0VIWYsKzV}*LSf1fX%5<DxH2bTXmT7RMuqAb62#S(Z1H@42g>@I-
zp9QeisK*rlxC>+~7Dk4IxIRsKBHqdR9b3+fyL=ynHmIDe&|>O*VlvO+%z5;9Z$|DJ
zb4dO}-R=MKr^6EKJiOrJdLnCJn>np<Vr_Xn3)te~Xt>?~vU-1sSFgPu;pthGwf}bG
z(1db%xwr#x)r+`4AGu$j7~u2MpVs3VpLp|mx&;>`0p0vH6kF+D2CY0fVdQOZ@h;A`
z{infNyvmFUiu*X<?lkm_Rwc7`N28EaGe!}kzj7nfhW^@lTVlH-#Uo^46(tYuSUgOx
zQr0fsq(~O?24S?tV(okgsek@TWWcu+UvB}S%m>G}RNMNwXrbec_*a3N=2zJ|Wh5z*
z5rAX$JJR{#zP>KY**>xHTuw?|-Rg|o24V)74HcfVT;WtQHXlE+_4iPE8QE#DUm%x0
zEKr75ur~W%w#-My3Tj`hH6EuEW+8K-^5P62$7Sc5OK+22qj&Pd1;)1#4tKihi=~8C
zHiQSst0cpri6%OeaR`PY>HH_;CPaRNty%WTm4{wDK8V6gCZlG@U3$~JQZ;<Vs5#qH
zEVy+t;!5@Xu1$jID=`9nIoF+Jc9_az6+@ZeQX+!p62E#%NU_ikW&7u6D)sZpOG{u|
z={bCQI06wwYzSWO$q~5IHw{K<h(x`GAQV}I+HC2mJ9);BffzPtNZV^JzK+Q*#E)sp
z_;y^CR19xFFVGX1#sx$S&@R1md`SKw94gSZefoLMIz1SgFUJeHlDdu>HPvDJcT1V{
z?>H@13MJcCNe#5z+MecYNi@VT5|&UiN1D4ATT+%M+h4c$t;C#UAs3O_q=GxK0}8%8
z8J(_M9bayxN}69ex4dzM_P3oh@ZGREjVvn%%r7=xjkqxJP4kj}5tlf;QosR=%4L5y
zWhgejO=vao5oX%mOHbhJ8V+SG&K5dABn6!WiKl{|oPkq(9z8l&Mm%(=qGcFzI=eLu
zWc_oCLyf;hVlB@dnwY98?75B20=n$>u3b|NB28H0u-6Rpl((%KWEBOfElVWJx+5yg
z#SGqwza7f}$z;n~g%4HDU{;V{gXIhft*q2=4zSezGK~nBgu9-Q*rZ#2f=Q}i2|qOp
z!!y4p)4o=LVUNhlkp#JL{tfkhXNbB=Ox>M=n6soptJw-IDI|_$is2w}(XY>a=H52d
z3zE$tjPUhW<B7^QI+mzDc0r|3FgQFs!Jsdf2mD!`%+)SGMT!&dDeNq8Wnr~TJ=;SJ
zCjA5AMnKC>WS+5h=KVH&uqQS=$v3nRs&p$%11b%5qtF}S2#Pc`IiyBIF4%A!;AVoI
zXU8-Rpv!DQNcF~(qQnyyMy=-AN~U>#&X1j5BLDP{?K!%h!;hfJI>$mdLSvktEr*89
zdJHvby^$xEX0^l9g$xW-d?J;L0#(`UT~zpL&*cEh$L|HPAu=P8`OQZV!-}l`noSp_
zQ-1$q$R-gDL)?6YaM!=8H=QGW$NT2SeZlb8PKJdc=F-cT@j7Xags+Pr*jPtlHFnf-
zh?q<6;)27IdPc^Wdy-mX%2s84C1xZq9Xms+==F4);O`VUASmu3(RlgE#0+#giLh-&
zc<QGvU&1r_Xz58P7NkF*I*90qex!^xxfEgH#K;#C|KMCf;CA5Qt-NV8mGe5b-lG!j
zRL`7OWA4AJCL!FWu3g%<l7t>xm3_e}n4<JRr%rS6Swi_EMqL;`T8Bl3(r42Q<|~(Y
zc;e@g+fVh%OUP%og+-&}AUrto$4spr+PoQd2Zp+clpMO`)?XEs_x|w9_1so-38=4Y
zn`D1h2@&{Ai|aMqEbZDK1O5PGO%pa3=lgn}`i!wzdMR^A4OKHJ)Gs9YZ1vnbkiv-D
z$-P%T9AC{vA3^Up7DULFj^rOQ`7gHyAFny;2s;Lb$MDVB@Qs!<`=}5GFJ_Xz>{%|X
zJp{G_j+%`j_q5}k{eW&TlP}J2wtZ2^<^E(O)4OQX8FDp6RJq!F{(6eHWSD3=f~(h}
zJXCf7=r<16X{pHkm%yzYI_=VDP&9bmI1*)Y<!NUzHwGU;+XI38Q(`+NB8>XZeB}F?
z(%QsB5fo*FUZxK$<e}vt0yO7dH1jD~7>oX~X^69;x~j7ms8xlzpt-T15e9}$4T-pC
z6PFg@;B-j|Ywajpe4~bk#S6(fO^|mm1hKOPfA%8-_iGCfICE|=P_~e;Wz6my&)h_~
zkv&_xSAw7AZ%ThYF(4jADW4vg=oEdJGVOs>FqamoL3Np8>?!W#!R-0%2Bg4h?kz5I
zKV-rKN2n(vUL%D<4oj@|`eJ>0i#TmYBtYmfla;c!ATW%;xGQ0*TW@PTlGG><@dxUI
zg>+3SiGdZ%?5N=8uoLA|$<tQF__q{Hb+omJ>4isK$aJ%i{hECP$bK{J#0W2gQ3YEa
zZQ50Stn6hqdfxJ*9#NuSLwKFCU<kW<Z$>Gk@c=(igyVL;;2^wi4o30YXSIb2g_ud$
zgpCr@H0qWtk2hK8Q|&wx)}4+hTYlf;$a4#oUM=V@Cw#!$(nOFFpZ;0lc!qd=c$S}Z
zGGI-0jg~S~cgVT=4Vo)b)|4phjStD49*EqC)IPwyeKBLcN;Wu@Aeph;emROAwJ-0<
z_#>wVm$)ygH|qyxZaet&(Vf%pVdnvKWJn9`%DAxj3ot;v>S$I}jJ$FLBF*~iZ!ZXE
zkvui&p}fI0Y=IDX)mm0@tAd|fEHl~J&K}ZX(Mm3cm1UAuwJ42+AO5@HwYfDH7ipIc
zmI;1J;J@+aCNG1M`Btf>YT>~c&3<N>j~Qi@Py5JT6;zjx$cvOQW@3oQ>|}GH?TW-E
z1R;q^QFjm5W~7f}c3Ww|awg1BAJ^slEV~Pk`Kd`PS$7;SqJZNj->it4DW2l15}xP6
zoCl$kyEF%yJni0(L!Z&14m!1ur<bj#167-*(B|jp)F*o{Q;Hn)6)_<P63qS{7s)%O
z``Aek8i5TJj-mjjYtt1A_~`C%@M}|?ur(!4Oz?<A^)?FLyfSWzL9}|;jFV^_SWWx7
zZqoBj%8Zht{DR?*BSX3Fo`9QF2<={td!w9oLBkZ!>Xh6Btj_5JYt1{#+H8w?5QI%%
zo-$KYWNMJVH?Hh@1n7OSu~QhSswL8x0=$<8QG_zepi_<zlB#8m+hcE7gc<MZ-I}wy
z>`y_79=nK=_ZP_`Em2UI*tyQoB+r{1QYZCpb?2OrgUw#oRH$?^Tj!Req>XiE#~B|~
z+%HB;=ic+R@px4Ld8mwpY;W^A%8%l8$@B@1m5n`TlKI6bz2mp*^^^1mK$COW$HOfp
zUGTz-cN9?BGEp}5A!mDFjaiWa2_J2Iq8qj<W!S?C&KT9grEb&=%wm;aC1~>0mXzk;
z66JBKRP{p%wN7XobR0YjhAuW9T1Gw3FDvR5dWJ8ElNYF94e<ioutKi#n7!$mwZ7cG
z1bc^4#{Lo^rv1yy&HM`wbm`jfSY+G{qjDC1m?i9np*9^ecJ6!CKPZ;Z?_@`Nrs+nA
zB6#eGiAgK!RqyysJp%o~7rj*4vtuR7j|$OCbL9xyI9^gP(08>F3ebu+QwKjtvVu4L
zI9ip#mQ@4uqVdkl-TUQMb^XBJVLW(-$s;Nq;@5gr4`UfLgF$adIhd?rHOa%D);whv
z=;krPp~@I+-Z|r#s3yCH+c1US?dnm+C*)r{m+86sTJusLdNu^sqLrfWed^ndHXH`m
zd3#cOe3>w-ga(Dus_^ppG9AC>Iq{y%%CK+Cro_sqLCs{VLuK=dev>OL1dis4(PQ5R
zcz<j+gH(MtWYW4^8ed>)>DjEkfV+M<e_sEdzrS<1AHM%agf4oS_E5Eo5a@5bZSJRE
z-3LG-!nD1<2E1K6xQ;KRI>O;~>VUlYF00SgfUo~@(&9$Iy2|G0T9BSP?&T22>K46D
zL*~j#yJ?)^*%J3!16f)@Y2Z^kS*BzwfAQ7K96rFRIh>#$*$_Io;z>ux@}G98!fWR@
zGTFxv4r~v)Gsd|pF91*-eaZ3Qw1MH$K^7JhWIdX%o$2kCbvGDXy)a?@8T&1dY4`;L
z4Kn+f%SSFWE_rpEpL9bnlmYq`D!6F%di<&Hh=+!VI~j)2mfil03T#jJ_s?}VV0_hp
z7T9bWxc>Jm2Z0WMU?`Z$xE74Gu~%s{mW!d4uvK<j&<1yHv!7+02LGZ>Cx@WD+gPUQ
zV0vQS(Ig++z=EHN)BR44*EDSWIyT~R4$FcF*VEY*8@l=218Q05D2$|fXKFhRgBIEE
zdDFB}1dKkoO^7}{5crKX!p?dZWNz$m>1icsXG2N+((x0OIST9Zo^DW_tytvlwXGpn
zs8?pJXjEG;T@qrZi%#h<Ub!eG-{OloH-RpCzw35}x@i|jcqI|*S)Mk#vJASbW?htA
zkoiPl104oY;UP=8R1euujt$?djSOx?y-rqs2lMK%Qb9yZr^vF%!MGNK6X7qcO{3$l
z`SpE|3;1<tJDRMxF=rVtiibsxjcy7ac&I!rJ(vX~wSh6hna0U?6s6xBR8R}cWK=Mr
z0w`kyzSZL7v262fj&Zs-DwNn*X?a01@1FD@>93?FP$!&P4JA(&H61tqQi=opRzNpm
zkrG}$^t9&XduK*Qa1?<l%^7R<o*-c=iC4sk-`i4!S6!9X4fSx+qbvvgrLLuj@E8FE
zq?-x^MET$9MfCquFDi&A%1BD6sWU1_{+DLFRrob7FUP<*gCNI1JNawshbr?t+t&Wg
zFNRT>355wd8G2CI6QEh@Ua>AsD;7oRUNLPb76m4HG3K?)wF~IyS3`fXuNM>${?wmB
zpVz;?6_(Fiadfd{vUCBM*_kt$+F3J+IojI;9L(gc9n3{sEZyzR9o!_mOwFC#tQ{Q~
zP3-`#uK#tP3Q7~Q;4H|wjZHO8h7e4IuBxl&vz2w~D8)w=Wtg31zpZhz%+kzSzL*dV
zwp@{WU4i;hJ7c2f1O;7Mz6<tj2!R+wyuceauj<?kVu{wyl=%JHPkLzkWmg+Z?RG$#
zRU+Lf6+%iJNryt(CfbHrg5cMQPHCKXNZUXf@5VtUpcIZ(1nKR6v)V%+OF~*L&Q2bo
zXdQmkq&Da<4ZR}a$I6XIt`dd!z6Ld%&o(8?bghVIHa*@Mm4a2#r;SUX#A+KRSH^xk
zTs2!r=Ribpu&~Zx#mw!4jE91^t<FzpP{8m$mj$1xwQ{_Z*|&XtH^s|T`GZmEqGKAk
zj@Xz#kk3*eWc-B>qRKeASoIv0_bV=i@NMG*l<#+;INk-^`5w@}Dj~;k=|}qM1vq_P
z|GpBGe_IKq|LNy9SJhKOQ$c=5L{Dv|Q_lZl=-ky*BFBJLW9&y_C|!vyM~rQx=!vun
z?rZJQB5t}Dctmui5i31C_;_}C<yrm%u8E>En}_W%>oSXtt>@kE1=JW*4*v4tPp;O6
zmAk{)m!)}34pTWg8{i>($%NQ(Tl;QC@J@FfBoc%Gr&m560^kgSfodAFrIjF}aIw)X
zoXZ`@IsMkc8_=w%-7`D6Y4e*CG8k%Ud=GXhsTR50jUnm+R*0A(O3UKFg0`K;qp1bl
z7``HN=?39ic_kR|^R^~w-*pa?Vj#7|e9F1iRx{GN2?wK!xR1GW!qa=~pjJb-#u1K8
zeR?Y2i-pt}yJq;SCiVHODIvQJX|ZJaT8nO+(?HXbLefulKKgM^B(UIO1r+S=7;kLJ
zcH}1J=Px2jsh3Tec&v8Jcbng8;V-`#*UHt?hB(pmOipKwf3Lz8rG$heEB30Sg*2rx
zV<|KN86$soN(I!BwO`1n^^uF2*x&vJ$2d$>+`(romzHP|)K_KkO6Hc>_dwMW-M(#S
zK(~SiXT1@fvc#U+?|?PniDRm01)f^#55;nhM|wi?oG>yBsa?~?^xTU|fX-R(sTA+5
zaq}-8Tx7zrOy#3*JLIIVsBmHYLdD}!0NP!+ITW+Thn0)8SS!$@)HXwB3tY!fMxc#1
zMp3H?q3eD?u&Njx4;KQ5G>32+GRp1Ee5qMO0lZjaRRu&{W<&~DoJNGkcYF<5(Ab+J
zgO>VhBl{okDPn78<%&e2mR{jwVCz5Og;*Z;;3%VvoGo_;HaGLWYF7q#jDX=Z#Ml`H
z858YVV$%J|e<1n`%6Vsvq7GmnAV0wW4$5qQ3uR@1i>tW{xrl|ExywIc?fNgYlA?C5
zh$ezAFb5{rQu6i7BSS5*J-|9DQ{6^BVQ{b*lq`xS@RyrsJN?-t=MTMPY;WYeKBCNg
z^2|pN!Q^WPJuuO4!|P@jzt&tY1Y8d%FNK5xK(!@<w&%9D$8VsECTj#p>`jO2aEA*4
zkO6b|UVBipci?){-Ke=+1;mGlND8)6+P;8sq}UXw2hn;fc7nM>g}GSMWu&v&fqh<p
z##88~l{cY%DBl|WjH>iViYT=fZ(|3Ox^$aWPp4a8h24tD<|8-!aK0lHgL$N7Efw}J
zVIB!7=T$U`ao1?upi5V4Et*-lTG0XvExbf!ya{cua==$WJyVG(CmA6Of*8E@DSE%L
z`V^$qz&RU$7G5mg;8;=#`@rRG`-uS<w08Td3B}9G%N}FK9HR~!f^Cj{`y^tJfREum
z*~gqwb#dcwc-QI{m8GKpLpC4_K%Vfi)$F_F!#pL|shy<Q%NAC^CU`RL!|-5srD#ZO
zn{I~O)p%c{5m;d<;UUXgV+yNvL<rtSIQngc|6F6>18$0WPN@!v2d{H2sOqP|!(cQ@
zUHo!d>>yFArLPf1q`uBvY32miqShLT1B@gDL4XoVTK&@owOoD)OIHXrYK-a1d$B{v
zF^}8D3Y^g%^cnvScOSJR5QNH+BI%d|;J;wWM3~l>${fb8DNPg)wrf|GBP8p%LNGN#
z3EaIiItgwtGgT&iYCFy9-LG}bMI|4LdmmJ<aSE*uYY8*ef191mD07amYtQ+>t@V@%
zb6B)1kc=T)(|L@0;wr<>=?r04N;E&ef+7C^`wPWtyQe(*pD1pI_&XHy|0gIGHMekd
zF_*M<adlI3H~C+q^IzcHq+zQxXN(?TC=A;~jCHxB64cks3Odw>4yi6J&Z4LQj65)S
zXwdM{SwUo%3<O37{DHPAG$A+a&Uh?}DLaiJmVVmFZ1SIa$#%_k^;QaeeZ7P1{c?b9
zC=eLHcdO3e<gc?V;V!z6HlJL{r#Zyj=E&V_!6PB!qLm)(8_YSrHh0%Boz_*kUx6mK
zb|)@dlgu8i#ZFeI!mo!f$fZhLo%K}Hqt2m#>SbPwFsHgqF@V|6afT|R6?&S;lw=8%
z3}@9<sV<+=?Zw{9R&#fEo?wO?NZ(DJrAWh4NL*AP6WG<pY>B=#JI3@B*#4s!O))~z
zc>2_4Q_#&+5V`GFd?88^;c1i7;Vv_I*qt!_Yx*n=;rj!82rrR2rQ8u5(Ejlo{15P%
zs~!{%XJ>FmJ})H^I9<JZ=qNB8Uvp_IODk79lcQ%6N8nJ<layarnSw*wERT@1y+@T9
zbCRk63Z9EFi*?65Y?t(rNyKH`R2OmS8*97sR}##9$$k=`zv4t1*Bd!||1<$^?K3bV
zch~R<>bn^Re&38H{xA!0l3^89k(oU;bZWXM@kn$#aoS&Y4l^-WEn<v2GMB&`=$+t{
zsqH-Hrg^zC-u%NR+$BDUf%Zr&u$O+4nJ{Bn;W>-fH39Jb9lA%s*WsKJQl?n9B7_~P
z-XM&WL7Z!PcoF6_D>V@$CvUIEy=+Z&0kt{szMk=f1|M+r*a43^$$B^MidrT0J;RI`
z(?f!O<8UZkm$_Ny$<xT<$ZIyDj(fr1FYD^^at+o!IT*&wJZ2YcAjrNtR7B|~_E5=s
zOz!Ci^%eTS=@CxD@zJ?@F7iX3EI*kkt`>Hth1J#^4ni+im8M9mr&k|3cIgwvjAgjH
z8`N&h25xV#v*d$qBX5jkI|xOhQn!>IYZK7l5#^P4M&twe9&Ey@@GxYMxBZq2e7?`q
z$~Szs0!g{2fGcp9PZEt|rdQ6bhAgpcLHPz?f-vB?$dc*!9OL?Q8mn7->bFD2Si60*
z<SxIYe5*?<(^};SmYZJUE5uTQgi>!O%y)fCdMSV|lkF9w%x~J*A&srMyYY3{=&$}H
zGQ4VG_?$2X(0|vT0{=;W$~icCI{b6W{B!Q8xdGhF|D{25G_5_+%s(46lhvNLkik~R
z><gHECVNA9lSE@px%4b)MU9AlX-3O&uNmc}yl!RiOZVkYH*st9io|}a-%W^-z%%sS
zBRKzv>nr(&C#5wwOzJZQo9m|U<;&Wk!_#q|V>fsmj1g<6%hB{jGoNUPjgJslld><h
z0D4sDtR`m}US*Y@1-q?v_8uo!>xmODzGjY<PkPw{-%~Z34UsBBxRhv{JbTqaVf$5q
z{S2pJqjiGYd2`{L@&>c?7JSuA?A_QzjDw5AsRgi@Y|Z0{F{!1=!NES-#*f^s4l0Hu
zz468))2IY5dmD9pa*(yT5{EyP^G>@ZWumealS-*WeRcZ}B%gxq{MiJ|RyX-^C1V=0
z@iKdrGi1jTe8Ya^x7yyH$kBNvM4R~`fbPq$BzHum-3Zo8C6=KW@||>zsA8-Y9uV5V
z#oq-f5L5}V<&wF4@X@<3^C%ptp6+Ce)~hGl`kwj)bsAjmo_GU^r940Z-|`<)oGnh7
zFF0Tde3>ui?8Yj{sF-Z@)yQd~CGZ*w-6p2U<8}JO-sRsVI5dBji`01W8A&3$?<gda
z?BZWzCe?!+Mzz3|voidco80@c=7!Ur=?8_d@M{njoqdXf;HO=-j8&nJI$X=2*nR5b
zdkQR1yvkj-(Jw_Mm=h7q^yxfjEp7^;bcyq6D@_K&VWKp^Sop&nM1y{dpIssXCy2i4
z=LyazjEE+1j0KJwbLD2TWETW$BXbT?w}d!pg$Bwi+bH5Fd+>}lxBaC&vn0E$c5tW*
zX>5(zzZ=qn&!J~KdsPl;P@bmA-Pr8T*)eh_+Dv5=Ma|XSle6t(k8qcgNyar{*ReQ8
zTXwi=8vr>!3Ywr+BhggHDw8ke==NTQVMCK`$69fhzEFB*4+H9LIvdt-#IbhZvpS}}
zO3lz;P?zr0*0$%-Rq_y^k(?I{Mk}h@w}cZpMUp|ucs55bcloL2)($u%mXQw({Wzc~
z;6nu5MkjP)0C(@%6Q_I_vsWrfhl7Zpoxw#WoE~r&GOSCz;_ro6i(^hM>I$8y>`!wW
z*U^@?B!MMmb89I}2(hcE4zN2G^kwyWCZp5JG>$Ez7zP~D=J^LMjSM)27_0B_X^C(M
z`fFT+%DcKlu?^)FCK>QzSnV%IsXVcUFhFdBP!6~se&xxrIxsvySAWu++IrH;FbcY$
z2DWTvSBRfLwdhr0nMx+URA$j3i7_*6BWv#DXfym?ZRDcX9C?cY9sD3q)uBDR3uWg=
z(lUIzB)G$Hr!){>E{s4Dew+tb9kvToZp-1&c?y2wn@Z~(VBhqz`cB;{E4(P3N2*nJ
z_>~g@;UF2iG{Kt(<1PyePTKahF8<)pozZ*xH~U-kfoAayCwJViIrnqwqO}7{0pHw$
zs2Kx?s#<e4dK%3b&+)k6Y|;S4DL85-WyrKVIj_j{{6I$&%2Do^b$2hE@5=a;FpA#?
zj?ue-OJN&$@J%?YKM$eGC(JtcZy!B$NWApB@di<X3W1e<da}udYMoeI3o7_<JF=Zh
zYpeXWvB)_@QIIYWL@3|7rB4|sFVTbw@}gXInS&gjZDpG1DvPM{2=+Ykc&(i5ifc$_
zh}LZ8qwN(P?@iKtl~(pPzWr%^DDJwnMm5!z?#c5FjG;&ZIUT6z@~tYZ+k;3g@lXUv
zc!5>vQr7XZ264>5RNKSL8|Ty^=PsIx^}QqOOcfpGUU4tRkUc|kc7-!Ae6!+<d3LhN
z&XzYh?Io|}4gfQtnbqxLyJD!7AFApf16JvF_cy6Y`x$Llw|Gfz;B@D2LO~qGw&vqe
zsH^CM_BX(-!fK<Eo8IYbMVZ6+S7(ZE0!FE(^I(-o-1+IZ<U0&RNxqDrwiyUBYR)d<
z#!m|@8#oaZv2FVRDr{+-;DajT%LpK4DvrtxtKBx!-{g~??&MQ(9~5@mIpt?Y@cvL%
zN}LG<11t5Cf)G^&gR<1lgJ{-R<J>B{o~7nFpm3|G5^=0#Bnm6`V}oSQlrX(u%OWnC
zoLPy&Q;1J<Q=Rw7zP0W`<I7X@-?=Nf;Xee%N*w}vJKiE|cD<4a=^PO7MQlM02j-+$
zKCm^lM#p{(Wj}5i#kBavYT-0#nTBp`m_35(`HY&Y@4YUMZTiPw%I|bpPk6PK|CYyI
z`Xes=050k(L_<N^Jv(Mpm{{2H2c!?vIl%96&k^E-?K&Vk`$KkeX~Jw~Fsfk(d16L!
z-bf)Sz$PAGgB&vJhQ}eDyRs{2lK?Gq>ui&7ST0~#+}I^&?vcE*t47~Xq#YwvA^6^}
z`WkC)$AkNub|t@S!$8CBlwbV~?yp&@9h{D|3<UyWg7|l{^glZ5Dp<R^T02<&bDDly
zL;vF_RkK%`Q$`P93~`T9H0DLwoQ7TLazhh0=(S3=G6^=$?i+3C_*1LCvRZO39g|43
z<9HQ9$%`iR2>z-vJXgzRC5^nYm+PyPcgRzAnEi6Q^gslXYRv4nycsy-SJu?lMps-?
zV`U*#WnFsdPLL)Q$AmD|0`UaC4ND07+&UmOu!eHruzV|OUox<+Jl|Mr@6~C`T@P%s
zW7sgXLF2SSe9Fl^O(I*{9wsFSYb2l%-;&Pi^d<d5gZY$ouXkSxh!i;YM~orayzvd9
z$>pv!{)C3d0AlNY6!4fgmSgj_wQ*7Am<LG|<(H6ae*!sIhw}*%cn8L{G&Qz)Il&k~
zdUB%q=yN3Oz|C{wnn*7=Y}H`Tp)^(dl#`ZFq_B51Ks``*Lp3oxGdwsr3V(Qn1t<fg
ziSMz83x=Ap$h4F(3LJRw8rYw8Xe?}PuG+VUk_bdjjrHLOpBsF^D$Ey0j+dIBQyzkk
z^3ERO0R}UDBy9?czbAa9qFbE3)`4Z5^?OXpH_#GiC*r#QhzMY=jT%oM-$ku0=Z=SS
zPUHZ>7&$z;Jg&wgR-Ih;lUvWS|KTSg!&s_E9_bXBkZvGiC6bFKDWZxsD$*NZ#_8bl
zG1P-#@?OQzE<T`h^Ta9L)yZGSKEF-RZ;~y;F=H0>D7@jlMJTH@V!6k;W>auvft)}g
zhoV{7$q=*<qV(a={b8n4s4yhm_oFzSM6cYhPn}4ss!6ccUzX#rKA~T>;=l{O>Q4a@
ziMjf_u*o^PsO)#BjC%0^h>Xp@;5$p{JSYDt)zbb}s{Kbt!T*I@Pk@X0zds6wsefuU
zW$XY%yyRGC94=6mf?x+bbA5CDQ2AgW1T-jVAJbm7K(gp+;v6E0WI#kuACgV$r}6L?
zd|Tj?^%^*N&b>Dd{Wr$FS2qI#Ucs1yd4N+RBUQiSZGujH`#I)mG&VKoDh=KKFl4=G
z&MagXl6*<)$6P}*Tiebpz5L=oMaPrN+caUXRJ`D?=K9!e0f{@D&cZLKN?iNP@X0aF
zE(^pl+;*T5qt?1jRC=5PMgV!XNITRLS_=9{CJExaQj;<KOp}Ss$xf3w95Awwovm~a
z$iUieZ+;LRH(+2InXK7*7kZ|*f#fpjzjcGEbKAy*9*Q%Ik>lt!&pdzpK?8p>%Mb+D
z?yO*uSung=-`QQ@yX@Hyd4@CI^r{2oiu`%^bNkz+Nkk!IunjwNC|WcqvX~k=><-I3
zDQdbdb|!v+I<k8C-8h1&l^p%~4R~&So2|v->z01$w@aMl!R)koD77Xp;eZwzSl-AT
zr@Vu{=xvgfq9akRrrM)}=!=xcs+U1JO}{t(avgz`6RqiiX<|hGG1pmop8k6Q+G_mv
zJv|RfDheUp2L3=^C=4aCBMBn0aRCU(DQwX-W(RkRwmLeuJYF<0urcaf(=7)JPg<3P
zQs!~G)9CT18o!J4{zX{_e}4eS)U-E)0FAt}wEI(c0%HkxgggW;(1E=>J17_hsH^sP
z%lT0LGgbUXHx-K*CI-MCrP66UP0PvGqM$MkeLyqHdbgP|_Cm!7te~b8p+e6sQ_3k|
zVcwTh6d83ltdnR>D^)BYQpDKlLk3g0Hdcgz2}%qUs9~~Rie)A-BV1mS&naYai#xcZ
z(d{8=-LVpTp}2*y)|gR~;qc7fp26}lPcLZ#=JpYcn3AT9(UIdOyg+d(P5T7D&*P}#
zQCYplZO5|7+r19%9e`v^vfSS1sbX1c%=w1;oyruXB%Kl$ACgKQ6=qNWLsc=28xJjg
zwvsI5-%SGU|3p>&zXVl^vVtQT3o-#$UT9LI@Npz~6=4!>mc431VRNN8od&Ul^+G<O
z&+UaGr()Me%6V)8@*Bx3oT4=TBj_vjymMyd8nWP{_ePd?ZpLR5y@P!PwPSnq@b%?+
z-3jAw7s2p_He|nVH%u;ROIVANf3n6TyT+w(2_c_sy)MF$<SLbp^<>_kHC`G=6WVWM
z%9eWNyy(FTO|A+@x}Ou3CH)oi;t#7rAxdIXfNFwOj_@Y&TGz6P_sqiB`Q6<Z9`{@I
zG)gW^Bs^4xVzBtFwh6KfO16ddPYr(3GPqiVlbqYNdp{z1`WEdF){s~pqbp&T6o|uZ
zd@{Wd+K`h(<$gjo>Lxy|Q{`|fgmRG(k+!#b*M+Z9zFce)f-7;?Km5O=LHV9f9_87;
zF7%R2B+$?@sH&&-$@tzaPYkw0;=i|;vWdI|Wl3q_Zu>l;XdIw2FjV=;Mq5t1Q0|f<
zs08j54Bp`3RzqE=2enlkZxmX6OF+@|2<)A^RNQpBd6o@OXl+i)<H_i&N`daO9#gRD
zbNRiucg54Gy(2fGrWtv`LB0NuWCH3@RHOJamGJ+B#lKG`{v$j0pO8><bNM_W{ENJH
zS2a-j%gz<EZJA$~1=AFf&`NH0`}A|!jr|e^sYu1)OS{vLFWmU*j55~$42^zF3vE?V
zDx)gAg1%Glt~U?HFUqs}9{v)ryb$pHbibYndMV|B@l;eyS(h=KEpcIvczVDE78@Xj
zSAm;1J^1Dwm>zO%D4iGiQNuXd+zIR{_lb96{lc~bxsBveIw6umhShTX+3@ZJ=YHh@
zWY3(d0azg;7oHn>H<>?4@*RQbi>SmM=JrHvIG(~BrvI)#W(<iZ@?A1TuACNgdXURW
z+)gvyNh;kbU(liR<_1NHe=TW&=0kt+K?wKELV`s)-;TebXWQlc!-`aY6o(nMsy+|=
z(E4T?*-uU}N^Du>EAeO6fS+}mxxcc+X~W6&YVl86W9WFSS}Vz-f9vS?XUDBk)3TcF
z8V?$4Q)`uKFq>xT=)Y9mMFVTUk*NIA!0$?RP6Ig0TBmUFrq*Q-Agq~DzxjStQyJ({
zBeZ;o5qUUKg=4Hypm|}>>L=XKsZ!<FKQ_ntYAcXmoND))pw_T3pH%fHY!pNqk5cuV
zOHA2*8nP`0K~OlwGy0SH3EWaDB-i#4%#|`_{yB={(lcN;3!10+Pxox-HkRohVDL0|
z8{E!B)=^(A?$N_ctiS3J)!iY`)ts!F9ODnu96)<93qPUBnzlYuy=Jt+bF8r45!B4r
zWzRGHHPnO9ti}*NAt&~?DFW+%!bE>F$yNTDO)jt4H0gdQ5$f|d&bnVCMMXhNh)~mN
z@_UV6D7MVlsWz+zM+inZZp&P4fj=tm6fX)<V@r2uJW+0vvpHTeeFv#Sgo7s}BAm4K
zjGGF<Q!n^&4xvzX0>SG5H>OsQf_I8c<Dg8clrV~^w3Z*%r!X6dX4x@j9;{JD(8l7}
z(Qgx)wY{>~uGCig$GzuwViK54bcgL;VN|FnyQl>Ed7(@>=8$a_UKIz|V6CeVSd2(P
z0Uu>A8A+muM%HLFJQ9UZ5c)<?oM~-8FHMf~w|t%VP|2Tazr<2Sjx#;msM?}B)jn`T
z*pYak+6)TB+ee7iYW3p=zQkY>BSAv_zH#1f02x?h9C}@pN@6{>UiAp>({Fn(T9Q8B
z^`zB;kJ5b`>%dLm+Ol}ty!3;8f1XDSVX0AUe5P#@I+FQ-`$(a;zNgz)4x5hz$Hfbg
z!Q(z26wHLXko(1`;(BAOg_wShpX0ixfWq3ponndY+u%1gyX)_h=v1zR#V}#q{au6;
z!3K=7fQwnRfg6FXtNQmP>`<;!N137paFS%y?;lb1@BEdbvQHYC{976l`cLqn;b8lp
zIDY>~m{gDj(wfnK!lpW6pli)HyLEiUrNc%eXTil|F2s(AY+LW5hkKb>TQ3|Q4S9rr
zpDs4uK_co6XPsn_z$LeS{K4jFF`2>U`tbgKdyDne`xmR<@6AA+_hPNKCOR-Zqv;xk
zu5!HsBUb^!4uJ7v0RuH-7?l?}b=w5lzzXJ~gZcxRKOovSk@|#V<jQ-(2_xKpDYt{m
zs6<ysaM*D{ARcUnlk4D!8f*k1G{Ip@*-dFQ!bhc3zg>+MuX%Y+=;14i*<yct;~?4+
z8a$HdaeCZdGnM?f>%{)_gSW9(#4%)AV#3__kac1|qUy!uyP{>?U#5wYNq}y$S9pCc
zF<Mndv5MKme1!JVgsoWscJ<knfP)Xe)2}9N1^EiWQ;6~WJPU`LW&2l%<A5V5ht~*^
zy?4tqc_+c^CwHLPg-(Ehm=L2yf~2Mxlz*2rKsp2n_Y-esI>c~4mgSC*G~j0u#qqp9
z${>3HV~@->GqEhr_Xwoxq?Hjn#=s2;i~g^&Hn|aDKpA<n^4$fC$Kuspwq}<LNwu8C
zbf6;H40RGwOB}XjobHn85?fmF9ub`bI+IQM@Py%7F9WcE4R&_4B5<%dGT-3U#$8JL
z+9W_t43rJ$Gf^G?+|wOo&KIwqf2&OR?zMoHUZhcc%t4i);VELMxvn-h%aEuLgl_t^
zn}SzihDXMuweFhp8a#vz8k>>Oc%HlW(KA1?BXqpxB;Ydx)w;2z^MpjJ(Qi(X!$5RC
z*P{~%JGDQqojV>2JbEeCE*OEu!$XJ>bWA9Oa_Hd;y)F%MhBRi*LPcdqR8X`NQ&1L#
z5#9L*@qxrx8n}LfeB^J{%-?SU{FCwiWyHp682F+|pa+CQa3ZLzBqN1{)h4d6+vBbV
zC#NEbQLC;}me3eeYnOG*nXOJZEU$xLZ1<1Y=7r0(-U0P6<g54#mo~h%m97FKEIHpA
zi1;stE`DWrPG;ZcvR%GkPkplBUD5E>-AqwMAM`a(Ed#7vJkn6plb4eI4?2y3y<C7^
zMN|!317AP-8b+h`frBg^oc&CV#@gdFKbOG_+V@md3_}H++3*0>OTGmmDQ!z9`wzbf
z_OY#0@5=bnep;MV<TyaesE-ymV~)h1zKx)bzGTLWVIp8Jc0Xjtfz?g}02XS&L-sgn
zz+J7FV@}%gTsBPancF*aFOCi$QUrJa8Ibmw3#H6HwLunm!~S7uJfJF*x^4TdZ((BQ
z!OA8ez?xzj5&N>0X_;;<l|1-%NB+RStv%4V3*k9dM&8$D*6KHj&I{f#=G0sJycjJ9
zsbnF%tPoJ^)WY9aH4DzA@Up>SJJWEf^E6Bd^tVJ9znWx&Ks8t*<NkWUjNZuHXm?wX
z&k+-16-gZ2l39lpjw5PGa}Nvw$IGx#fYlU<*{);MA3*W3V0a83>B>AM@?;D4oWUGc
z!H*`6d7Cxo6VuyS4Eye&L1ZRhrRmN6Lr`{NL(wDbif|y&z)JN>Fl5#Wi&mMIr5i;x
zBx}3YfF>><oG8>8EC(fYnmpu~)CYHuHCyr5*`ECap%t@y=jD>!_%3iiE|LN$mK9>-
zHdtpy8fGZtkZF?%TW~29JIAfi2jZT8>OA7=h;8T{{k<t+bcx0feOM-&l9hI?Xmy(z
z-fq}pe2pf8j{{(B0xe64n-!77hMklQf7$y)E8W+2Z@Tt{aWpu0WCZ>?c2`nCEx9$r
zS+*&vt~2o^^J+}RDG@+9&M^K*z4p{5#IEVbz`1%`m5c2};aGt=V?~vI<yv(rk2~bL
zj=};pL9GggLHjow%gVWrUmkyePLZ<Qj(q4u0~rKInZFBgS5;8-hpCcg={gcFHnWum
zMonS>M}ZdPECD<VzUqoNT#)>I)47|CWBCfDWUbxBCnmYivQ*0Nu_xb*C>~C9(VjHM
zxe<*D<#dQ8TlpMX2c@M<9$w!RP$hpG4cs%AI){jp*Sj|*`m)5(Bw*A0$*i-(C<so-
zb=dYmBN5sxWooS6f<r|QIT;nm(*5IP;!0gq<>A5#%>a)$+jI2C9r6|(>J8InryENI
z$NohnxDUB;wAYDwrb*!N3noBTKP<UImuz_p@!@WwtKs6Oq=w->pPN}~09SEL18tkG
zxgz(RYU_;DPT{l?Q$+eaZaxnsWCA^ds^0PVRkIM%bOd|G2IEBBiz{&^JtNsODs;5z
zICt_Zj8wo^KT$7Bg4H+y!Df#3mbl%%?|EXe!&(Vmac1DJ*y~3+kRKAD=Ovde4^^%~
zw<9av18HLyrf*_>Slp;^i`Uy~`mvBjZ|?Ad63<fPCD(QY8B|u!l)brK@3#~ULtEdK
zqfCRe>yQa#YK`4+c6;pW4?XIY9G1(Xh9WO8{F-Aju+nS9Vmv=$Ac0ienZ+p9*O%NG
zMZKy5?%Z6TAJTE?o5vEr0r>f>hb#2w2U3DL64*au_@P!J!TL`oH2r*{>ffu6|A7tv
zL4juf$DZ1MW5ZPsG!5)`k8d8c$J$o;%EIL0va9&GzWvkS%ZsGb#S(?{!UFOZ9<$a|
zY|a+5kmD5N&{vRqkgY>aHsBT&`rg|&kezoD)gP0fsNYHsO#TRc_<dLhZf-oCe<uor
zVn+D3J+?dI`OPTIwX%7HL4coV@n&0F`$sgzfV#jy^Nxhx;htyfm`2*%2*E<EEua3X
z>$n6Lf1Z{?+DLziXlHrq4sf(!>O{?Tj;Eh@%)+nRE_2VxbN&&%%caU#JDU%vL3}Cb
zsb4AazPI<wjJ5Xm?P>{>8H&d=jUaZDS$-0^AxE@utGs;-Ez_F(qC9T=UZX=>ok2k2
ziTn{K?y~a5reD2A)P${NoI^>JXn>`IeArow(41c-Wm~)wiryEP(OS{YXWi7;%dG9v
zI?mwu1MxD{yp_rrk!j^cKM)dc4@p4Ezyo%lRN|XyD}}>v=Xoib0gOcdXrQ^*61HNj
z=NP|pd>@yfvr-=m{8$3A8TQGMTE7g=z!%yt`8`Bk-0MMwW~h^++;qyUP!J~ykh1GO
z(FZ59xuFR$(WE;F@UUyE@Sp>`aVNjyj=Ty>_Vo}xf`e7`F;j-IgL5`1<e8<5GZ9t_
zSKJ;j#8L2sA)KLlG+guS4jf40SgEe!dKKK0Hbs4NAYj<w(>~-#70$9_=uBMq!2&1l
zomRgpD58@)YYfvLtPW}{C5B35R;ZVvB<<#)x%srmc_S=A7F@DW8>QOEGwD6suhwCg
z>Pa+YyULhmw%BA*4yjDp|2{!T98~<6Yf<Ht&p|`G9M?uugEk_wVc(bM<s*XMD&4B1
z!i3%8q|snVIZ`!_i1*YyreC8Lohwejbmzog)&}vE7Rz1dcR%OnN}_3vj`{K=-3O~_
zu1c5_k};f^gB06dul({<`Lcpka0Ph<!;#yPQz#pwe?I#d5?HpUA@y)AJdD~*W6*^J
z9IAb}`aqXze3Z5+o@S&yu8d^LhgI0a?q{$=xrJP?yBJszi{*k);E$b`3mcYPuTL=d
zCCNFg0QG16+KKF$c43P(5eJVL61PLUzK~wHo_6%n7f<5cmB2yHn6OgGuGvm#^QB$O
zIXl<)?hk{+{p_;>d(wo1mQ!KWwq0eg+6)o1>W~f~kL<-S+P@$wx*zeI|1t7z#Sxr5
zt6w+;YblPQNplq4Z#T$GLX#j6yldXAqj>4gAnnWtBICUnA&-dtnlh=t0Ho_vEKwV`
z)DlJi#!@nkYV#$!)@>udAU*hF?V`2$Hf=V&6PP_|r#Iv*J$9)pF@X3`k;5})9^o4y
z&)~?EjX5yX1<xGQ%1@{UCW^23>2O(BsFy-l6}nYeuKkiq`u9145&3Ssg^y{5G3Pse
z9w(YVa0)N-fLaBq1`P!_#>SS(8fh_5!f{UrgZ~uEdeMJIz7DzI5!NHHqQtm~#CPij
z?=N|J>nPR6_sL7!f4hD_|KH`vf8(Wpnj-(gPWH+ZvID}%?~68SwhPTC3u1_cB`otq
z)U?6qo!ZLi5b>*KnYHWW=3F!p%h1;h{L&(Q&{qY6)_qxNfbP6E3yYpW!EO+IW3?@J
z);4>g4gnl^8klu7uA>eGF6rIGSynacogr)KUwE_R4E5Xzi*Qir@b-jy55-JPC8c~(
zo!W8y9OGZ&`xmc8;=4-U9=h{vCqfCNzYirONmGbRQlR`WWlgnY+1wCXbMz&NT~9*|
z6@FrzP!LX&{no2!Ln_3|I==_4`@}V?4a;YZKTdw;vT<+K+z=uWbW(&bXEaWJ^W8Td
z-3&1bY^Z*oM<=M}LVt>_<PFYrPfhFhSu%npt;+8<VSwjlcQC8wPbX!R<;Rgr<C++E
zby{kGH;!C6486yrVIwy8>j+p=2Iu7<ee5Yzkv)1V_(^OyjiyljyAy{*({<c49<wJ_
zD`WoEKZ35Gv<M<<pCYpQZ?|m!#mlmG_*_DC0N62ESbuImD+AoD)Lj4`<}R)PJ25MB
zQ(JSFe<_~3nt|(_B)R}zmNZN0*RPG}Ru~x4q$U+I`RU|gs%W~s18LSc)J(SC3~+Y<
zk0lr!;49KA_>pZmbXrhQ_k)ysE9yXKygFNw$5hwDn(M>H+e1&9BM5!|81vd%r%vEm
zqxY3?F@fb6O#5UunwgAHR9jp_W2zZ}NGp2%mTW@(hz7$^<W>+a`A?mb8|_G*GNMJ)
zjqegXQio=i@AINre&%ofexAr95aop5C+0MZ0m-l=MeO8m3epm7U%vZB8+I+C*iNFM
z#T3l`gknX;D$-`2XT^Cg*vrv=RH+P;_dfF++cP?B_msQI4j+lt&rX2)3GaJx%W*Nn
zkML%D{z5tpHH=dk<tahvnnE?`>sQ*gzc|}gzW;lwAbxoR07VNgS*-c3d&8J|;@3t^
zVUz*J*&r7DFRuFVDCJDK8V9NN5hvpgGjwx+5n)qa;YCKe8TKtdnh{I7NU9BCN!0dq
zczrBk8pE{{@vJa9ywR@mq*J=v+PG;?fwqlJVhijG!3VmIKs>9T6r7MJpC)m!Tc#>g
zMtVsU>wbwFJEfwZ{vB|ZlttNe83)$iz`~#8UJ^r)lJ@HA&G#}W&ZH*;k{=TavpjWE
z7hdyLZPf*X%Gm}i`Y{OGeeu^~nB8=`{r#TUrM-`;1cBvEd#d!kPqIgYySYhN-*1;L
z^byj%Yi}Gx)Wnkosi337BKs}+5H5dth1JA{Ir-JKN$7zC)*}hqeoD(WfaUDPT>0`-
z(6sa0AoIqASwF`>hP}^|)a_j2s^P<w)m}Rj^15uY<n!4_%<!d#{vZ=Z_P}@eeW-Ox
z;JQLPzZSHN-l$$DLG%r}N3ZZZvwUxH+BWNXE{dS!hk|G5x)?-llV>Qn*qVC{Q}htR
z5-)duBFXT_V56-+UohKXlq~^6uf!6sA#ttk1o~*QEy_Y-S$gAvq47J9Vtk$5oA$Ct
zYhYJ@8{hsC^98${!#Ho?4y5MCa7iGnfz}b9jE~h%EA<g+BN#3fNo`|_hPZ+|%)bb7
zIn_D<^wYb`{#zL<_<s|myPLHg(|`4wmJ7hi$=pTU+V#^hHu-$b(Luw-PR!Bav-v(-
z@?W|xOvONHUKm|~3~s1|_Dl38>Av~Qxu)_rAV;^cygV~5r_~?l=B`zObj7S=H=~$W
z<UmLzInv1Ql%M`_G9-u94*9n+0oO@^hhKgl*ZXu|6{=bN1o_txgnax72@;~Z7?^Oq
z7?^&}>PtI_m%g$`kL_fVUk9J<CtwAz7a!$Q&-Jh3I_W5n|1(dhB)p#U+Wl>@>EiBH
zOO&jtn~&`hIFMS5S`g8w94R4H40mdNUH4W@@XQk1sr17b{@y|JB*G9z1|CrQjd+GX
z6+KyURG3;!*BQrentw{B2R&@2&`2}n(z-2&X7#r!{yg@<!&3xwQWd$^>Soy}cRD~j
zj<Og|6*w}HqZTw8{Il!Ft=<O5!dlKfOz|j$Z^w5&_=~)z5Z-}bt_7jqebZL&Vjmk}
z(RA*=wrL0UL*<vcZEZprIhH<3JJLr)CAtGH+&D8sC~U9fHYR9L!BM()S6a1mtsI!E
z--M=*g<DRnwm1hG$L!!=946pI4AzFaqTKQdn(cd9nxm|_%Tp(UbUJVdmn&m&OV5sT
zjBA&CZ;!B-hP7XTLul+iNP4Dg{KGjcnsK_H51vQ)!>9@UBW+N|4HW4AWapy4wfUI-
zZ`gSL6DUlgj*f1hSOGXG0IVH8HxK?o2|3HZ;KW{K+yPAlxtb)NV_2AwJm|E)FRs&&
z=c^e7bvUsztY|+f^k7NXs$o1EUq>cR7C0$UKi6IooHWlK_#?IWDkvywnzg&ThWo^?
z2O_N{5X39#?eV9l)xI(>@!vSB{DLt*oY!K1R8}_?<kMv(YfJ|7amweKbCcwmp-oP{
zR^MH3r^g&R=wr#qxEEp(KK<zYcr_;1=X$Imnu<Z`RiZwY8*iRY{cWxHh1c@XJZ&pv
zV{U_Z%$qRKL70X;eBqb*t1O=8k$SB(oK)NPT~SfHMOv=9#+69sQt>%+0^C{d9a%N4
zoxHVT1&Lm<qomrTXsCPGIz?rb+qQLuzE?D*s2JcateF>|uDX%$QrBun5e-F`HJ^T$
zmzv)p@4ZHd_w9!%Hf9UYNvGCw2TTTbrj9pl+T9<ayV5<}<wvT;Sn~c<QFT@1O08w<
zkEzBm=w)jYybjnZrhSE(k<3uFR)#=txys^{+XA;N)s*?BH^)|A82SR=)(_iGhC7T3
z6;In+x<8Dm5KW<GS7?86#S~&}Tl{Cy3IDd}BL8#I#Xpxf?HmDS<l^QQ0CzjL|Nnnw
z7e`AMb5~dSPx>%-_-}L(tES>Or-}Z4F*{##n3~L~TuxjirGuIY#H7{%$E${?p{Q01
zi6T`n;rbK1yIB9jmQNycD~yZq&mbIsFWHo|ZAChSFPQa<(%d8mGw<NE-PqxpYmaZY
z>*V3fh|yFoxOOiWJd(qvVb!Z$b88cg->N=qO*4<Ju1L$F55Eg|&pd*ih%*g;pO{D%
z0by!&Tpi~?D_*9Y{Y99`;u%i~<7J9|%7CE#RGy9%il*j9uH#6qR8ZZ3+-)Oz_wKW(
z^pYp_3KlClW0cl`;)I55^HEmIrxSK3i7Y3l?;+5qj8LrRLEa*uvXRuegx26kvwYL_
zb#;U>k~6;R==|9ihg&riu#P~s4Oap9O7f%crSr^rljeIfXDEg>wi)&v*a%7zpz<9w
z*r!3q9J|390x`Zk;g$&OeN&ctp)VKRpDSV@kU2Q>jtok($Y-*x8_$2piTxun81@vt
z!Vj?COa0fg2RPXMSIo26T=~0d`{oGP*eV+$!0I<(4azk&Vj3SiG=Q!6mX0p$z7I};
z9BJUFgT-K9MQQ-0@Z=^7R<{bn2Fm48endsSs`V7_@%8?Bxkqv>BDoVcj?K#dV#uUP
zL1ND~?D-|VGKe3Rw_7-Idpht>H6XRLh*U7epS6byiGvJpr%d}XwfusjH9g;Z98H`x
zyde%%5mhGOiL4wljCaWCk-&uE4_OOccb9c!ZaWt4B(wYl!?vyzl%7n~QepN&eFUrw
zFIOl9c({``6~QD+43*_tzP{f2x41h(?b43^y6=iwyB)2os5hBE!@YUS5?N_tXd=h(
z)WE286Fbd>R4M^P{!G)f;h<3<yF&*^O7$OuoRrI)h{eq;PvnVS@*1~LuT)USkQaNv
zOM$`oAtUE4j7%H>Q>Fipuy+d2q-)!RyTgt;wr$(?9ox3;q+{E*ZQHhOn;lM`cjnu9
zXa48ks-v(~b*;MAI<>YZH(^NV8vjb34be<!O&B^}ixjt}bVWn%lGLAylA+d{-I3Ov
zYGthSdKw$ke{f2yKKz!}A?+JRYrVrnNgphJxf8a2-SUbcd-<f$tEQ|wN=!zhIVy6o
z{e*aA58OB1vmh4GpWd_ASE)%_0rN^UY7rBTo&!Y1@Ctrd$H;scFhnl=M`1%EsufNC
z-OLaEwV5;h{|wOY5$Wp2@8oFu?G`jM&~vo;?-m}Z`0Z8WNBRVdp)MQ|2K`3!%98{%
zdNe?VYC=$}mLx4b>E<_cwKlJoR;k6lJNSP6v}uiyRD?|0w+X@o1ONrH8a$fCxXpf?
z?$DL0)7|X}Oc%h^zrMKWc-NS9I0Utu@>*j}b@tJ=ixQSJ={4@854wzW@E>VSL+Y{i
z#0b=WpbCZS>kUCO_iQz)LoE>P5LIG-hv9E+oG}DtlIDF>$tJ1aw9^LuhLEHt?BCj&
z(O4I8v1s#HUi5A>nIS-JK{v!7dJx<eVzUtPaTI7fl_Lc9Q7H|gBw|{WKmed^JnGV(
zu>)^Yg%XjNmlkWAq2*cv#tHgz`Y(bETc6CuO1VkN^L-L3j_x<4NqYb5rzrLC-7uOv
z!5e`GZt%B782C5-fGnn*GhDF$%(qP<74Z}3xx+{$4cYKy2ik<NlkqF%3WflOIsu<r
zJ1Ia^)U`#vAWMh>xI7B2N+2r07DN;|-T->nU&!=Cm#rZt%O_5c&1Z%nlWq3TKAW0w
zQqemZw_ue--2uKQsx+niCUou?HjD`xhEjjQd3%rrBi82crq*~#uA4+>vR<_S{~5ce
z-2<NdSzF&R56UcB$b`5iPf1tk$#inbE+bN7x7fQ!g0(-tUeP$5mD|<oEEQs$_4x-D
zh0c}WhYdr7ofXz6ohh@zpmk*n(FlBp!zEgxx$uEo2H<WsrEGtxER628jLj$t%l9)Q
zpgsl-$*Z~WylJ9&D{WG%{31lN8lbCEKy<E~v-RJ-A&Im)1f}cclb5D<{1Q#Vu%0dO
zWKBG_7m(=clSMuCN`u^GxdNe&YF`-TUb|;%bmJ`YPw4~vsx(y)NXfrJ;zl=TdJvdM
zgjB=Fy{n+66I+(Z4-Ri^DAN$}Va@@|i(LY(Ta%N-!9$yT@Di8@Q|ICHs-$>EIl?~s
z1=<moH2Vo(ywx9NJa$4J-?u#55cOFdV)B}0g(o*O*fidd5c?ici{Ux!YWxH)lJBu&
zebpoNCFHe!@Sp-PDw*l@?whO<W~J*cdfDfxv>GVL{NxP1N3%=AOaC}j_Fv=ur&THz
zyO!d9kHq|c73kpq`$+t+8Bw7MgeR5~`d7ChYyGCBWSteTB>8WAU(NPYt2Dk`@#+}=
zI4SvLlyk#pBgV<A2?oY=e+fBwTE4;jq%tyXWMQiSYYYO}#)dHPJlDLuJulo6SGjK1
z`gH3!=BMJnht1ob+aBAuUFTlcx2QPoAUzlvdTgFMd@}Q&V?T*GzNthb2P4Otx?F}b
zQU!B?T171=l1DVswq8U{dUopH<i_9aHNW4O!%Ue4mI5N4Rk3KVw;&F(OhCj^%kuG+
z8MtBDbnF(k2oZuHMNq<)Iaf2h9OF2sY%r9g4<_CbzLUIxWdSMTHg+tXTNiq(CW|G{
zGd*nwn$nSQ3yn2F)sHm_LxN&3a)|o1Bxxow1q4-amB&cP3_zydal7X0#bqu|rbi}z
za?8dV(p~@OkF-Z^V2VNz4r_~<b6L?KbFZxteo)3x8MUXZIB5k|m&5ONIJ2mEmpJ8+
zS^3scTkT>igEe`?NG*vl7V6m+<}%FwPV=~PvvA)=#ths==DRTDEYh4V5}Cf$z@#;<
zyWfLY_5sP$gc3LLl2x+Ii)#b2nhNXJ{R~vk`s5U7Nyu^3yFg&D%Txwj6QezMX`V(x
z=C`{76*mNb!qHHs)#GgGZ_7|vkt9izl_&PBrsu@}L`X{95-2jf99K)0=*N)VxBX2q
z((vkpP2RneSIiIUEnGb?VqbMb=Zia+rF~+iqslydE34cSLJ&BJW^3knX@M;t*b=EA
zNvGzv41Ld_T+WT#XjDB840vovUU^FtN_)G}7v)1lPetgpEK9YS^OWFkPoE{ovj^=@
zO9N$S=G$1ecndT_=5ehth2Lmd1II-PuT~C9`XVePw$y8J#dpZ?Tss<6wtVglm(Ok7
z3?^oi@pPio6l&!z8JY(pJvG=*pI?GIOu}e<i-gr8K;Jwm`jb9}cg?7%k?$ozkvP<q
z^_0<VPv%dHn>^EB6QYk$#FJQ%^AIK$I4epJ+9t?KjqA+bkj&PQ*|vLttme+`9G=L%
ziadyMw_7-M)hS(3E$QGNCu|o23|%O+VN7;Qggp?PB3K-iSeBa2b}V4_wY`G1Jsfz4
z9|SdB^;|I8E8gWqHKx!vj_@SMY^hLEIb<lAtPrMWpQ?Gx@0V+>SMCuE?WKq=c2mJK
z8LoG-pnY!uhqFv&L?yEuxo{dpMTsmCn)95xanqBrNPTgXP((H$9N${Ow~Is-FBg%h
z53;|Y5$MUN)9W2HBe2TD`ct^LHI<(xWrw}$qSoei?}s)&w$;&!14w6B6>Yr6Y8b)S
z0r71`WmAvJJ`1h&poLftLU<!Z5k{sKI&`B$86NJr<vepFmH?(W7PH*&i|mr?Ft$yK
zlQ2hYqAhr7MyE%yewrikAeSqlmaqf6`n)*-iF$8(XN#mJ2C<)bI6Vjy(bW4=>S6Ir
zC$bG9!Im_4Zjse)<TV^7Y-skQbZaPLqlJGP?6u?Ar53a`=TEMdV9Pz$A~Oa(Rc*59
zlP6c&tH(X*j_BPct#psJ_4ej*FB0-ZmxrgT1go#{dSJYBN5b(ilJd0C{DrQAlZa_y
z_`$lr_=xcxo6aRz`CVouz-G0iMAr=_WWB~^j&$tY`E*!!JHXJsUn?rao*@+eB&qDA
zW99F#`#iK!JA{ggeYTsjHg%UzJKlG}4g|0~H1^LtyCeCE^d_K<#AGK3JmN+YTaC5S
z91&>#K=oJM9mHW1{%l8sz$1o?ltdKlLTxWWPB>Vk22czVt|1%^wn<WkC7-mZ1~!CF
z*?s-mfPHuh>N@*!l)}?EgtvhC>vlHm^t+ogpgHI1_$1ox9e;>0!+b(tBrmXR<YSIe
z+ujWarO6U*;i)~AxpZt4t`{u9*(+s;XcKm*(c~N9u#mFIlYU2WORAXM_UYQcUg$Ee
zx5S=-_TAMk8a1Q-)f_5{=PkrVgJA;Ro116-3NLM9UpBJ!h?qkH2BSize2e<I)M16H
z`{Y|kfSkRI?YvZ4;f|#JKgvo95q7X$@!Rjljd&2-g(yOk)xl#i>B`PY1vp-R**8N7
zGP|QqI$m(Rdu#=(?!(N<WmSu~%G3p+kgCkb(yT{~ITG_cvZ}c9BIo-Bx{A8PA+JSS
zM`u{@ucuz=u?fnE^32?!>}G9QhQ%o!aXE=aN{&wtGP8|_qh+7a_j_sU5|J^)vxq;#
zjvzLn%_QPHZZIWu1&mRAj;Sa_97p_lLq_{~j!M9N^1yp3U_SxRqK&JnR%6VI#^E12
z>CdOVI^_9aPK2eZ4h&^{pQs}xsijXgFYRIxJ~N7&BB9jUR1fm!(xl)mvy|3e6-B3j
zJn#ajL;bFTYJ2+Q)tDjx=3IklO@Q+FFM}6UJr6km7hj7th9n_&JR7fnqC!hTZoM~T
zBeaVFp%)0cbPhejX<8pf5HyRUj2>aXnXBqDJe73~J%P(2C?-RT{c<cL>3NjE`)om!
zl$uewSgWkE66$Kb34+QZZvRn`fob~Cl9=cRk@Es}KQm=?E~CE%spXaMO6YmrMl%9Q
zl<Oi>A3Q$3|L1QJ4?->UjT&<QWaf5;5SDgEG|O+++eQ`L7IecmPP{~vvxpw+mh_w?
z)_nm*UV;|XpG)3akT+?)#!p)ksH$g>CBd!~ru<az8{#I2>{Ih^in&JXO=|<6J!&qp
zRe*OZ*cj5bHYlz!!~iEKcuE|;U4vN1rk$xq6>bUWD*u(V@8sG^7>kVuo(QL@Ki;yL
zWC!FT(q{E8#on>%1iAS0HMZDJg{Z{^!De(vSIq&;1$+b)oRMwA3nc3mdTSG#3uYO_
z>+x;7p4I;uHz?ZB>dA-BKl+t-3IB!jBRgdvAbW!aJ(Q{aT>+iz?91`C-xbe)IBoND
z9_Xth{6?(y3rddwY$GD65IT#f3<(0o#`di{sh2gm{dw*#-Vnc3r=4==&PU^hCv$qd
zjw;<UDv>>i&?L*Wq#TxG$mFIUf>eK+170KG;~+o&1;Tom9}}mKo23KwdEM6UonXgc
z!6N(@k8q@HPw{O8O!lAyi{rZv|DpgfU{py+j(X_cwpKqcalcqKIr0kM^%Br3SdeD>
zHSKV94Yxw;pjzDHo!Q?8^0bb%L|wC;4U^9I#pd5O&eexX<SpYMUi;NrGyaua!-+-%
z(b6a1gZ;D+I4*J4ZzM0c^5vOx!1kF+S*rg^EpYq4Q$8Zv`)iCLe*9oY_%}BDzxap$
zLASmGRxF(y%$&cS<d#PK1_s~QhLoPQp2`0OZ5YXZBV6=I+(qKW;)rW-X|QN4Rtu+O
zUSe{k6uD&;e7|DG*7jRd*&ewJO@NTU@h#Yzt1=3xB&wH^G8Ykks+&HQ<6Vd9>+Im{
z?jKnCcsE|H?{uGMqVie_C~w7GX)kYGWAg%-?8|N_1#W-|4F)3YTDC+QSq1s!DnO<W
zN9@pSmktp>ML3@d`mG%o2YbYd#jww|jD$gotpa)kntakp#K;+yo-_ZF9qrNZw<%#C
zuPE@#3RocLgPyiBZ+R_-FJ_$xP!RzWm|aN)S+{$LY9vvN+IW~Kf3TsEIvP+B9Mtm!
zpfNNxObWQpLoaO&cJh5>%sl<u+Ou}Gr38*?+PIrbJtKK2C4@@i^3b)w#L5cfzsc$p
zGS#mh6Pugtp<?+N{dA+4Q%bSY%c7pXA|R9VW%COsIn2Bo=M^XtO8d8nsr~aAmv2eX
zu1Bz3botI2)|TFV6HCJkzYB4<>ZnHl_Q~(-Tfh!DMz(dTWld@LG1VRF`9`DYKhyNv
z2pU|UZ$#_yUx_B_|MxUq^glT}O5Xt(Vm4Mr02><%C)@v;vPb@pT$*yzJ4aPc_FZ3z
z3}PLoMBIM>q_9U2rl^sGhk1VUJ89=*?7|v`{!Z{6bqFMq<nxEmclgCD+90@&@li(W
z@s`8&MDulaH_%E?T~GV|zVm+MR`OB^kjC~xrEgb}MlNn^7GQ&p?tO;j2-%IuU~fD(
z0>(mYiA?%KbsI~JwuqVA9$H5vDE+VocjX+G^%bieqx->s;XWlKcuv(s%y%D5Xbc9+
zc(_2nYS1&^yL*ey664&4`IoOeDIig}y-E~_GS?m;D!xv5-xwz+G`5l6V+}CpeJDi^
z%4ed$qowm88=iYG+(`ld5Uh&>Dgs4uPHSJ^TngXP_V6fPyl~>2bhi20QB%lSd#yYn
zO05?KT1z@?^-bqO8Cg`;ft>ilejsw<PFMVi?0Z@%ZV7rUN23RZ3KB-HQ4YJB9u)4=
za)vbs@fTDRfs8YOO9lTq9t(nMd5S}gTT;muT}2|Lp9^&=2z~`<$j8jb{Rm0Lj+(J;
zBs1-Ce%8FDmkdHi5cJ6Wi^?0Snek8_6eCPHqaWM%UBUa}9l;;Shpu<^ueJT0tU&6s
zM}#unAgS&xl(DwgfMw$=1QcnDcIW6g!~<;08&1lIeTOvuGw?sf1Lf^Kz4~1^b^i*7
zQv6%-{2%J%9~}I@Dko75!V~i_(Z_~qE@Eg*k5ZaIz;BO8D2h5gAVv@$PDearM7jpi
z&t7+EZUrTlNkkN39;K<FA&>@2%RR7;`$Vs;FmO(Yr3Fp`pHGr@P2hC%QcA|X&N2Dn
zYf`MqXdHi%cGR@%y7Rg7?d3?an){s$zA{!H;Ie5exE#c~@NhQUFG8V=SQh%UxUeiV
zd7#UcYqD=lk-}sEwlpu&H^T_V0{#G?<Ioj?HL)KBNR`OQ7)HFN^?vHg<3bOCMy{-_
zoJlS{0I_uDhHNKG64k_@&-j<$nist8llO}aD}1PO>lZMxL7ih_&{(g)MWBnCZxtXg
znr#}>U^6!jA%e}@Gj49LWG@*&<lmaA<6<$*MXpyYdp&6c<H(Q`F-~?W^X9RVJSh6?
zS8Z8DnkwU?#%B!h%)j^e-VAuVDAU!JK1md@BbHM`aL3Du8QeW#u5Ow!LJ{cJE;g7g
zfS6lhpcAG^4%Z7tD(JDejR@8=mF27gB&U9t&uA8@v6X<1)e#$W_^iPrw&Q6FYe!O;
z;mr4?<{+g_EB>t0V>Cxc3?oO7LSG%~)Y5}f7vqUUnQ;STjdDU}P9IF9d9<$;=QaXc
zL1^X7>fa^jHBu_}9}J~#-oz3Oq^JmGR#?GO7b9a(=R@fw@}Q{{@`Wy1vIQ#Bw?>@X
z-_RGG@wt|%u`XUc%W{J<m*s=4j2#hKvp}Xrwm)9{h;W6E2ZrwT0V)(gGD?GnU0RwM
z#HcK41SrivBddca)fHXF?z{gCQT_P@wx-H|POi8hsVAB%nToV4iMN+KZh1=!UMaa>
z>iSeiz8C3H7@St3mOr_mU+&bL#Uif;+Xw-aZdNYUpdf>Rvu0i0t6k*}vwU`XNO2he
z%miH|1tQ8~ZK!zmL&wa3E;l?!!XzgV#%PMVU!0xrDsNNZUWKlbi<KaWZPRa*yQzPD
z?-!`siNqS2^Ar7FQc!m$_+UxWcy|gEk+B~FLt>OjzH-1Uoxm8E#r`#2Sz;-o&qcqB
zC-O_R{QGuynW14@)7&@yw1U}uP(1cov)t<bZtw#(M)(XiJYfL8BvaF25ezUn8smY%
zIL-I&o$OIFs>wxeLus0s|7ayrtT8c#`&2~Fiu2=R;1_4bCaD=*E@cYI>7YSnt)nQc
zohw5CsK%m?8Ack)qNx`W0_v$5S}nO|(V|RZKBD+btO?JXe|~^Qqur%@eO~<8-L^9d
z=GA3-V14ng9L29~XJ>a5k~xT2152zLhM*@zlp2P5Eu}bywkcqR;ISbas&#T#;HZSf
z2m69qTV(V@EkY(<qXx5YNic%z2;It?O+T%icQRw=w~P}(cE?O$<=1P^LjThO*$J$+
z*<@biHe!q%g+LQ{F#~S5QTZUfOZ3GP3D<=D3j0f!9E7HkjxKc_g)z1!o;_rP|9bAk
z`BjEQCx<KIvi^GM1jRkNM0nRs6P0hPcy|5t18}ZQi<ZQS>1Dk3`}j)JMo%ZVJ*5eB
zYOjIisi+igK0#yW*gBGj?@I{~mUOvRFQR^pJbEbzFxTubnrw(Muk%}jI+vXmJ;{Q6
zrSobKD>T%}jV4Ub?L1+MGOD~0Ir%-`iTnWZN^~YPrcP5y3VMAzQ+&en^VzKEb$K!Q
z<7Dbg&DNXuow*eD5yMr+#08nF!;%4vGrJI++5HdCFcGLfMW!KS*Oi@=7hFwDG!h2<
zPunUEAF+HncQkbfFj&pbzp|MU*~60Z(|Ik%Tn{BXMN!hZOosNIseT?R;A`W?=d?5X
zK(FB=9mZusYahp|K-wyb={rOpdn=@;4YI2W0E<s2&%i8x7RnmR_dIeK2wKPtVA?`W
z&(y5N6Uhf;St!k{QtA^2hklC0F0jNQ1^WG!Djrw#gypMTn;8cIm2IT14W4+8Zfd?P
z(RlNsG)S|I($<XQ_wo(zU~QxgZ&c8}J!LwJ+gC5c>cbMKyo~-#^?h`BA9~o285%oY
zfifCh5Lk$SY@|2A@a!T2V+{^!psQkx4?x0HSV`(w9{l75QxMk!)U52Lbhn{8ol?S)
zCKo*7<MT2Z&#yn*rVnwZQkr>R(z!uk<6*qO=wh!Pul{(qq6g6xW;X68GI_CXp`XwO
zxuSgPRAtM8K7}5E#-GM!*ydOOG_{A{)hkCII<|2=ma*71ci_-}VPARm3crFQjLYV!
z9zbz82$|l01mv`$WahE2$<xD1<`ujC!7ijORpLN)M&U@lEiyOfPgz+#&<j+G)Ve@{
z49uhDM!il+f+1Ohddi`=p(=u!h7sLm7yGqK4%#ZKd%YvUI(=BCzpn|IbHf!`E?jjq
zNkN-}Pa3AG2My;G@zYOnXl4g(LduE~%FKPJPA6{M4Z@(IC6iu#g0fgCkY2yVR!o7w
zSAe0_FH9n8VszXsaA+KDe(<8VA=dXe;@Mvzyql~A=eKPoX4qg$E{b4p|B|j96u7YW
zNCPo=y&#Ttz?U7fK~W6j?Kuo=wXeV4?w*;OO9xZst|SP^Q4kbKqBIl8hkGC7OOt_I
zzHTK9Aly><gDl|FkR~>=fAGWkd^X2kY(J7<hlY%A5J0#uldARym;T+|d;|>iz}WGS
z@%MyBEO=A?HB9=^?nX`@nh;7;la<vP=GJ_DWqB#{#!`KAdu6%FTU8VbENgD#KJ^CI
z);B^q)Y@yF(YlyL5A}rZXOX1<`Dd>Ajs+fbo!|K^mE!tOB>$2a_O0y-*uaIn8k^6Y
zSbuv;5~##*4Y~+y7Z5O*3w<R;J{o5i>4qgI5V^17u*ZeupVGH^nM&$qmAk|anf*>r
zWc5CV;-JY-Z@Uq1Irpb^O`L_7AGiqd*YpGUShb==os$uN3yYvb`wm6d=?T*it&pDk
zo`vhw)RZX|91^^Wa_ti2zBFyWy4cJu#g)_S6~jT}CC{DJ_kKpT`$oAL%b^!2M;JgT
zM3ZNbUB?}kP(*YYvXDIH8^7LUxz5oE%kMhF!rnPqv!GiY0o}NR$OD=ITDo9r<LYGN
z?2+*it!7d=84FF3EQ!5V&5166oc{Z1O8<?lF+=(kiua&7_M#TrD_|it=_mE6Cz1eX
zwfacTRHwa2jO`w@vfr7ByY*=K7se2@f$`RJFOlykOa!$prgR<-&f{zzV_tCE6E=v(
zZk!PdC3n<fkSRL#m(DteyDn?OK=a6ita@qk4DQ*rtk@>%4E>E0Y^R(rS^~XjWyVI6
zMOR5rPXhTp*G*M&X#NTL`Hu*R+u*QNoiOKg4CtNPrjgH>c?H<b@rgzW2`xq%+zxdV
zGQjVif3BBaXojc?{FLuym0L2fO1Nh(c42RW12b^>i4MUG#I917fx**+<zC5r06AVA
zs!KCNuuLq&Z|e$b{bN7-`NGtKU0>pJfOo!z<a0Lrf~l|OU$j3PPNH#8yRT5C5cWK;
z4Ck57(G?59g@;(s9m49`EtaF2lDH|dGl0xCg>FM&*da&G_x)L(`k&TPI*t3e^{crd
zX<4I$5nBQ8Ax_lmNRa~E*zS-R0sxkz`|>7q_?*e%7bxqNm3_eRG#1ae3gtV9!fQpY
z+!^a38o4ZGy9!J5sylDxZTx$JmG!wg7;>&5H1)>f4dXj;B+@6tMlL=)cLl={jLMxY
zbbf1ax3S4>bwB9-$;SN2?+GULu;UA-35;VY*^9Blx)Jwyb$=U!D>HhB&=jSsd^6yw
zL)?a|>GxU!W}ocTC(?-%z3!IUhw^uzc`Vz_g>-tv)(XA#JK^)ZnC|l1`@CdX1@|!|
z_9gQ)7uOf?cR@KDp97*>6X|;t@Y`k_N@)aH7gY27)COv^P3ya9I{4z~vUjLR9~z1Z
z5=G{mVtKH*&$*t0@}-i_v|3B$AHHYale7>E+jP`ClqG%L{u;*ff_h@)al?RuL7tOO
z->;I}>%WI{;vbLP3VIQ^iA$4wl6@0sDj|~112Y4OFjMs`13!$JGkp%b&E8QzJw_L5
zOnw9joc0^;O%OpF$Qp)W1HI!$4BaXX84`%@#^dk^hFp^pQ@rx4g(8Xjy#!X%<A@Ix
z5U>+X5Jd@fs3amGT`}mhq#L97R>OwT5-m|h#yT_-v@(k$q7P*9X~T*3)LTdzP!*B}
z+SldbVWrrwQo9wX*%FyK+sRXTa@O?WM^FGWOE?S`R(0P{<6p#f?0NJvnBia?k^fX2
zNQs7K-?EijgHJY}&zsr;qJ<*PCZUd*x|dD=IQPUK_nn)@X4KWtqoJNHkT?ZWL_hF?
zS8lp2(q>;RXR|F;1O}EE#}gCrY~#n^O`_I&?&z5~7N;zL0)3Tup`%)oHMK-^r$NT%
zbFg|o?b9w(q@)6w5V%si<$!U<#}s#x@0<ZXLbXYKvlKR0q_0uaLFS0K_yZx{oRI6O
zi*Yz=QW(i&SHEhi(35LX5YAi{vy`;KnIJ$O_Y#C4gG~=hcxXw*NH*okugRb;j#&_y
z)}Rg9+nz^&!aY|=fJZ?L&1;1?%7EYHgT5ryT&e6MH~EPzrS<7r*22}w^{P@eQei1e
zd>aX-hP>zwS#9*75VXA4K*%gUc>+yzupTDBOKH8WR4V0pM(HrfbQ&eJ79>HdCvE=F
z|J>s;;iDLB^3(9}?biKbxf1$lI!*Z%*0&8UUq}wMyPs_hclyQQi4;NUY+x2qy|0J;
zhn8;5)4ED1oHwg+VZF|80<4MrL97tGGXc5Sw$wAI#|2*cvQ=jB5+{AjMiDHmhUC*a
zlmiZ`LAuAn_}hftXh;`Kq0zblDk8?O-`tnilIh|;3lZp@F_osJUV9`*R29M?7H{Fy
z`nfVEIDIWXmU&YW;NjU8)EJpXhxe5t+scf|VXM!^bBlwNh)~7|3?fWwo_~ZFk(22%
zTMesYw+LNx3J-_|DM~`v<!_@4wF#cHZ_E9}9+lbenMh?8-P99`3uA4wl$95cN^e{4
z^f$@0?%=HSAz>93yXe=jPD{q;li<xOVXMn1yKMTqv6XhqrnsCUXSTSsjJ{x^XFo@J
z{WA$2#dyTq?%~VAg|L)nty{-VrW88Lu82|x7td?b;LG2_DA_BpkSSx!@P8<G?h<XX
zNw7xGt`p+BMOcS|$jn%|wK)WAaS99%p8&_kFrLJVp7_Jg4yOpvWS`>;5PD?Dyk+b?
zo21|XpT@)$BM$%F=P9J19Vi&1#{jM3!^Y&fr&_`toi`XB1!n>sbL%U9I5<7!@?t)~
z;&H%z>bAaQ4f$wIzkjH70;<8tp<T&Yl>UoxzKrPhn#IQfS%9l5=Iu))^XC<58D!-O
z{B+o5R^Z21H0T9JQ5gNJnqh#qH^na|z92=hONIM~@_i<m8HDcej!764)8GxDF)RMg
z!DFoaWC9)+nME7X6Bjpkb{QXd4;jG|u8$8kw{X8T%Z{fASla5Kj43Dc#xwsm?e^ow
zcpj5R3LQeCN@Z#}!7^cGYJ3aEd-Gp-Jj@_K{U*}A((dH-)nN*GjCV>uOi|F>jBh<M
zWxy1uqU)B}MVkHZ;j2o<4&9z0o{ro;0~$*^2bQ$8Q;vmWoz6BD$xqze?6Q)tzTZs7
zG{RspTbUAmB!P|sU1Q@1do~tC7@>-?aA20}Qx~EpDGElELNn~|7WRXRFnw+Wdo`|#
zBpU=Cz3z%cUJ0mx_1($X<40XEIYz(`noWeO+x#yb_pwj6)R(__%@_Cf>txOQ74wSJ
z0#F3(zWWaR-jMEY$7C*3HJrohc79>MCUu26mfYN)f4M~4gD`}EX4e}A!U}QV8!S47
z6y-U-%+h`1n`*pQuKE%Av0@)+wBZr9mH}@vH@i{v(m-6QK7Ncf17x_D=)32`FOjjo
zg|^VPf5c6-!FxN{25dvVh#f<C2j|FW^wcEVOx|0?I*o1i)tbC%E;daCUUqnT*va?<
z#^@&RTCo<xj8b($3`PD<adop6xc~jgfA19=fzjFXxO)$!??RO(s_s88E>og=NNpXz
zfB$o+0jbRkHH{!TKhE709f+jI^$3#v1Nmf80w`@7-5$1Iv_`)W^px8P-({xwb;D0y
z7LKDAHgX<84?l!I*Dvi2#D@oAE^J|g$3!)x1Ua;_;<@#l1fD}lqU2_tS^6Ht$1Wl}
zBESo7o^)9-Tjuz$8YQSGhfs{BQV6zW7dA?0b(Dbt=UnQs&4zHfe_sj{RJ4uS-vQpC
zX;Bbsuju4%!o8?&m4UZU@~Z<l{fpuI7gBNBuLonV&UnEv8Mm+}6y;;iZ7)_U-2H6P
zik(*@ZnhVtEFTNE*=&MLnOTGYcGC{O?!<?O$^7><Ix|i$iDSBHQSY+=yJ@Z(hm=j8
zLng0c8d`c!aP=6?o|-71!|y*rlW^s|L>ZjeFF6ex2ss5_60_JS_|iNc+R0GIjH1@Z
z=rLT9%B|WWgOrR7IiIwr2=T;Ne?30M!@{%Qf8o`!>=s<2CBpCK_TWc(DX51>e^xh8
z&@$^b6CgOd7KXQV&Y4%}_#uN*mbanXq(2=Nj`L7H7*k(6F8s6{FOw@(DzU`4-*77{
zF+dxpv}%mFpYK?>N_2*#Y?oB*qEKB}VoQ@bzm>ptmVS_EC(#}Lxxx730trt0G)#$b
zE=wVvtqOct1%*9}U{q<)2?{+0TzZzP0jgf9*)arV)*e!f`|jgT{7_9iS@e)recI#z
zbzolURQ+TOzE!ymqvBY7+5NnAbWxvMLsLTwEbFqW=CPyCsmJ}P1^V30|D5E|p3BC5
z)3|qgw@ra7aXb-wsa|l^in~1_<?%wr8cBwUUhaLFkF#>fm{7bS9jhVRkYVO#U{qMp
z)Wce+|DJ}4<2gp8r0_xfZpMo#{Hl2MfjLcZdRB9(B(A(f;+4s*FxV{1F|4d`*sRNd
zp4#@sEY|?^FIJ;tmH{@keZ$P(sLh5IdOk@k^0uB^<vY$Teo5@@0*v8p)6|Qc!#V-V
z19rz;O<~HzAD{>BWr@pk6mHy$qf&~rI>P*a;h0C{%oA*i!VjWn&D~O#MxN&f@1Po#
zKN+<Mx&_V;mQ6by$gOOv@*=130y8ws;u!(S9My%BQ_xyRTms3Q+kzSy&vNnQacNo>
zrGrkSjcr?^R#nGl<#Q722^wbYcgW@{+6CBS<1@%dPA8HC!~a`jTz<`g_l5N1M<n^b
zu`mSxZ+unU+QCuJ((?b36-TN-d1@FTfBA^ddw8UCuT`zjb=Fz?S6Qufs*9jSR|1nK
zFf2vJS;<?+uRmFfTer5Vv1$_#5QG8wt@)CbC^|w;&`=|x<yh14$tmJUYy0g0%PA`M
zOgeNCX{{Nxe0ra@9=~<n^L&fj)_rb#gMU)NmxDTM+6}H9CM!Fi?NW<y$)i_5yC^Lw
z2UV(8qc395hk@%W59BzlhhVt(<xJvm!~c3l+ocXQq>@9wn9GOAZ>nqNgq!yOCb<ux
z3a7GGof9{?JXCwFGGvl~3dP~BNs%SovKoTvXW8FuXj`m7Bnn?jUZ$?pzzIRqprlp7
z2WeoTGz*SooG8Jko3Cp>Z@1z`U_N`Z>}+1HIZxk*5RDc&rd5{3qjRh8QmT$VyS;jK
z;AF+r6XnnCp=wQYoG|rT2@8&IvKq*IB_WvS%nt%e{MCFm`&W*#LX<V7)65J}gDBN(
zk<mMjk3Ksz1;V7!3@X8he*FSaSG=@7E0@=@yHKsO4iF;tj3{tU-4xewSJc&$#1UMZ
zuOWXXn?>c|HrD?nVBo=(8*=Aq?u$sDA_sC_RPDUiQ+wnIJET8vx$&fxkW~kP9qXKt
zozR)@xGC!P)CTkjeWvXW5&@2?)qt)jiYWWBU?AUtzAN}{JE1I)dfz~7$;}~BmQF`k
zpn11qmObXwRB8&rnEG*#4Xax3XBkKlw(;tb?Np^i+H8m(Wyz9k{~ogba@laiEk;2!
zV*QV^6g6(QG%vX5Um#^sT&_e`B1pBW5yVth<mfskR&uj=IULHb38<tse=w*}Q<7Qz
z3<|`SLDlf5BpLb9#iQyjF6U}7JJ`^RZ>~xUs#0}nv?~C#l?W+9Lsb_5)!71rirGvY
zTIJ$OPOY516Y|_014sNv+Z8cc5t_V=i>lWV=vN<QPmtSpXv;kT!7hs-HH@i&RiI&9
z!dO2CvGs>u#!58y9Zl&G<qC8KlC>sMEW#pPYPYGHQ|;vFvd*9eM==$_=vc7xnyz0~
zY}r??$<`wAO?JQk@?RGvkWVJlq2dk9vB(yV^vm{=NVI8dhsX<)O(#nr9YD?I?(VmQ
z^r7VfUBn<~p3()8yOBjm$#KWx!5hRW)5Jl7wY@ky9lNM^jaT##8QGVsYeaVy<knK7
z-|ItZG@v_5HqwNL*X;&)fE*o2En9}_QSQ~Sxpo=`)<(LLcGS!($DADohdab0N6KTw
zF9i4%@WsNPJ2f@Kf&OK)$mJTfFx16uGFyQhd(9)Ota05_m2b4&e^Iw3r!jC#Hp$0t
zt!S{)s#CdvfKjo>wmpv>X|Xj7gWE1Ezai&wVLt3p)k4w~yrskT-!PR!kiyQlaxl((
zXhF%Q9x}1TMt3~u@|#wWm-Vq?ZerK={8@~&@9r5JW}r#45#rWii};t`{5#&3$W)|@
zbAf<Wd~LF&Fa+z%sLq|a7`8BxH;x+F8(HU&VXoK6B>2yDNe0q}NEUvq_Quq3cTjcw
z@H_;$hu&xllCI9CFDLuScEMg|x{S7GdV8<&Mq=ezDnRZAyX-8gv97YTm0bg=d)(>N
z+B2F<g3)ia(W`M0HCo-hfSmEqFQ$W5j$wJ;?r7W^?`K&S(*5L=PU?;K=%mT~AoyLc
zmB9dB0BfY<$42H7qp*b&gqwjPG@?GHqEWMaXbG2l^~e?yEl$rb2e+7tNeQjQi!%mG
z!n&myqi%P$bT;(Jy7TA*2tP}NXfszN-aSbAw)CRWi!Y&moQuMP!ZIYY+|-Hi;nfsw
zSAibHD0K*Rx488O94=w;IYZ)nc%KdXcP-D4kAzBYZwl}PDc(ZIiFm=)7;@JjuDF@@
zh({Ks)K#T@$U#?|cc5wW7j|#<s#)XeeNmP*9S3P%QoJ+84!)t-Q3y&LB4VHT${%s|
zTG3XIg~2`B_RVw|0J-Nqqo+Pe*FeW61Sh*R7{v~e$s_}74Z{>cqvI9>jGtnK%eO%y
zoBPkJTk%y`8TLf4)IXPBn`U|9>O~WL2C~C$z~9|0m*YH<-vg2CD^SX#&)B4ngOSG$
zV^wmy_iQk>dfN@Pv(ckfy&#ak@MLC7&Q6Ro#!ezM*VEh`+b3Jt%m(^T&p&WJ2Oqvj
zs-4nq0TW6cv~(YI$n0UkfwN}kg3_fp?(ijSV#tR9L0}l2qjc7W?i*q01=St0eZ=4h
zyGQbEw`9OEH>NMuIe)hVwYHsGERWOD;JxEiO7cQv%pFCeR+IyhwQ|y@&^24k+|8fD
zLiOWFNJ2&vu2&`Jv96_z-Cd5RLgmeY3*4rDOQo?Jm`;I_(+ejsPM03!ly!*Cu}Cco
zrQSrEDHNyzT(D5s1rZq!8#?f6@v6dB7a-aWs(Qk>N?UGAo{gyt<fmzm5NzZ|fs&#}
zncD~rYY0$e-KIJ+=Op({4j(9PIkXkc_SkA;(m*CznUsh<u&YaQ2?WX;ffj?q#rkaD
zhgb+R9A8jgPt^w}K)OK@H5E_#!Z=VQBe3%qPvYY%REdJYYg39A`{$NP_M^}lrMFR7
z+z-hJlg#zeS)0^WAq|DzTPsJlg*U_m2#Hg-0Wmz@?iH!<yiUNaD#c-kYUp!%4RSKq
z{aEO|^oK+y2EtPt%bwO#VBE9DxJ9N@ufrh+8SIe+8$#E{7>lh$%_IhyL7h?DLXDGx
zgxGE<S);`7Ye2u;8Dq575#~501>BQoCAWo-$LRvM=F5MTle`M})t3vVv;2j0HZY&G
z22^iGhV@uaJh(X<Ji#4pfqzo+6CV|xa;=Mz*tzH^bNhkjCY|vEWb}4_nF}mp3zj6F
z<RK*`vdncONn`be@hcYCs`Fx)%bT8wV$T8!b%e<R8G~jKI85M<1J$4NY<nL0CutfG
z<0HvW$c5I*1#_hw)1(15*aH)~KVw0;{Zp_ZQI?8k=6OO?W$jqY0waZgj%rb>yyY%}
zd4iH_UfdV#T=3n}(Lj^|n;O4|$;xhu*8T3hR1mc_A}fK}jfZ7LX~*n5+`8N2q#rI$
z@<<NwLoApZ<e3!J$+qrZqXhfixi{}uCew+VjVR``fj1Lf`2I-jD>_2VANlYF$vIH$
zl<)+*tIWW78IIINA7Rr7i{<Y3K#4WL2gwP{V}$lxr|)k#^h4W{mX@Le*u!g#hfAGO
zCeSa;u(-xw0ZspUEBo+8Ru(%}-m6Ro%1{7aEL$_dA#RWFH+pZ@3`vn|LIY-BbZ`xA
z;0Hf*V6m6EEIJ?MTj|I!l!v*XnqWfITy`ve|BDjjbn-XMEaj|oNyd!_<K^Ti36kh1
z(%3QLBv(><;#^yzxoLNkXL)eSs=%<Gis)1JtKs|A*=kDqutu=D>|P>$YQIh+ea_3k
z_s7r4%j7%&*NHSl?R4k%1>Z=M9o#zxY!n8sL5>BO-ZP;T3Gut>iLS@U%IBrX6BA3k
z)&@q}V8a{X<5B}K5s(c(LQ=%v1ocr`t$EqqY0EqVjr65usa=0bkf|O#ky{<C<t3zu
z`hM@H`e*c^To>j3)WBR<Rk0XEu3I97LQj|W=oPZA>(((L^wmyHRzoWuL2~WTC=`yZ
zn%VX`L=|Ok0v7?s<AoD@n8D7kz^e<8kpe+<X#n2|WDSoR5^oCGt<jgs)X#u5@PWV+
z<b`lm>>IHg?yA<ed=nI4vx^O}jp~R0s4CS5p`R9jtX~z7xF-Z5gJMA(5vqNQrH2}B
zLEIs&NxKWPrwn0(*pI+NhLe0_cU!>rBcync5rG#^+u)>a%qjES%dRZoIyA8gQ;StH
z1Ao7{<&}6U=5}4v<)1T7t!J_CL%U}CKNs<r5fMyAUKFZK{y9U{q!s_ZSKXqW%qBRr
z?bu0a7Zic(_|KEJWkFJk=&bobT<sZBi;dXUmO?)}m$)B<s0Nr7^=$mY+Dr7ke?^*x
z4Vt?Ovyz0Mk+fmZjXJTAv@hijH2y5Cf|5J3ryKO57~3?_EAxOUYF##HdjopeNH4%@
zuGqW!`j7vRX*U7T5B1|m8}h%c4gNobJO8sb_&>-0xWoTTeqj{5{?Be$L0_tk>M9o8
zo371}S#30rKZFM{`H_(L`EM9DGp+Mifk&IP|C2Zu_)Ghr4Qtpmkm1osCf@%Z$%t+7
zYH$Cr)Ro@3-QDeQJ8m+x6%;?YYT;k6Z0E-?kr>x33`H%*ueBD7Zx~3&HtWn0?2Wt}
zTG}*|v?{$ajzt}xPzV%lL1t-URi8*Zn)YljXNGDb>;!905Td|mpa@mHjIH%VIiGx-
zd@MqhpYFu<g)7l4&_bNaog=DANE?ZcfM)*NEMkm~{>4_?y5N4xiHn3vX&|e6r~Xt>
zZG`aGq|yTNjv;9E+Txuoa@A(9V7g?1_T5FzRI;!=NP1Kqou1z5?%X~Wwb{trRfd>i
z8&y^H)8YnKyA_Fyx>}RNmQIczT?w2J4SNvI{5J&}Wto|8FR(W;Qw#b1G<1%#tmYzQ
zQ2mZA-PAdi%RQOhkHy9Ea#TPSw?WxwL@H@cbkZwIq0B!@ns}niALidmn&W?!Vd4Gj
zO7FiuV4*6Mr^2xlFSvM;Cp_#r8UaqIzHJQg_z^rEJw&OMm_8NGAY2)rKvki|o1bH~
z$2IbfVeY2L(^*rMRU1lM5Y_sgrDS`Z??nR2lX;zyR=c%UyGb*%TC-Dil?Si<D{nTD
zMw8K;)%(lo#`W8jOV@qoJ#X}Mwbyz4a;PcPaSBZqr;F)uJhh<vQG%Y4Mw<phKlLRw
zIw!C3k>hkjrQy~TMv6;BMs7P8il`H7DmpVm@rJ;b)hW)BL)GjS154b*xq-NXq2cwE
z^;VP7ua2pxvCmxrnqUYQMH%a%nHmwmI33nJM(>4LznvY*k&C0{<x1=XMzKZ~Bs`;;
zzjN;>8f*%?zggpDgkuz&JBx{9mfb@wegEl2v!=}Sq2Gaty0<)UrOT0{MZtZ~j5y&w
zXlYa_jY)I_+VA-^#mEox#+G>UgvM!Ac8zI<%JRXM_73Q!#i3O|)lOP*qBeJG#BST0
zqohi)<I-A(NiPhXic7WGcd${Bs6q40O%lhVI#-EDK6jPHL9qSG))QSk?b4HNO46Kt
zq~AhM!n=+cMgd8rvaDcAUqe9_Py+)1zbv_Wy{}+a|F1es@~Qc9kW@MgedI!i{HhtJ
z!kAvsCV6n8=$My(7M_90IyH+8**uSL-iyt^&8vOeIRo?HTA5+#Xr^9U=2eV`Xlmc$
zFjy%l4c$~))iDJkH$oB2LfNc)TX?BjEeaRo@~X+PeGiiD85sGHqRqi@$1TzmJ+rd3
zVg^Gn@P5KfN#t5@T7Lvq5F&=Y)v)n4Cjfha{J2+Jic#JjOH^ggzd<;^a<68vsD0fr
zC*U$7*i1uw{BlNp8mMWqc46bk3VHJ?|MSSFbx~ox6ZBjsfPa3I5EWvc##{^VJo^EN
z<}Cr>O!|$|2SeJQo(w6w7%*92S})XfnhrH_Z8qe!G5>CglP=nI7JAOW?(Z29;pXJ9
zR9`KzQ=WEhy*)WH>$;7Cdz|>*i>=##0bB)oU0OR>>N<21e4rMCHDemNi2LD>Nc$;&
zQRFthpWniC1J6@Zh~iJCoLOxN`oCKD5Q4r%ynwgUKPlIEd#?QViIqovY|czyK8>6B
zSP%{2-<;%;1`#0mG^B(8KbtXF;Nf>K#Di72UWE4gQ%(_26Koiad)q$xRL~?pN71ZZ
zujaaCx~jXjygw;<Ay^b{e7rQ>rI!WB=xrOJO6HJ!!w}7eiivtCg5K|F6$EXa)=xUC
za^JXSX98W`7g-tm@uo|BKj39Dl;sg5ta;4qjo^pCh~{-HdLl6qI9Ix6f$+qiZ$}s=
zNguKrU;u+T@ko(Vr1>)Q%h$?UKXCY<ELeH%x_-+;N!NPjI@5|c>>3se%&;h2osl2D
zE4A9bd7_|^njDd)6cI*FupHpE3){4NQ*$k*cOWZ_?CZ>Z4_fl@n(mMnYK62Q1d@+I
zr&<rzyB}9!OG>O))G4hMih<XQCmlZu^@8%Z@1T|FyI_m%FM=cL3%T#%II(MZ`FKla
zpXXu4TSaVkB7;tYPyY<uMC(fA=<j-47<k>gBqRIAJkLdk(p(D~X{-oBUA+If@B}j&
zsHbeJ3RzTq96lB7d($h$xTeZ^gP0c{t!Y0c)aQE;$FY2!mACg!GDEMKXFOPI^)nHZ
z`aSPJpvV0|bbrzhWWkuPURlDeN%<qMpCcxwvwqRMaqc9@{O;iK_N2snE#x<P5c1;#
zmjI^QLBwgKbA!596SF19-xAg`j~Dtp%yL%PsIy-Iy#n3_juW-DvzXBY7{iAZ@^xZK
z@xr2R*rSktAvjWK{FY-U0t8|bspU3(%@64Udl&2uFK6|JrwGTmi+3cF9F%O9@lnIC
zs=6lONtdy$oHQyWIz$zmM@0(12^Y0f!FDBU-xO1sA%B@8>VT8tndV8?d)eN*i4I@u
zVKl^6{?}A?P)Fsy?3oi#clf}L18t;TjNI2>eI&(ezDK7RyqFxcv%>?oxUlonv(px)
z$vnPzRH`y5A(x!yOIfL0bmgeMQB$H5wenx~!ujQK*nUBW;@Em&6Xv2%s(~H5WcU2R
z;%Nw<$tI)a`Ve!>x+qegJnQsN2N7HaKzrFqM>`6R*gvh%O*-%THt<rb___hz1Q*?5
z6WlWA+_DZ_V%@(Z;W6IiWcwb%0tQS@7FVT8L%H@;-K!LOiZIstqiCW*I~5y<2j59v
z*;R0rbBXIxu3n@3a3wxbyp;2oPnr)69p#+<DwNc<oL?vCKSPPJA(K9!1O*f4{YL62
zn|Sj8G%K~6J)K=!JP_YX8V=PjLK~TW_=@Nh@Cw-!NlZLY;2_j0TFoobFt-2R;qd|Z
z5LA6AxE3z?^1m|nTtbf_LVu#lgMMaoQSi!)(ir+k@yiKNqZa8D=pY1qBEL59w8xB>
zrB$Nk;lE;z{s{r^PPm5qz(&lM{sO*g+W{sK+m3M_z=4=&CC>T`{X}1Vg2PEfSj2x_
zmT*(x;ov%3F?qoEeeM>dUn$a*?SIGyO8m<CDx(PoF9Z7P(-Vz@5G~R_9zlbonzZYL
z!@f`rWC1aNE3{SDF~{lPR$(P=;{QgE*BcIk`ok>806J1W1o+4HRhc2`9$s6hM#qAm
zChQ87b~GEw{ADfs+5}FJ8+|bIlIv(jT$Ap#hSHoXdd9#w<#cA<1Rkq^*EEkknUd4&
zoIWIY)sAswy6fSERVm&!SO~#iN$OgOX*{9@_BWFyJTvC%S++ilSfCrO(?u=Dc?CXZ
zzCG&0yVR{Z`|ZF0eEApWE<q~aV-3QaRPuwFB`iCbViORA{tX~ST{rFw+In$j?7gLL
zT8ETr1QUOZxkIpI@5JqQk|b^xG*nZ910-;>o#s9osV>F{uK{QA@BES#&;#KsScf>y
zvs?vIbI>VrT<*!;XmQS=bhq%46-aambZ(8KU-wOO2=en~D}MCToB_u;Yz{)1ySrPZ
z@=$}EvjTdzTWU7c0ZI6L8=yP+YRD_eMMos}b5vY^S*~VZysrkq<`cK3>>v%uy7jgq
z0ilW9KjVDHLv0b<1K_`1IkbTOINs0=m-22c%M~l=^S}%hbli-3?BnNq?b`hx^HX2J
zIe6ECljRL0uBWb`%{EA=%!<byF4eC4KX4aZdAqSwE!&>i^4sMcj+U_TaTZRb+~GOk
z^ZW!nky0n*Wb*r+Q|9H@ml@Z5gU&W`(z4-j!OzC1wOke`TRAYGZVl$PmQ16{3196(
zO*?`--I}Qf(2HIwb2&1FB^!faPA2=sLg(@6P4mN)>Dc3i(B0;@O-y2;lM4akD>@^v
z=u>*|!s&9zem70g7zfw9FXl1bpJW(C#5w#uy5!V?Q(U35A~$dR%LDVnq@}kQm13{}
zd53q3N(s$Eu{R}k2esbftfjfOITCL;jWa$}(mmm}d(&7JZ6d3%IABCapFFYjdEjdK
z&4Edqf$G^MNAtL=uCDRs&Fu@FXRgX{*0<(@c3|PNHa>L%zvxWS={L8%qw`STm+=Rd
zA}FLspESSIpE_^41~#5yI2bJ=9`oc;GIL!JuW&7YetZ?0H}$$%8rW@*J37L<XFjIr
zWJ?$CMV^YggN$kCs0w8InCxL-qk`fNzT7&VA*&~~T=_(uA$CzC9vrKbN28^=3?MLv
zFoK23^axE9-(UuJp6l-WH~flb#LWz<-GZXz4PS*&{c?IaOs6}Rx>-~Rsx!)8($nI4
zZhcZ2^=Y+p4YPl%j!nFJA|*M^gc(0o$i3nlphe+~-_m}jVkRN{spFs(o0ajW@f3K{
zDV!#BwL322CET$}Y}^0ixYj2w>&Xh12|R8&yEw|wLDvF!lZ#dOTHM9pK6<Y!obdB7
zJ?!B#A1=BS7Ka=6k6_mfjXh1lGwLZR4PT*9n^^MB#jyfEy~L|)^EN8(11T8rrN7f?
z?@)HsizJFWKFr(u1x(=}jA~A*@;u9iCG}YS49mN9degGJEr@RQbFX&wZoBr{H3Nr7
z?H=$Zj>@Nm-@9Lnng4ZHBgBSrr7KI8YCC9DX5Kg|`HsiwJHg2(7#nS;A{b3tVO?Z%
za{m5b3rFV6EpX;=;n#wltDv1LE*|g5pQ+OY&*6qCJZc5oDS6Z6JD#6F)bWxZSF@q%
z+1WV;m!lRB!n^PC>RgQCI#D1br_o^#iPk>;K2hB~0^<~)?p}LG%kigm@moD#q3PE+
zA^Qca)(xnqw6x>XFhV6ku9r$E>bWNrVH9fum0?4s?Rn2LG{Vm_+QJHse6xa%nzQ?k
zKug4PW~#Gtb;#5+9!QBgyB@q=s<UxAOfSGI17`#WQPoP8A+0%MXyAyK3J=T4^Kbj7
zlt}Oe#L`UOUU8o&zkUW`eBtn39$xzlz~(3x_>k9=$S{4T>wjFICStOM?__fr+Kei1
z3j~xPqW;W@YkiUM;HngG!;>@AITg}vAE`M2Pj9Irl4w1fo4w<|Bu!%rh%a(Ai^Zhi
zs92>v5;@Y(Zi#RI*ua*h`d_7;byQSa*v9E{2x$<hp}Q26jsc}%C<*BjhE^Jt66tP1
zKtKU0Q9$V-l~zCy7`juGR=*kVy&nUYi+t;Q*P6xR{P8}s&pC7U+3()_`4tk8P7SO*
zts+C&EBA;W!X3G&`&E+LxzU~6Q<emFH@kgR*8?20u2XLWT3aI!YMwas1=TsetFPnK
zg5`qHR`D=R<(><-_=5Z<7{%)}4XExANcz@rK69T0x3%H<@frW>RA8^swA+^a(FxK|
zFl3LD*ImHN=X<Tm`8DfC>DUkrR<xW<(jZxC)!wKS)92Mp`by<@CGgeKED~ZJ3Jy$+
zjW_5$gXkQl+$Z+QJ~I#o6Pp!?bb78VSX!(@(92a;u-;wW%qe9fMiUm=#PwkrAbXT5
zVo>hp6RY5$rQ{bRgSO*(vEHYV)3Mo6Jy3puiLmU&g82p{qr0F?ohmbz)f2r{X2|T2
z$4fdQ=>0BeKbiVM!e-lIIs8wVTuC_m7}<Ui;+XED-5oBiR>y4A_%ikI;Wm5$9j(^Y
z(cD%U%k)X>_>9~t8;pGzL6L-fm<ULs+oY32iJK8t`MZXpBuoD$6OMAKyL46!gYNWE
zud<`{zju@c#T_7EyRG#xA7t1QT}ZgtiYwog7J*c#?<fNv<K7Htr4Bz79uv2x*w)<k
z=a;7q%vaAz-hD(kAxqWM%g9t=$}0NKb?)GaBa8K156rk8wWyI)MB=&^_{THh+}COk
zUzRKn7T0APWWnx<r&J-F&{b%n+JRIgYHuv;^|;Hor$0q~|8BI{QjuMG8JYxvYF}Gn
zy*In4ANN}0dpJx*JPO@eiJFX7bD|1WV+M;rfsj3PIBa@gpsi3FnkV~X3nx%2?_ypI
zh}S3zV-DKR|K!F9Z3-RZumjj)P_`}W2J~q|bB0)a9xHmA&%h{<vyYF9&zIJ>QO@K;
zo&vQzMlgY95;1BSkngY)e{`n0!NfVgf}2mB3t}D9@*N;FQ{HZ3Pb%BK6;5#-O|WI(
zb6h@qTLU~AbVW#_6?c!?Dj65Now7*pU{h!1+eCV^KCuPAGs28~3k@ueL5+u|Z-7}t
z9|lskE`4B7W8wMs@<RoRq4K_1jQ|2oJg$O-rP`~;Bzz?@Jlrn0Z@<=ZmJTM3jjq_~
zRZ}mS?n&K}m}#OA-nYs)kQ@R^-(uFAD{$CgCv6|t>xJa{#bsCGDFoRSNSnmNYB&U7
zVGKWe%+kFB6kb)e;<v}cel^QYVzboCh<hrVzAa>TyHfqtU6~fRg)f|>=5(N36)0+C
z`hv65J<$B}WUc!wFAb^QtY31yNleq4dzmG`1wHTj=c*=hay9iD071Hc?oYoUk|M*_
zU1GihAMBsM@5rUJ(qS?9ZYJ6@{bNqJ`2Mr+5#hKf?doa?F|+^IR!8lq9)wS3tF_9n
zW_?hm)G(M+MYb?V9YoX^_mu5h-LP^TL^!Q9Z7|@sO(rg_4+@=PdI)WL(B7`!K^ND-
z-uIuVDCVEdH_C@c71YGYT^_Scf_dhB8Z2Xy6vGtBSlYud9vggOqv^L~F{BraSE_t}
zIkP+Hp2&nH^-MNEs}^`oMLy11`PQW$T|K(`Bu*(f@)mv1-qY(_YG&J2M2<7k;;RK~
zL{Fqj9yCz8(S{}@c)S!65aF<=&eLI{hAMErCx&>i7OeDN>okvegO87OaG{Jmi<|}D
zaT@b|0X{d@OIJ7zvT>r+eTzgLq~|Dpu)Z&db-P4z*`M$UL51lf>FLlq6rfG)%doyp
z)3kk_YIM!03eQ8Vu_2fg{+osaEJPtJ-<V*830?$46vO`8Mw##QM*`Rr?w|#MyZ6A&
z_}pwQU2m8=Sp54^L})3wA`G=0rsaz56>s36R+5_AEG12`NG)IQ#TF9c@$99%0iye+
zUzZ57=m2)$D(5Nx!n)=5Au&O0BBgwxIBaeI(mro$#&UGCr<;C{UjJVAbVi%|+WP(a
zL$U@TYCxJ=1{Z~}rnW;7UVb7+ZnzgmrogDxhjLGo>c~MiJAWs&&;AGg@%U?Y^0JhL
ze(x6Z74JG6FlOFK(T}SXQfhr}RIFl@QXKnIcXYF)5|V~e-}suHILKT-k|<*~Ij|VF
zC;t@=uj=hot~*!C68G8hTA%8SzOfETOXQ|3FSaIEjvBJp(A)7SWUi5!Eu#yWgY+;n
zlm<$+UDou*V+246_o#V4kMdto8hF%%Lki#zPh}KYXmMf?hrN0;>Mv%`@{0Qn`Ujp)
z=lZe+13>^Q!9zT);H<(#bIeRWz%#*}sgUX9P|9($kexOyKIOc`dLux}c$7It4u|Rl
z6SSkY*V~g_B-hMPo_ak>>z@AVQ(_N)VY2kB3IZ0G(iDUYw+2d7W^~(Jq}KY=JnWS(
z#rzEa&0uNhJ>QE8iiyz;n2H|SV#Og+wEZv=f2%1ELX!SX-(d3tEj$5$1}70Mp<&eI
zCkfbByL7af=qQE@5vDVxx1}FSGt_a1DoE3SDI+G)mBAna)KBG4p8Epxl9QZ4BfdAN
zFnF|Y(umr;gRgG6NLQ$?ZWgllE<HJXYDr?-K8^D!ZlPa8ZG&+c+DJy(x5;Feg3L)*
zvdpRL&@{hyOZBRzTt*TCk9hewUpi`*Kt|w8q}nwi%?T`D?1ox^RZSRut44vMd{LO!
z5<xD{qy<T%oDMUy9H#9$W-Wu8GwxNdV(5T7B?RP@ZWH6Jt?*TpR4hY26nALXC@f!D
z_AE{^bi`q0U%atoVV5-5alLF?pA>eeq~z^ZS7L?<(~O&$5|y)Al^iMKy}&W+eMm1W
z7EMU)u^ke(A1#XCV>CZ71}P}0x)4wtHO8#JRG3MA-6g=`ZM!FcICCZ{IEw8Dm2&LQ
z1|r)BUG^0GzI6f946RrBlfB1Vs)~8toZf~7)+G;pv&XiUO(%5bm)pl=p>nV^o*;&T
z;}@oZSibzto$arQgfkp|<o4}2aWyA-u@g@X@*3Qq>z4Z($P>dTXE{4O=vY0!)kDO*
zGF8a4wq#VaFpLfK!iELy@?-SeRrdz%F*}hjKcA*y@mj~VD3!it9lhRhX}5YOaR9$}
z3m<U!dsnGfk?KY|+&M@U4to6WN5Fr~Z2Y~S6z;ugWov!c#T4Pid7?1x8wY`#cM-K&
zXZ31E^^+4l<8TS_eV}PTTl9cUjRQB-789L;;mi28ms9Ok_n}yunSfm?pRC6bk9iMK
z{Me@L*Hx9gKeGtG68!~RS?gRYfl2zINnyRg@p)U*X(<_ksV`=o%2XWE5-Y+=UYL-Y
ztqFc{r$bTOOr%6GK_kGlR5`+;tTS|8zSb;+levJ}UbU#B1Mej>S%$2Be7{l(+MVx3
z(4?h;P!jnRmX9J9sYN#7i=iyj_5q7n#X(!cdqI2lnr8T$IfOW<_v`eB!d9xY1<?8m
zc=9ctC~_znEmY{3do4Y&tSr#K8MEwV*K>P=2q&WtOXY=D9QYteP)De?S4}FK6#6Ma
z=E*V+#<o63M9PbR(KQau)lC&KzK0v*^~#=c>s8>L;8aVroK^6iKo=MH{4yEZ_>N-N
z`(|;aOATba1^asjxlILk<4}f~`39dBFlxj>Dw(hMYKPO3EEt1@S`1lxFNM+J@uB7T
zZ8WKjz7HF1-5&2=l=fqF-*@>n5J}jIxdDwpT?oKM3s8Nr`x8JnN-kCE?~aM1H!hAE
z%%w(3kHfGwMnMmNj(SU(w42OrC-euI>Dsjk&jz3ts}WHqmMpzQ3vZrsXrZ|}+MHA7
z068obeXZTsO*6RS@o3x80E4ok``rV^Y3hr&C1;|ZZ0|*EKO`$lECUYG2gVFtUTw)R
z4Um<0ZzlON`zTdvVdL#KFoMFQX*a5wM0Czp%wTtfK4Sjs)P**RW&?lP$(<}q%r68Z
zS53Y!d@<WHAUBA*8bUiRbm%Z;gZhfNqOZBHucO1A@&fFR43kejZro_v)VLcPwS7}~
zK5k!0!+rSL*HKlXVA@0UZ>&~ne9O)A^tNrXHhXBkj~$8j%pT1%%mypa9A<G!EKb<E
z`}8*o7Vl;U@K#TU5!9`Os$JU!y8FCud{w+#5g>W5E&s9)rjF4@O3ytH{0z6riz|@<
zB~UPh*wRFg2^7EbQrHf0y?E~dHlkOxof_a?M{LqQ^C!i2dawHTPYUE=X@2(<D?FV&
zcM@&VpBXA?L{0tb_j)NYM}%xYbEn~9R`f?;g|efm#wA%S{AP`lHyTMh8%rB%5P`TA
z^U37=Hfa1dqP}{-l>3<=OOxs8qn_(y>pU>u^}3y&df{JarR0@VJn0f+U%UiF=$Wyq
zQvnVHESil@d|8&R<%}uidGh7@u^(%?$#|&J$pvFC-n8&A>utA=n3#)yMkz+qnG3wd
zP7xCnF|$9Dif@N~L)Vde3hW8W!UY0BgT2v(wzp;tlLmyk2%N|0jfG$%<;A&IVrOI<
z!L)o>j>;dFaqA3pL}b-Je(bB@VJ4%!JeX@3x!i{yIeIso^=n?<yGgTTZ!PNB?9gX<
zIb-Mwo=t8!k;=1f5ke{{mjD;8+drvc=j_XPyvGfArKBJEaX2!s2-K1+v_zbm8v7BT
za`|K1N2}$TyJ@nhBOHb0du-5xRz>fDX`3bU=eG7sTc%g%ye8$v8P@yKE^XD=NYxTb
zbf!Mk=h|otpqjFaA-vs5YOF-*GwWPc7VbaOW&stlANnCN8iftFMMrUdYNJ_Bnn5Vt
zxfz@Ah|+4&P;reZxp;MmEI7C|FOv8NKUm8njF7Wb6Gi7DeODLl&G~}G4be&*Hi0Qw
z5}77vL0P+7-B%UL@3<Hx#GB2%vG%0rC1(94hq216=?s(ssfs{vDgp`%$+N_!WRy9C
za}K<}u;;Pqc=!2V0k{Hgo5p0-m1!D$f?OU9<FJ2<5oh^cbOGSGfdj2^%OxwDfU-z~
z(XR@2k_uf5r(>n1&JPxW^d@vVwp?u#gVcJqY9#@-3X{ok#UfW3<1fb%FT`|)V~ggq
z(3AUoUS-;7)^hCjdT0Kf{i}h)mBg4qhtHHBti=~h^n^OTH5U*XMgDLIR@sre`AaB$
zg)IGBET_4??m@cx&c~bA80O7B8CHR7(LX7%HThkeC*@vi{-pL%e)yXp!B2InafbDF
zjPXf1mko3h59{lT6EEbxKO1Z5GF71)WwowO6kY|6tjSVSWdQ}NsK2x{>i|MKZK8%Q
zfu&_0D;CO-Jg0#YmyfctyJ!mRJp)e#@O0mYdp|8x;G1%OZQ3Q847YWTyy|%^cpA;m
zze0(5p{tMu^lDkpe?HynyO?a1$_LJl2L&mpeKu%8YvgRNr=%2z${%WThHG=vrWY@4
zsA`OP#O&)TetZ>s%h!=+CE15lOOls&nvC~$Qz0Ph7tHiP;O$i|eDwpT{cp>+)0-|;
zY$|bB+Gbel>5aRN3>c0x<ruzyyQ%Zy5vf6}`4)t?d-C#9!GHs<@Hns>)4U=|X+z+{
zn*_p*EQ<B%95agq4hNqm^)z*%GD}I4q^^7sH5Hy)x3mf2i}!E6)Yg(THpWRZ7O-FM
zN0W_>oquRL+=+p;=lm`d71&1NqBz&_ph)MXu(Nv6&XE7(RsS)^MGj5Q?Fwude-(sq
zjJ>aOq!7!EN>@(fK7EE#;i_BGvli`5U;r!YA{JRodLBc6-`n8K+Fjgwb%sX;j=qHQ
z7&Tr!)!{HXoO<2BQrV9Sw?JRa<KG5emNB(T<y(NWmqssKxUatWWx*DdyYw_kOIJd)
z;k&Pys2Tnf4Po((JL<eVe)|O!Lv`GXH>LXV8HrsNevvnf>Y-6|{T!pYLl7jp$-nEE
z#X!4G4L#K0qG_4Z;Cj6=;b|Be$hi4JvMH!-voxqx^@8cXp`B??eFBz2lLD8RRaRGh
zn7kUfy!YV~p(R|p7iC1Rdgt$_24i0cd-S8HpG|`@my70g^y`gu%#Tf_L2<gJMO);m
zEk>1-k?sRRZHK&at(*ED0P8iw{7?R$9~OF$Ko;Iu5)ur5<->x!m<Z%nn+oUd>93Eb
zFYpIx60s=Wxxw=`$aS-O&dCO_9?b1yKiPCQmSQb>T)963`*U+Ydj5kI(B(B?HNP8r
z*bfSBpSu)w(Z3j7HQoRjUG(+d=IaE~tv}y14zHHs|0UcN52fT8V_<@2ep_ee{QgZG
zmgp8iv4V{k;~8@I%M3<#B;2R>Ef(Gg_cQM7%}0s*^)SK6!Ym+~P^58*wnwV1BW@eG
z4sZLqsUvBbFsr#8u7S1r4teQ;t)Y@jnn_m5jS$CsW1um!p&PqAcc8!zyiXHVta9QC
zY~wCwC<otwTnmD(e1ezd?<0DwVxo}=Fub>F0U%xiQPD_INKtTb;A|Zf29(mu9NI;E
zc-e>*1%(LSXB`g}kd`#}O;veb<(sk~RWL|f3ljxCnEZDdNSTDV6#Td({6l&y4IjKF
z^}lIUq*ZUqgTPumD)RrCN{M^jhY>E~1pn|KOZ5((%F)G|*ZQ|r4zIbrEiV%42hJV8
z3xS)=!X1+=olbdGJ=yZil?oXLct8FM{(6ikLL3E%=q#O6(H$p~gQu6T8N!plf!96|
z&Q3=`L~>U0zZh;z(pGR2^S^{#PrPxTRHD1RQOON&f)Siaf`GLj#UOk&(|@0?zm;Sx
ztsGt8=29-MZs5CSf1l1jNFtNt5rFNZxJPvkNu~2}7*9468TWm>nN9TP&^!;J{-h)_
z7WsHH9|F%I`Pb!>KAS3jQWKfGivTVkMJLO-HUGM_a4UQ_%RgL6WZvrW+Z4ujZn;y@
zz9$=oO!7qVTaQAA^BhX&ZxS*|5dj803M=k&2%QrXda`-Q#IoZL6E(g+tN!6CA!CP*
zCpWtCujIea)ENl0liwVfj)Nc<9mV%+e@=d`haoZ*<oI1yD0)ode<2{}h3=ee3^GUp
zK^Zv;a(K^#^f3JYFh@>`B7+PNjEbXBkv=B+Pi^~L#EO$D$ZqTiD8f<5$eyb54-(=3
zh)6i8i|jp(@OnRrY5B8t|LFXFQVQ895n*P16cEKTrT*~yLH6Z4e*bZ5otpRDri&+A
zfNbK1D5@O=sm`fN=WzWyse!za5n%^+6dHPGX#8DyIK>?9qyX}2XvBWVqbP%%D)7$=
z=#$WulZlZR<{m#gU7lwqK4WS1Ne$#_P{b17qe$~UOXCl>5b|6WVh;5vVnR<%d+Lnp
z$uEmML38}U4vaW8>shm6CzB(Wei3s#NAWE3)a2)z@i{4jTn;;aQS)O@l{rUM`J@K&
l00vQ5JBs~;vo!vr%%-k{2_Fq1Mn4QF81S)AQ99zk{{c4yR+0b!

literal 63721
zcmb5Wb9gP!wgnp7wrv|bwr$&XvSZt}Z6`anZSUAlc9NHKf9JdJ;NJVr`=eI(_pMp0
zy1VAAG3FfAOI`{X1O)&90s;U4K;XLp008~hCjbEC_fbYfS%6kTR+JtXK>nW$ZR+`W
ze|#J8f4A@M|F5BpfUJb5h>|j$jOe}0<b<>oE!`Zf6fM>C<V>R?!y@zU(cL8NsKk`a
z6tx5mAk<liamrzlCS@BsX~|&`RS-HU8cGq`t>djD;J=LcJ;;Aw8p!v#ouk>mUDZF@
zK>yvw%+bKu+T{N<MgC_~H%9||dlSch>k@LZ;zkYy0HBKw06_IWcM<!q!PNfx0T}}e
zTRJ0a11G0!b#QO&CEQP4n)k!|A)#qSG|8;N24)yY|3OH|n9Ef#Qn-}F#h?W3i%43c
z)2szbS#t|1^laxjK<9Y@_Ix3>Ho*0HKpTsEFZhn<oTMi&w}vW*Ra?K_!_)1rk7w^0
zcz%y-9{{$<M=0I0eaFor!J){*JHz%a;XWx9WpR5@-ICoSDBGt4RNpQ|Al>5qCHH9j
z)|XpN&{`!0a>Vl+PmdQc)Yg4A(AG-z!+@Q#eHr&g<9D?7E)_aEB?s_rx>UE9TUq|?
z;(ggJt>9l?C|zoO@5)tu?<y?2z)*Z;1quxvz;2Wr$0J)*8MlO}_`_m{D`H0p@e^(M
z$iAC}1xU~1A4L(ddtDLl_Pr6{Hx8(|zsON}%665gG;b|X+4q@!y;YHT4o3!{_{jPB
z>EV0x_7T17q4fF-q3{yZ^ipUbKcRZ4Qftd!xO(#UGhb2y>?*@{xq%`(-`2T^vc=#<
zx!+@4pRdk&*1ht2OWk^Z5IAQ0YTAXLkL{(D*$gENaD)7A%^XXrCchN&<gtMWk{spc
zdf)IQ%Esm7d(=p(gnM#+I?kJb&Lb5@<u)2i>z2x+*>o2FwPFjWpeaL=!tzv#JOW#(
z$B)Nel<+$bkH1KZv3&-}=SiG~w2sbDbAWarg%5>YbC|}*d9hBjBkR(@tyM0T)FO$#
zPtRXukGPnOd)~z=?avu+4Co@wF}1T)-uh5jI<1$HLtyDrVak{gw`mcH@Q-@wg{v^c
zRzu}hMKFHV<8w}o*yg6p@Sq%=gkd~;`_VGTS?L@yVu`xuGy+dH6YOwcP6ZE`_0rK%
zAx5!FjDuss`FQ3eF|mhrWkjux(Pny^k$u_)dyCSEbAsecHsq#8B3n3kDU(zW5yE|(
zgc>sFQywFj5}U*qtF9Y(bi*;>B7WJykcAXF86@)z|0-Vm<fczTCmKxlM?(K(U1MI{
zH7CsNY39I?b2iW&6QmO%p`j~N;r{IyO6k!4?8&O+JtB37&qWiLadcH|I)VEU4X_&G
z2Ff&+i<CegULNGA;Rqo82kZIenL`+2Sql2b=gdn7-sCd|*$dW%v3%JHM_jz-$G*h(
z2Zhp66mL0wC-)~7Dg~G4tT5AYOjgU1YJq|3QV~+nZV4#kZI8ONh{_OOoJD(-6)TQN
zW~`V4m}~|uOv@KO-ydJ-Zh&N$+FY<g0*jjHHbxmR>@jt!EPoLA6>r)?@DIobIZ5Sx
zsc@OC{b|3%vaMbyeM|O^UxEYlEMHK4r)V-{r)_yz`w1*xV0|lh-LQOP`OP`Pk1aW(
z8DSlG<ofVg|3LaJ-=P0V))`RIkE+lq+qJ{`jPVl(|5Va1SGyg3MTkZ3a5}sBX&c*A
ztSA~lX)HnZl`w$}6pc6PwMwbP#y;;c$+yzscOU^s%U^DuE7fk%u_oE_r4U9DlvWzf
zB&zu$+)hR%%$d2sDve|n{X>N>Ts|n*xj+%If~+E_B<wY#42?CSY)Lp9f}%hd8G2BV
zYz5{>xK)~5T#w6Q1WEKt{!Xtbd`J;`2a>8boRo;7u2M&iOop4qcy<)z023=oghSFV
zST;?S;ye+dRQe>ygiJ6HCv4;~3DHtJ({fWeE~$H@mKn@Oh6Z(_sO>01JwH5oA4nvK
zr5<Xf@p4l8GDDqq9Ca=)oYjzaL8(efxR9(LX_X`~m?l6@BVW;!8T+Uyif6_AH70S3
z1&@6Mj!ceBBfVQ`!9u3Zf{wVpf0C(t(aC=1R{{IVv+00AMAS(+n-xbkL&B4F#nFqZ
ztPDBX@p?jtnq^cL=+U%~e$BEw+yxI)sZyO4JhtoSg*p=}x1?BGLbn0LMY>Sr^g+LC
zLt(i&ecdmqsIJGNOSUyUpglvhhrY8lGkzO=0USEKNL%8zHshS>Qziu|`eyWP^5xL4
zRP122_dCJl>hZc~?58w~><cp^hJ_ZV5fj>`P_s18VoU|7(|Eit0-lZRgLTZKNq5{k
zE?V=`7=R&ro(X%LTS*f+#H-mGo_j3dm@F_krAYegDLk6UV{`UKE;{<k$0*s;%bL~F
z;<2lwblZB7HV^gmjYfnL$(oz3yiwuVBNdItsJS*edKT4)myLcW$QJUM;r94>YSsn$
z(yz{v1@p|p!0>g04!eRSrSVb>MQYPr8_MA|MpoGzqyd*$@4j|)cD_%^Hrd>SorF>@
zBX+V<@vEB5PRLGR(uP9&U&5=(HVc?6B58NJT_igiAH*q~Wb`dDZpJSKfy5#Aag4IX
zj~uv74EQ_Q_1qaXWI!7Vf@ZrdUhZFE;L&P_Xr8l@GMkhc#=plV0+g(ki>+7fO%?Jb
zl+b<?C%WXJNEX{LzvH<usRTrr8A!~O>Ty7q{w^pTb{>(Xf2q1BVdq?#f=!geqssXp
z4pMu*q;iiHmA*IjOj4`4S&|8@gSw*^{|PT}Aw~}ZXU`6=vZ<Hcy3%$%v9V&0Kee&a
zKV!#7+J;9|6x<uodo*>B=GGeMm}V6W46|pU&58~P+?LUs%n@J}CSrICkeng6YJ^M?
zS(W?K4nOtoBe4tvBXs@@`i<!ZAMR~@rqD5uMjjRS2DHf>?4G$S2W&;$z8VBSM;Mn9
zxcaEiQ9=v<fz_-ouh|d?S}QqE(0qsl4bj8_Oo|Bt%%h=cX$JXg7?LJ&<ET0ro2;%t
z1-1gS%DOru2m?YDj1D3wKn1f3YvfFowv0`#z<)Q7Eu0mY1aD;Bp(<0D*dvtLJmX0i
zAI;vT=wP6!8*)iKc4+k{>S|bIJ>*tf9AH~m&U%2+Dim<)E=<ebn)#5-YItTnbgMqQ
zt=Y>}KORp+cZ^!@wI`h1NVBXu{@%hB2Cq(dXx_aQ9x3mr*fwL5!ZryQqi|KFJuzvP
zK1)nrKZ7U+B{1ZmJub?4)Ln^J6k!i0t~VO#=q1{?T)%OV?MN}k5M{}vjyZu#M0_*u
z8jwZKJ#Df~1jcLXZL7bnCEhB6IzQZ-GcoQJ!16I*39iazoVGugcKA{lhiHg4Ta2fD
zk1Utyc<n(<e1-Rj>5%QzZ$s3;p0N+N8VX{sd!~l*Ta3|t>lhI&G`sr6L~G5Lul`>m
z{!^INm?J|&7X=;{XveF!(b*=?9NAp4y&r&N3(GKcW4rS(Ejk|Lzs1PrxPI_owB-`H
zg3(Rruh^&)`TKA6+_!n>RdI6pw>Vt1_j&+bKIaMTYLiqhZ#y_=J8`TK{Jd<7l9&sY
z^^`hmi7^14s16B6)1O;vJWOF$=$B5ONW;;2&|pUvJlmeUS&F;DbSHCrEb0QBDR|my
zIs+pE0Y^`q<Mo02TIpLU)qh7WQ?@rM6U&!Z;VW(ggXdTSsIrFphI+dpATgu%)3IHs
z@+Xj*BwLyZ=r@R=;kqR6lCAdnF<CWp%t6J7J#JoVQ!Q2LM-rk#T_J^oRW%%3=2#t<
zlx+Py@hbE`=>JTyH-_mP=)Y+u^LHcuZhsM3+P||?+W#V!_6E-8boP#R-*na4!o-Q1
zVthtYhK{mDhF(&7Okzo9dTi03X(AE{8cH$JIg%MEQc<ZbLh@dc$w|qk{r@1?l>a`S
zy@8{Fjft~~BdzWC(di#X{ny;!yYGK9b@=b|zcKZ{vv4D8i+`ilOPl;PJl{!&5-0!w
z<G-5=7&<vS8W=eX+1c0_*cwY)*qR90*}8t;u!-Ye>^fOl#|}vVg%=n)@_e1BrP)`A
zKPgs`O0EO}Y2KWLuo`iGaKu1k#YR6BMySxQf2V++Wo{6EH<oD|H%>mK>A~Q5o73yM
z-RbxC7Qdh0Cz!nG+7BRZE>~FLI-?&W_rJUl-8FDIaXoNBL)@1hwKa^wOr1($*5h~T
zF;%f^%<$p8Y_yu(JEg=c_O!aZ#)Gjh$n(hfJAp$C2he555W5zdrBqjFmo|VY+el;o
z=*D_w|GXG|p0**hQ7~9-n|y5k%B}TAF0iarDM!q-jYbR^us(>&y;n^2l0C%@2B}KM
zyeRT9)oMt97Agvc4sEKUEy%M<cvw&A<E0smes0HD4KT3M{WaOQQ;89w>pXr2vz*lb
zh*L}}iG>-pqDRw7ud{=FvTD?}<cu3Tk)KD+t)3BG<`{7$)a-(xssJsd76$3kXZ|K+
zux7WJ7n@%B)`GvtXt2vB^wx3Cq%hbMjsz#YIUp6%4@(wA$XOe1;039$$Hc7QvIpbU
zLS8D9A2JK!>xjD)w{`KzjNom-$jS^;iw0+7n<H%EYFc(Oy%QoCT$qyKODp6T3?dHk
z!A)db&e@dFRGDaEZ1f6Uhkq#S5W3t3q@<p|gafXRD$(FZPe|Di#nme60l3B9fVDQI
z7v|md<AFmDM_>XSnt1R@G|VqoRh<xeTuMLt3A;kkH;cO*#r^ytgz}n?7coM19}rK`
z);^|be>E%12<OWj>nm+PH?9`(4rM0kfrZzIK9JU=^$YNyLvAIoxl#Q)xxDz!^0@zZ
zSCs$nfcxK_vRYM34O<1}Q<iD$7sC+}q<B7R-C|JDpp;azgo0#wbVy`Lz$zBEbO-~2
z>HZ|hp4`ioX3x8(UV(FU$J@o%tw3t4k1QPmlEpZa2IujG&(roX_q*%e`Hq|);0;@k
z0z=fZiFckp#JzW0p+2A+D$PC~IsakhJJkG(c;CqAgFfU0Z`u$PzG~-9I1oPHrC<wq
zp!=`znU^{;qwI4(IwPTBbeO&*i}Y=rKz<}0qd2sSuD;n+Mp~oxu2u^U_@*f$2SH4&
zl?ba0Bgc;6q%NBUleYBwY{7zE^Vfp-*+^4E--SmUnP*kpPGgQ7i#F(|?Htpi_BGIr
zb@Gxu5=<~CQJoX};=}ZoAqI?aQ`aURT7|_bL85cc5*32Ec(l3BkkWJ!;u(fz)0rjQ
zM$>w&)@s^Dc~^)#<wKTL<XKhL5mN0<#J&V|X6YXFoTAHh1v3e?`1qzOHJxAfrJ&Ia
z>HPW0Ra}J^=|h7Fs*<8|b13ZzG6MP*Q1dkoZ6&A^!}|hbjM{2HpqlSXv_UUg1U4gn
z3Q)2VjU^ti1myod<e*tXJ``;<uRxWgHj9DL9reuUk;3Yai3$ZVxc$Lik!QkFkY_p-
zQ0zfew$syu%`J??OaA$e3yhROoyi??MOs)*6Y|FoRjo5YG8>v+tjhSZp%D978m~p&
z43uZUrraHs80Mq&vcetqfQpQP?m!CFj)44t8Z}k`E798wxg&~aCm+DBoI+nKq}&j^
zlPY3W$)K;KtEajks1`G?-@me7C>{PiiBu+41#yU_c(dITaqE?IQ(DBu+c^Ux!>pCj
zLC|HJGU*v+!it1(;3e`6igkH(VA)-S+k(*yqxM<DMa${DuB@U~n2TvsN>gUah3$@C
zz`7hEM47xr>j8^g`%*f=6S5n>z%Bt_Fg{Tvmr+MIsCx=0gsu_sF`q2hlkEmisz#Fy
zj_0;zUWr;Gz}$BS%Y`meb(=$d%@Crs(<S5im8rZJ+hXaeF4?)$Bxlh$wotZoqo;9C
zoV$lbzz-{=kDm#H-UEvsDLF6Q650PW_m^)`Fnl2k7$|cT<4p%DP+QQ%Pm<dng5Tlm
zJY!}F9=K|jqEaN6rLUGWH!wZ0U(TSP7a_ulN!0{(D76G_DCCMYc~&1UiwGoGVvr{o
zKJ*3=vWF1EmCF?ngO(A#QHO73AHw39x4#7x|2*uRJP=H^WAL{ITtOufKQPefaR-dw
z;G$VL`0sIgw-zB%E@}zvSQFs9-~l@jy~i@_j=aHRkdEWSDI;LT_XD0ffYvUye7<si
z2Fb>OoJ|}m#<7=-A~PQbyN$x%2iXP2@e*nO0b7AwfH8cCUa*Wfu@b)D_>I*%uE4O3
z(lfnB`-Xf<Eah_TH0`p#iJ%bwIruYbtv4=i&#2ev1%ADQ5<nqfk9TiY>*L<pJwX*6
z6rk6>fC)E}e?%X2kK7DItK6Tf<+M^mX0Ijf_!IP>7c8IZX%8_#0060P{QMuV^B<Nc
z0Y@_z8xvb+5qBdKduI!~zgMP`<EJEn8Bv1e-k1xUTQqH`&-$;LRKPb?p@^XRcl%SW
z7A(?4O_9bX%W97*cKg9^@&`$1Rhl479TL49uifNE-$%}|e=@U3QRq(u*`T|i!vY;=
zLFYU{oP~b!`V{F3i<~?v4T-GsVj-c>9i<^E`_Qf0pv9(P%_<ZnXV3#<!Itln<wgcO
z_ag@&>s8D`qvDE9LK9u-jB}J2S`(mCO&XHTS04Z5Ez*vl^T%!^$<HtTbQGA?-M`Fa
zN~3r+{;f4I^wTt)Y$;V0A?b}t39$3`u-!SmQRz2~BgR0Y22AtoiqyTce$gRQ#;)xn
z(H=h1rzHb3B0D>~EH8M-UdwhegL>3IQ*)(MtuH2Xt1p!fS4o~*rR?WLxlA!sjc2(O
znjJn~wQ!Fp9s2e^IWP1C<4%sFF}T4omr}7+4asciyo3DntTgWIzhQpQirM$9{EbQd
z3jz9vS@{<x6RjX4HShz$XJL7Gv9^MIhKL19l!vXDKtut8g2a8N<h+4&Yt&WgZG-0p
z_>aOqTQHI|l#aUV@2Q^Wko4T0T04Me4!2nsdrA8QY1%fnAYb~d2GDz@lAtfcHq(P7
zaMBAGo}+NcE-K*@9y;Vt3*(aCaMKXBB*BJcD_Qnx<UAAx@pFpd`WS-_yK7SJSHbCM
zJ+sycj{FkEU&9Ysa-wV2!;2(ImdDdIZgJ}`9j;jTiYPXEDq*CO`T4-t*|XS#9~HNC
zu96BV=Ry2qi)VUChoa}C_CB44h;*&oc0EWPU$hYH8{zPphs-sTrb;$I`Tk25Ef6wI
z)-7g@DMK6f){DP<6&$RnaJ4vp86eii6XT#?kKzCG^Hnm1S^@(5e!g%30A&B?^OgGt
zSI<_}azj?Z*h(zPW=Yo#YqH4KJ|wab#BOfNtKQV48`7O!MvH)0FqQ@{NoPp6N4$3X
z1K#yg(se^X=dYqMag+$(^NRillP<Mw#+WO8vuGkT>pt75r?GeAQ}*|>pYJE=uZb73
zC>sv)18)q#EGrTG6io*}JLuB_jP3AU1Uiu$D7r|2<a!(dEKJOdD7OJ~`mJ#&3lVWo
z2(|vK+K6Dp{tAw<@IDkF-OU~{Fey=i5LyAY`xe{ZP)J-QHDxPH%5%%ni&>_zlIGb9
zjhst#ni)Y`$)!fc#reM*$~iaYoz~_Cy7J3ZTiPm)E?%`fbk`3Tu-F#`{i!l5pNEn5
zO-Tw-=TojYhzT{J=?SZj=Z8#|eoF>434b-DXiU<dJw*iNTYgDXXO3%H4$mrD2+2if
zR#sZlF&7^<X^ey&*l`pd(b870Yl;d^q~$DJ4j>si<i1L1H7=S6VPERSA>gnxXNaR3
zm_}4iWU$gt2Mw5NvZ5(Vp<B5%4ml4%u2XX{cb%`vs{9^lq|NV~2Us}ADnGUgJZqX-
zvwS;i%5bY0rx<UeBWyPSiTAfxZ8Te<Y^2=Q6Uyjb@`B9@uPO^RqSGRQ8L=vx?~S*{
zt!O7dY09tk+Q(K@^7dsqbRFj3D?R)D=uSPhZfFr)&^PL7B^!(GLR_d(Kw!yNd&IP$
znV)B>F`?X*f2UZDs1TEa1oZCif?Jdgr{>O~7}-$|BZ7I(IKW`{f;@|IZFX*R8&iT=
zoWstN8&R;}@2Ka%d3vrLtR|O??ben;k8QbS-WB0VgiCz;<$pBmIZdN!aalyCS<xwK
zC7(yN8jDThv(|6XTqj5k)nXJHl?i2Q&>Em)crpS9dcD^Y@XT1a3+zpi-`D}e#HV<}
z$Y(G&o~PvL-xSVD5D?JqF3?B9rxGWeb=oEGJ3vRp5xfBPlngh1O$yI95EL+T8{GC@
z98i1H9KhZGFl|;`)_=QpM6H?eDPpw~^(aFQWwyXZ8_EEE4#@QeT_URray*mEOGsGc
z6|sdXtq!hVZo=d#+9^@lm&L5|q&-GDCyUx#YQiccq;spOBe3V+VKdjJA=IL=Zn%P}
zNk=_8u}VhzFf{UYZV0`lUwcD&)9AFx0@Fc6LD9A6Rd1=ga>Mi0)_QxM2ddCVRmZ0d
z+J=uXc(?5JLX3=)e)Jm$HS2yF`44IKhwRnm2*669_J=<i2xqPYPe_t`z^~U4bI&mS
zeK8h(VJQzW*&0F;1J5rkP14OFRVV|<ULvN%7sx(;Rti9xZLhau-~!P2{WfUAn2q*`
zd|=*_Vb!;8;KGMfl41$VF7fE>2LlwuF5$1tAo@ROSU@-y+;Foy2IEl2^V1N;fk~YR
z?&EP8#t&m0B=?aJeuz~lH<ij*LuuHi5!4Rd8ZU2wg>jAzRBX>&x=A;gIvb>MD{XEV
zV%l-+9N-)i;YH%nKP?>f`=?#`>B(`*t`aiPLoQM(a6(qs4p5KFjDBN?8JGrf3z8>=
zi7sD)c)Nm~x{e<^jy4nTx${P~cwz_*a>%0_;ULou<DyN^`2@H+<{3q_pZ|fCRGf^h
zvtT4FGJj|vS-l9;nX`=;6AMdLY77qfRlAH(xzJbez);$Wc|j0JS86%Riccga7l&Q^
z7DDh5jhBvJ0eBnJZoBnclA)#bn$D1A`JT3aY&tu3wlfU}!It+X%B_(|pGP1-6at%6
z9G;Q{hFp?BH`-HYKrn-(5-7%bIR8)}bl%^bc}8y}>3kHCAD7EYkw@l$8TN#LO9jC(
z1B<i{*|v`>eFW`k+bu5e8Ns^a8dPcjEVHM;r6UX+cN=Uy7HU)j-myRU0wHd$<r<rS
z?gfFH3ULExuxO;h09`>A1fNI~`4;I~`zC)3ul#8#^rXVSO*m}Ag>c%_;nj=Nv$rCZ
z*~L@C@OZg%Q^m)lc-kcX&a*a5`y&DaRxh6O*dfhLfF+fU5wKs(1v*!TkZidw*)YBP
za@r`3+^IHRFeO%!ai%rxy;R;;V^Fr=OJlpBX;(b*3+SIw<j-Y9ZSgmH9DO&6{}V;z
z4IG_J97!1eDmMg22|)ETAc%aKH#bAM9(9CS1?uKgKtu$Phh55R&4VPI?P<FMz>}7=
zIq$*Thr(Zft-RlY)D3e8V;BmD&HOfX+E$H#Y@B3?UL5L~_fA-@*IB-!gItK7PIgG9
zgWuGZK_nuZjHVT_Fv(XxtU%)58;W39vzTI2n&)&4Dmq7&JX6G>XFaAR{7_3QB6zsT
z?$L8c*WdN~nZGiscY%5KljQARN;`w$gho=p006z;n(qIQ*Zu<``TMO3n0{ARL@gYh
zoRwS*|Niw~cR!?hE{m*y@F`1)vx-JRfqET=dJ5_(076st(=lFfjtKHoYg`k3oNmo_
zNbQEw8&sO5jAYmkD|Zaz_yUb0rC})U<yhPFxA*<jTKd}k{c~z90FpaZKIj}7mLZZR
zVlskQe<0xI9>!rCHOl}JhbYIDLzLvrZVw0~JO`d*6f;X&?V=#T@ND*cv^I;`sFeq4
z##H5;gpZTb^0Hz@3C*~u0AqqNZ-r%rN3KD~%Gw`0XsIq$(^MEb<~H(2*5G^<2(*aI
z%7}WB+TRlMIrEK<z8Y-G_4JTi0dxbex2YwD(&eIklPGFZaWLB&GD=ZnUD^~B#;k{<
zjP^KiL#JbSns`pE$?*&<=bFPwu*}^i6&=HjW3#5UHflvIkmn+HmO8$)V)qRxk*3l@
zOO9ib60_+Zpll9hiP2eYZBRUKjvXd)MdN}}smA0!UK^qy;<^pk_jf6elpJ`B)>#s0
z93xn*Ohb=kWFc)BNHG4I(~RPn-R8#0lqyBBz5OM6o5|>x9LK@%HaM}}Y5goCQRt2C
z{j*2TtT4ne!Z}vh89mjwiSXG=%DURar~=kGNNaO_+Nkb+tRi~Rkf!7a$*QlavziD(
z83s4GmQ^Wf*0Bd04f#0H<rzc{Zw2|AZqo(GiNDwicoG{misd0-Mku7fEh(b%bV@{&
zro_rCgoAMr<vEX067x&DjEdA&lB?SNTC@l2#eL4j&Fx~(S<U2Qj$}%g_p>X@ua_d8
z23~z*53ePD6@xwZ(vdl0DLc=>cPIOPOdca&MyR^jhhKrdQO?_jJh`xV3GKz&2lvP8
zEOwW6L*ufvK;TN{=S&R@pzV^U=Q<n5LbrjaQ=f5@7_~`mTQ9mj1lTX|puGXCkhc-%
zDqQ!ov(P;Fh`r;zNT#tw6ShQ_Wb=wsd)-t85jQ<PT~cSb(KG~zb^;j9%nmc1=u1J=
znM6vCx;p+afnlGOK^Z(FtJX%b2Laq9%EC)v3-}QHS=dL;;3Z|eP=v~{8Igl4x<in+
zs+~^lyBk3)zB{QIT=g<UC4Dvc@uY$A(I$Qm(r%M)rb;eRGv~cUyVvsbhIKxiBZOdE
z&4GjvPs^czPS?~yx=kmokn<?z^Iu|gjSZTs;5%U;1OKb!`@bg*{}`ix5nQLgVzWB=
zOBPuGVWiiKw%d`msf^&W1_DTJ7XVcxDttFKPMJj@Q@p^`V#d*Pi+Mxn7SS91D^8en
zZty#+i)vgc%xXIPl}6Ud+}N0#zLvf5`S$Ta{!?R<CC_N_2bR$mN%T1dmbl^kFBBTw
z1ujzzCe&Kp;{r{`peY9BJL9Pe30)VP%6+b7BRXtX7mFD)e?pfD#2CL!17n(PpRUO`
z?Yjz)8OniiQ=hFAxt9*96eH5w{w=1|n0X<i`5k*Km^JQNZ!JF0bM74Zvj&6~ZAXtn
zgG9^ASe$T762j2Jcgl0`Y(Mo@H6OZ<lK6bTs)vl;gOmx8Db2@XVoT@)D;P*RE2{Pu
zkq|sNVFWHy%(o0jW-8h@<pE7_$58cKk*4~kS1*H4Ot~s|!`6&RJxm(c3R*s0mV_8;
zn2FG~1NRH*S@8AcCakja5ctO6KJ`a7lcApLvK|cc`*cNA(|7?@ShdEJko*Iz0dJa*
za(Cjc=YoMHSiGhp!^zXOoFUjrW@)@~Kuoe2$0wLZF+12d?*qAHgQiPS_>Nk^Ec}5H
z+2~JvEVA{`uMAr)?Kf|aW>33`)UL@bnfIUQc~L;TsTQ6>r-<^rB8uoNOJ>HWgqMI8
zSW}pZmp_;z_2O5_RD|fGyTxaxk53Hg_3Khc<8AUzV|ZeK{fp|Ne933=1&_^Dbv5^u
zB9n=*)k*tjHDRJ@$bp9mrh}qFn*s}npMl5BMDC%Hs0M0g-hW~P*3CNG06G!MOPEQ_
zi}Qs-6M8aMt;sL$vlmVBR^+Ry<64jrm1EI1%#j?c?4b*7>)a{aDw#TfTYKq+SjEFA
z(aJ&z_0?0JB83D-i3Vh+o|XV4UP+YJ$9Boid2^M2en@APw&wx7vU~t$r2V`F|7Qfo
z>WKgI@eNBZ-+Og<{u2ZiG%>YvH2L3fNpV9J;WLJoBZda)01Rn;o@){01{7E#ke(7U
zHK>S#qZ(N=aoae*4X!0A{)nu0R_sKpi1{)u>GVjC+b5Jyl6#AoQ-1_3UDovNSo`T>
z?c-@7XX*2GMy?k?{g)7?Sv;SJkmxYPJPs!&QqB12ejq`Lee^-cDveVWL^CTUldb(G
zjDGe(O4P=S{4fF=#~oAu>LG>wrU^z<Zw*_46AZG)LPZf(N{7;dl4f;=ChNJ&((0HR
z>_?3yt24FOx>}{^lCGh8?vtvY$^hbZ)9I0E3r3NOlb9I?F-Yc=r$*~l`4N^xzlV~N
zl~#oc>U)Yjl0BxV>O*Kr@lKT{Z09OXt2GlvE38nfs+DD7exl|&vT;)>VFXJVZp9Np
zDK}aO;R3~ag$X*|hRVY3OPax|PG`@_ESc8E!mHRByJbZQR<iP3ONA)u3T^sr$hJu)
z!;4BKQQ3Ke*v_=`LpX`s9^P!rY`x6m`OB{xdu)~9l-PrYu_eSHL`$3Jn77r}HXM<V
zt(63|ZNf?J_G2$D@(>S38V2F__7MW~sgh!a>98Q2%lUNFO=^x<M$kfz5r<ep4<gy2
zqj#v58_1DTD9KgRF!$T?T|hpgQFqS{y9=z}$c192Is9kheW211%6d$Lv95L2Dj6<Y
zb#^>U52|?D=IK#QjwBky-C>zO<IBf}7iok}7&M@d#5zo!yo-N`Xt*z8pz#W=a}edt
zZG-pIp+-`FRdYN5kGiz~5pI5v{UL@+ll7;0f%sl_#Rz#s#c=hclIZch%vfdNL6kTn
zr*OojJocIA;LUP<Ni!nCp8^IKsKOF;%d~A3Zec1Z)onv06oLt;&zK*gg)?kMAG~wt
z$?%9ZDd#C*i@r2pEnc3pbg`;ZSgHhk8hnJ=MZQDKa})LR^M<VYo_<&7>WlsiiM&1n
z;!&1((Xn1$9K}xabq~222gYvx3hnZPg}VMF_GV~5ocE=-v>V=T&RsLBo&`)DOyIj*
zLV{h)JU_y*7SdRtDajP_Y+rBkNN*1_TXiKwHH2&p51d(#zv~s#HwbNy?<+(=9WBvo
zw2hkk2Dj%kTFhY+$T+W-b7@qD!bkfN#Z2ng@Pd=i3-i?xYfs5Z*1hO?kd7Sp^9`;Y
zM2jeGg<-nJD1er@Pc_cSY7wo5dzQX44=%6rn}P_SRbpzsA{6B+!$3B0#;}qwO37G^
zL(V_5JK`XT?OH<!?|M@&0-Z{-IE8Y%j&9{KOrqhAFsdE>Vk|{_$vQ|oNEpab*BO4F
zUTNQ7RUhnRsU`TK#~`)$icsvKh~(pl=3p6m98@k3P#~upd=k*u20SNcb{l^<aLnRI
zIQFl^{&&$2$-fmuufLTX(f?#w5i)Qxk+5|#v30U=ws193a(1+^HT!10f0I0&?f$MZ
z7Axt<A%ClkjrclcTIHY>1rUa)>qO997)pYRWMncC8A&&MHlbW?7i^7M`+B$hH~Y|J
zd>FYOGQ;j>Zc2e7R{KK7)0>>nn_jYJy&o@sK!4G>-rLKM8Hv)f;hi1D2fAc$+six2
zyVZ@wZ6x|fJ!4KrpCJY=!Mq0;)X)OoS~{<zp2fNOj3=!d#J-DZOZZGDsQytEg`t+g
z3s*%5CrGI0LC#hm)1QTr3)Q~mP=>Lkh6u8J<B0%4?J^Iw+=WHCe(yhjohQDag#Q-y
zuxp6&sgx+NVPxq!=P=H(FOhwRd2_*m=|$Mcn3vF&f(Fz>`eK%u0WtKh6B>GW_)PVc
zl}-k`p09qwGtZ@VbYJC!>29V?Dr>>vk?)o(x?!z*9DJ||9qG-&G~#kXxbw{KKYy}J
zQKa-dPt<oy^t}rwUk4E{A=4M9sOFfr7Ds9yI!q0r@t|+qU_|sPwWo~)0N*{XeSJ2j
zt||$@K&w$2s%KuI4R}Av!VN4FKqSw8V4~H!Grt8-#>~M~E}V?PhW0R26xdA%<ogsP
zN|DDB6`HT`^}UE=1A}Thaak~Emv(0YF@z$Cl+aE_pyty?6u<ojo%}e0uS=bI+~z8+
zN@qxB>1T*%ra6SguGu50YHngOTIv)@N|YttEXo#OZfgtP7;H?EeZZxo<}3YlYxtBq
znJ!W<Tk7rKF4_TgJoZCW5Z^!*fTJ-Zk)y;)2fnZbAE(sksf_kg&-X&Eg#6@NPIv)e
zPk4oG=#<n+u~!?2Waj@D(b4RIBp>FR^tmGf0Py}N?kZ(#=VtpC@%xJkDmfcCoBTxq
zr_|5gP?u1@vJZbxPZ|G0AW4=tpb84gM2DpJU||(b8kMOV1S3|(yuwZJ&rIiFW(U;5
zUtAW`O6F6Zy+eZ1EDuP~AAHlSY-+A_eI5Gx)%*uro5tljy}kCZU*_d7)oJ>oQSZ3*
zneTn`{gnNC&uJd)0aMBzAg021?YJ~b(fmkwZAd696a=0NzBAqBN54KuNDwa*no(^O
z6p05bioXUR^uXjpTol*ppHp%1v9e)vkoUAUJyBx3lw0UO39b0?^{}yb!$yca(@DUn
zCquRF?t=Zb9`Ed3AI6|L{eX~ijVH`VzSMheKoP7LSSf4g>md>`yi!TkoG5P>Ofp+n
z(v~rW+(5L96L{vBb<M(xcH!jFDY91P;>^g51B=(o)?%%xhvT*A5btOpw(TKh^g^4c
zw>0%X!_0`{iN%RbVk+A^f{w-4-SSf*fu@FhruNL##F~sF<TNlh3Zu<wDObc>24O~u
zyYF<3el2b$$wZ_|uW#@Ak+VAGk#e|kS8nL1g>2B-SNMjMp^8;-FfeofY2fphFHO!{
z*!o4oTb{4e;S<|JEs<1_hPsmAlVNk?_5-Fp5KKU&d#FiNW~Y+pVFk@Cua1I{T+1|+
zHx6rFMor)7L)krbilqsWwy@T+g3DiH5MyVf8Wy}XbE<yUx>aoFIDr~y;@r&I>FMW{
z?Q+(IgyebZ)-i4jNoXQhq4Muy9Fv+OxU;9_Jmn+<`mEC#%2Q_2bpcgzcinygNI!&^
z=V$)o2&Yz04~+&pPWWn`rrWxJ&}8k<h1nlJpEW7DYjzCm^(#wnSe&>hR)6B(--!9Q
zubo}h+1T)>a@c)H^i``@<^j?|r4*{<Pxu7~B&!$dLmL9Ys=1M8gJeDpJrYz<2V9nr
zTvmS4mM<@Hxmfnk<1RI6FD*TtRhU+s9@>;tQf78(xn0g39IoZw0(CwY1f<%F>kEaJ
zp9u|IeMY5mRdAlw*+gSN^5$Q)ShM<~E=(c8QM+T-Qk)FyKz#<J1rUcxa8T8CP^@o-
z9LUqXz6y%L)dYBeo?hHD`m4vf;Ko!GhH#gWIg{IB<GEyusoLX^qjW_iBFR#|P|H$t
z1PVdv4xB@M4hvXb%aZB@j?)`0DTujf<&yn?+Ww^h>Sw0EJ*edYcuOtO#~Cx^(M7w5
z3)rl#L)rF|(Vun2LkFr!rg8Q@=r>9p>(t3Gf_auiJ2Xx9HmxYTa|=MH_SUlYL`mz9
zTTS$`%;D-|Jt}AP1&k7PcnfFNTH0A-*FmxstjBDiZX?}%u%Yq94$fUT&z6od+(Uk>
zuqsld#G(b$G8tus=M!<V>N#oPd|PVFX)?M?tCD0tS%2IGTfh}3YA3f&UM)W$_GNV8
zQo+a(ml2Km4o6O%gKTCSDNq+#zCTIQ1<zRinbW1<P#|UQotg93waYH2w1*h*jWPj6
z^zMSH#dD)R!pp{n89hOchS-cu?Yi0ISv7!)1hAHH{1T%@r!ud3;HLw5<Vb67p@OE@
zP1TDxu7L{<vN=z>*`TIJh~k6Gp;htHBFnne))rlFdGqwC6dx2+La1&Mnko*352k0y
z+tQcwndQlX`nc6nb$A9?<-o|r*%aWXV#=6PQic0Ok_D;q>wbv&j7cKc!w4~KF#-{6
z(S%6Za)WpGIWf7jZ3svNG5OLs0>vCL9{V7cgO%zevIVMH{WgP*^D9ws&OqA{yr|m|
zKD4*07dGXshJHd#e%x%J+qmS^lS|0Bp?{drv;{@{l9ArPO&?Q5=?OO9=}h$oVe#3b
z3Yofj&Cb}WC$PxmRRS)H%&$1-)z7jELS}!u!zQ?A^Y{Tv4QVt*vd@uj-^t2fYRzQj
zfxGR>-q|o$3sGn^#VzZ!QQx?h9`njeJry}@x?|k0-GTTA4y3t2E`3DZ!A~D?GiJup
z)8%PK2^9OVRlP(24P^4_<|D=H^7}WlWu#LgsdHzB%cPy|f8dD3|A^mh4WXxhLTVu_
z@abE{6Saz|Y{rXYPd4$tfPYo}ef(oQWZ=4Bct-=_9`#Qgp4ma$n$`tOwq#&E18$B;
z@Bp)bn3&rEi0>fWWZ@7k5WazfoX`SCO4jQWwVuo+$PmSZn^Hz?O(-tW@*DGxuf)V1
zO_xm&;NVCaHD4dqt(-MlszI3F-p?0!-e$fbiCeuaw66h^TTDLWuaV<@C-`=Xe5WL)
zwooG7h>4&*)p3pKMS3O!4>-4jQUN}iAMQ)2*70?hP~)TzzR?-f@?Aqy$$1Iy8VGG$
zMM?8;j!pUX7QQD$gRc_#+=raAS577ga-w?jd`vCiN5lu)dEUkkUPl9!?{$IJNxQys
z*E4e$eF&n&+AMRQR2gcaFEjAy*r)G!s(P6D&TfoApMFC_*Ftx0|D0@E-=B7tezU@d
zZ{hGiN;YLIoSeRS;9o%dEua4b%4R3;$SugDjP$x;Z!M!@QibuSBb)HY!3zJ7M;^jw
zlx6AD50FD&p3JyP*>o+t9YWW8(7P2t!VQQ21pHJOcG_SXQD;(5aX#M6x##5H_<Vgo
zXaA`|b1qI$OB^nkP*k8;>Re>6lPyDCjxr*R(+HE%c&QN+b^tbT<D}=?S8O%T8tX+C
zcq<H{RI|G2B9m%Rvp=d?PUf-1CZ*M)qUmtvLRWz*mFB-QNI1$Q(ryDe(K%5UcMcw>
zXBJk?p)zhJj#<NYmRaIG#%{yKso~Jl);(QZ{BXnYyStuZE8Z;ST(ba;;Cf6`eaY~e
zro&T_@|5eV&LV-Vdlye+OlA8HSGS?PEP0tn!gk^nHiROTHF+mL6DBZ*<LBy0zzNW0
z?K`Dd6_+8u^4Tx%YqyDRx3oaO`51F%4~hz9FS=g55uAbZ9<uEXv*DeH(f5XqNd{@0
zp<n?$CoIPaZ{u=WOkQK=>I?&Y2n&~XiytG9!1ox;bw5Rbj~)7c(MFBb4>IiRATdhg
zmiEFlj@S_hwYYI(ki{}&<;_7(Z0Qkf<vz98R4^QE*0+j0Yt5Bq_8W~pIEsdB>q>am
z&LtL=2qc7rWguk3BtE4zL41@#S;NN*-jWw|7Kx7H7~_%7fPt;TIX}Ubo>;Rmj94V>
zN<mGWxPciFI#UK&1{)&R+tKETKKJppI5eS&4QOQDb2gC@9#amL!Z4`6_?sgG50#TO
zUE{XN@zEh;wAcp{%1UraASTco@__6>B1=;-9AR7s`Pxn}t_6^3ahlq53e&!Lh85uG
zec0vJY_6e`tg7LgfrJ3k!DjR)Bi#L@DHIrZ`sK=<5O0Ip!fxGf*OgGSpP@Hbbe&$9
z;ZI}8lEoC2_7;%L2=w?tb%1oL0V+=Z`7b=P&lNGY;yVBazXRYu;+cQ<d^ZC}lYirx
z)hZjd3qKHeGus^Y+enhww8u%4lE|(|Z6qnX?I}@3Q1b~uMX2mD2SFAFYnI`H<@TW6
z_W((t!X&)`@PpH2wi2iW=uqjmv(p=oqs&Y%b9;Nf0OWslW9*Nb&oWZEt+0AVS&R~u
z_Wf#$fP|$gQ9fiHWGF1iGfW}Wb;*#iU5QAsVTwY*RhU@;t!16`ZZ<f|b==EnUgA$9
z4GDXmcVu4RoyBc?5+IzLNU`y7!@x5Q-0Qn*X9{dMTclVEa<*>DKvm*7NCxu&i;zub
zAJ<l&f69)KP9=Oa-e|<}G6{v&t3Gsy-GA$_$uw;4(^(<e6x2^i-<E!;86)%4VjM%-
z<_j^P(DEMAyY~*<c=R4aPSMdD=QV?HQb>h#11%?w>E2rf2e~C4+rAb-&$^vsdACs7
z@|<k_fU+PhC9U|KK^m>Ra!OfVM(ke{vyiqh7puf&Yp6cd6{DptUteYfIRWG3pI+5<
zBVBI_xkBAc<(p<um#S5<Wtzr=ckJ6;=I>cb$!Y%dTW(b;B;2pOI-(QCsLv@U-D1XJ
z(Gk8Q3l7Ws46Aktuj>|s{$6zA&xCPuXL-kB`CgYMs}4IeyG*P51IDwW?8UNQd+$i~
zlxOPtSi5L|gJcF@DwmJA5Ju8HEJ>o{{upwIpb!f{2(vLNBw`7xMbvcw<^{Fj@E~1(
z?w`iIMieunS#>nXlmUcSMU+D3rX28f?s7z;X=se6bo8;5vM|O^(D6{A9*ChnGH!RG
zP##3>LDC3jZPE4PH32<r6$U<HX=R_L2D`8>AxrqPk|yIIrq~`aL-=}`okhNu9aT%q
z1b<WnlSbT*V4<ymTCe0MD#5~7Whz|=;>)7iJ)CN=V#Ly84N_r7U^SH2FGdE5FpTO2
z630TF$P>GNMu8`rOytb(lB2};`;P4YNwW1<5d3Q~AX#P0aX}R2b2)`rgkp#zTxcGj
zAV^cvFbhP|JgWrq_e`~exr~sIR$6p5V?o4Wym3kQ3HA+;Pr$bQ0(PmADVO%MKL!^q
z?zAM8j1l4jrq|5X+V!8S*2<l)&qsCusW$QhU{vI`y!|$e;d+{bf(RH@<)nJ517c7s
zDim)TBb^~cK*c)35Gg|q1$&KAYNncsQOHJ|nu#)~+T76>Wl@=7*pPgciTVK6kS1Ge
zMsd_u6DFK$jTnvVtE;qa+8(1sGBu~n&F%dh(&c(Zs4Fc#A=gG^^%^AyH}1^?|8quj
zl@Z47h$){PlEL<j^JXcV*jDSt#inW`1Gn}CBm-N=8TRh<K)!JpM`mq>JgYZCIHHL=
z{U8O>Tw4x3<1{?$8>k-P<}1y9DmAZP_;(3Y*{<b??kNj&VqPGa79d@(m$2L68%nd!
z{_JjeX;XQdwTu-^XN2zhv1k+fQHndX43k}u83t_z&A52ZBFI*?6D8Q{uBSWGwQ#nR
zSnaCVwkuW{YP1TLJ@kJx_A>Sk^H^A=_iSJ@+s5ktgwTXz_2$~W9>VVZsfwCm@s0sQ
zeB50_yu@uS+e7QoPvdCwDz{prjo(AFwR%C?z`EL{1`|coJHQTk^nX=tvs1<0arUOJ
z!^`*x&&BvTYmemyZ)2p~{%eYX=JVR?DYr(rNgqRMA5<s3FN;{WX^H?!5dAC7_ToT&
z049v%;5~bT4K%9GqC;d+sXL`9S9+;oZpLE#7knG~OKbHmpUA?yU6n&99^Z!ZI?xYz
z{BGz0U$>E1PR1Iw=prk=L2ldy3r3Vg@27IZx43+ywyzr-X*p*d@tZV+!U#~$-q=8c
zgdSuh#r?b4GhEGNai)ayHQpk>5(%j5c@C1K3(W1pb~HeHpaqijJZa-e6vq_8t-^M^
zBJxq|MqZc?pjXPIH}70a5vt!IUh;l}<>VX<-Qcv^u@5(@@M2CHSe_hD$VG-eiV^V(
zj7*9T0?di?P$FaD6oo?)<)QT>Npf6Og!GO^GmPV(Km0!=<c9QK{JSBnxbTl~S4d3F
zZhX~`iBZf``YC!s;R3x;^$k-@k$#)|!OTN1novAwmG;&P2)PD!FyXg4r(4gHh?ySe
z7<%V?@*d*j&#%W*MAHm*B6GjS8B_74D&Msq691~iVscJ{Zps}t4Abjxm(LlYOjt<z
z0=dj7A`k(bp)&5Hm__k9JT(e0PyOe3?@>+dE&bk#SNI+C9RGQ|{~O*VC+tXK3!n`5
zHfl6>lwf_aEVV3`0T!aHNZLsj$paS$=LL(?b!Czaa5bbSuZ6#$_@LK<(7yrrl+80|
z{tOFd=|ta2Z`^ssozD9BINn45NxUeCQis?-BKmU*Kt=FY-NJ+)8S1ecuFtN-M?&42
zl2$G>u!iNhAk*HoJ^4v^9#ORYp5t^wDj6|lx~5w45#E5wVqI1JQ~9l?nPp1YINf++
zMAdSif~_ETv@Er(EFBI^@L4BULFW>)NI+ejHFP*<T<d*k5U>T}UhWNN`I)RRS8za?
z*@`1>9ZB}An%aT5K=_2iQmfE;GcBVHLF!$`I99o5GO`O%O_zLr9AG18>&^HkG(;=V
z%}c!OBQ~?MX(9h~tajX{=x)+!cbM7$YzTlmsPOdp2L-?GoW`@{lY9U3f;OUo*BwRB
z8A+nv(br0-SH#VxGy#ZrgnGD(=@;HME;yd46EgWJ`EL%oXc&lFpc@Y}^>G(W>h_v_
zlN!`idhX+OjL+~T?19sroAFVGfa5tX-D49w$1g2g_-T|EpHL6}K_aX4$K=LTvwtlF
zL*z}j{f+Uoe7{-px3_5iKPA<_7W=>Izkk)!l9ez2w%vi(?Y;i8AxRNLSOGDzNoqoI
zP!1uAl}r=_871(G?y`i&)-7{u=%nxk<TF^9;4ekh$qpT49mIUTo!QB3IxD^Xo8$2N
z0jCW$vUnPpla#O+%Oja`23x?g8&sst<rR<!i-fJAT!pW4qQWcl7>7CZ_Qh#!|ITec
zwQn`33GTUM`;D2POWnkqngqJhJRlM>CTONzTG}>^Q0wUunQyn|TAiHzyX2_%ATx%P
z%7gW)%4rA9^)M<_%k@`Y?RbC<29sWU&5;@|9thf2#zf8z12$hRcZ!CSb>kUp=4N#y
zl3hE#y6>kkA8VY2`W`g5Ip?2qC_BY$>R`iGQLhz2-S>x(RuWv)SPaGdl^)gGw7tjR
zH@;jwk!jIaCgSg_*9iF|a);sRUTq30(8I(obh^|}S~}P4U^BIGYqcz;MPpC~Y@k_m
zaw4WG1_vz2GdCAX!$_a%GHK**@IrHSkGoN>)e}>yzUTm52on`hYot7cB=oA-h1u|R
ztH$11t?54Qg2L+i33FPFKKRm1aOjKST{l1*(nps`>sv%VqeVMWjl5+Gh+9);hIP8?
zA<Q7k-wX5MjEY4*mC%%h!I%wsiVeW4+`u*(F}G%hLu4v_No<?+)c0h3mM0wvOcTzb
z6mLpttd1pgh;LPDfUyEl9?m3fSr8}4WkXDbERL<t;7gDrg+uTPTiBati$g>@$?}Sc
z3qIRpba+y5yf{R6G(u8Z^vkg0Fu&D-7?1s=QZU`Ub{-!Y`I?AGf1VNuc^L3v>)>i#
z{DV9W$)>34<d17om!!)9&{`T5uHYJXV$G;?A+9420_wrs59Q5xU_?zk<S-MZw#YF!
z)5TK_({W1E10+oWfpH?yLthllM<4BAQSN*>wnzAXUiV^ZpYKw>UElrN_5Xj6{r_3|
z$X5PK`e5$7>~9Dj7gK5ash(dvs`vwfk}&RD`>04;j62zoXESkFBklYaKm5seyiX(P
z<ID{omUfJz++3+6M6A3|He)%RuG>qQ-;XxlV*yg?Dhlx%xt!b0N3GHp@(p$A;8|%#
zZ5m2KL|{on4nr>2_s9Yh=r5ScQ0;aMF)G$-9-Ca6%wA`Pa)i?NGFA|#Yi?{X-4ZO_
z^}%7%vkzvUHa$-^Y#aA+aiR5sa%S|Ebyn`EV<3Pc?ax_f>@sBZF1S<H?5z{)#QL{V
zr*a_q>;7y$CXd5t5=WGsTKBk8$OfH4v|0?0I=Yp}7c=WBSCg!{0n)XmiU;lfx)<uN
zPvr+1FFDIM@A4#y;a<?S=xTH`XYK!+^->**zZaYqmDJelxk$)nZyx5`x$6R|fz(;u
zEje5Dtm|a%zK!!tk3{i9$I2b{vXNFy%Bf{50X!x{98+BsDr_u9i>G5%*sqEX|06J0
z^IY{UcEbj6LDwuMh7cH`H@9sVt1l1#8kEQ(LyT@&+K}(ReE`ux8gb0r6L_#bDUo^P
z3Ka2l<H7(tNv_ycRF43oWEx{?2ychJaXYk!nafC$;QPt)Dhl%pHY&kHF=u*jMxFxR
z8hs|e%r39oE}ts%zE`x;@(JZF%`*hV&TQs;k7&^PC%_|U=Z^yM6XVPX3WWp6H|w9J
z45Q%jM?z_P7Kg74lHMQ_-ZVr_NbHvg3EMK85#qK7Y#v#ov_?2?Wu|DHo1}82@XlNo
z*7dav>Ro52Hdtl_%+pwVs14=q`{d^L58PsU@AMf(hENumaxM{7iAT5sYmWh@hQCO^
zK&}ijo=`VqZ#a3vE?`7QW0ZREL17ZvDfdqKGD?0D4fg{7v%|Yj&_jcKJAB)>=*RS*
zto8p6@k%;&^ZF>hvXm&$PCuEp{uqw3VPG$9VMdW5$w-fy2CNNT>E;>ejBgy-m_6`&
z97L1p{%srn@O_JQgFpa_#f(_)eb#YS>o>q3(*uB;uZb605(iqM$=NK{nHY=+X2*G)
zO3-_Xh%aG}fHWe*==58zBwp<ewOv=l7F;`(EW(2I^P`O~+>%&`mg<U+`XEp_tI#7M
zlHXq!JFASK8=TxtsItown-vYtx@G%cb7t%FpgERtlejdO-?8O0py|EQiBWNJ#diHb
z8h^Y>e<8uq8;xIxOd=P%9EK!34^E9sk|(Zq1QSz-JVeP12Fp)-`F|KY$LPwUE?rku
zY@OJ)Z9A!ojfzfeyJ9;zv2EM7ZQB)AR5xGa-tMn^bl)FmoIiVyJ@!~@%{}qXXD&Ns
zPnfe5U+&ohKefILu_1mPfLGuapX@btta5C#gPB2cjk5m4T}Nfi+Vfka!Yd(L?-c~5
z#ZK4VeQEXNPc4r$K00F<wRh*06<c<Cw!0P4***aS+tgLJ2H$n=v+UM@P`jG9HJHW0
zeqBot9>g>g#_W!YZ)cJ?JTS<&68_$#cZT-ME`}tcwqg3#``3M3UPvn+pi}(VNNx6y
zFIMVb6OwYU(2`at$gHba*qrMVUl8xk5z-z~fb@Q3Y_+aXuEKH}L+>eW__!IAd@V}L
zkw#s%H0v2k5-=vh$^vPCuAi22Luu3uKTf6fPo?*nvj$9(u)4$6tvF-%IM+3pt*cgs
z_?wW}J7VAA{_~!?))?s6{M=KPpVhg4fNuU*|3THp@_(q!b*hdl{fjRVFWtu^1dV(f
z6iOux9hi&+UK=|%M*~|aqFK{Urfl!TA}UWY#`w(0P!KMe1Si<jiK`FCX|r(xrQ!0U
zNF-2!m|??dd%b!3w5!;b;@Y>{8|o))Gy6d7;!JQYhgMYmXl?3FfOM2nQGN@~Ap6(G
z3+d_5y<nkN(o+zEYZBPE7qE4X4RTq~xP<0UuT}eq);wA`P~5mS&}Ni6sX$kQ!#Y14
zw<=&7Ca^#oAVnvbz-T-b@50=C)>@=nkpKAhRqf{qQ~k7Z$v&l&@m7Ppt#FSNzKPZM
z8LhihcE6i=<(#87E|Wr~HKvVWhkll4iSK$^mUHaxgy8*K$_Zj;zJ`L$naPj+^3zTi
z-3NTaaKnD5FPY-~?Tq6QHnmDDRxu0mh0D|zD~Y=vv_qig5r-cIbCpxlju&8Sya)@{
zsmv6XUSi)@(?PvItkiZEeN*)AE~I_?#+Ja-r8$(XiXei2d@Hi7<U!}O-C%Wp93|!6
z_maftKQVDsmc-oSX^Wf5%~c*ohRjQuXO7WUoJr4mKQ1O_S_G_rS=b~3S&JLLEOKDV
z{3LUpGl1vt1pkI#r_j=V*y<p!g}(O0?op0V5}i0e<PEWYB8x5J4<%9#9y9X9M*bUx
zicdfReJ#lhlVUp=<yC<tza847t{vKR$R*ci-p`+Gl}ts*E09J&7%h92yemiDYmk~}
zTm@z(hV@tXo`0Xdz4V~IJu7i|)?jOn6Nt~0dUv^z2PHbxR-jssAHfY`%7{ql=vzVB
zs_4Na@y!!YjTV?bkxAK(=I=549YO&vP5F{dsX_6-68_n)LiIx2IwV=E#EmY<Yodu6
z9z7+@5zk>Rx8+rZZb?ZLa{;@*EHeRQ-YDadz~M*YCM4&F-r;E#M+@CSJMJ0oU|PQ^
z=E!HBJDMQ2TN*Y(Ag(ynAL8%^v;=~q?s4plA_hig&5Z0x_^Oab!T)@6kRN$)qEJ6E
zNuQjg|G7iwU(N8pI@_6==0CL;lRh<Er=!!1>1dQF#wePhmu@hADFd3B5KIH#dx(2A
zp~K&;Xw}F_N6CU~0)<woWpm{<(lL~%8t8hZ?O>QpQk7s$a+LcTOj1%=WXI(U=Dv!6
z{#<#-)2+gCyyv=Jw?Ab#PV<kuPJ4UouiQa>kxPDeH|sAxyG`|Ys}A$PW4TdBv%zDz
z^?lwrxWR<%Vzc8Sgt|?FL6ej_*e&rhqJZ3Y>k=X(^dytycR;XDU16}Pc9Vn0>_@H+
zQ;a`GSMEG64=JRAOg%~L)x*w{2re6DVprNp+FcNra4VdNjiaF0M^*<Z21jxz28!z4
z)+Qw^>>Cd<OYjfTeBDpnxINod_ps<v{(V~~r+~z4oEIjOYCK|$#(JnCT7;!!Y}f=y
zFNsGLXIqR_Lc24Epk`I91kx04#KNLQB=sN}`>Pkt(m150rCue?FVdL0nFL$V%5y6N
z%eLr5%YN7D06k5ji5*p4v$UMM)G??Q%RB27IvH7vYr_^3>1D-M66#MN8tWGw>WED}
z5AhlsanO=STFYFs)Il_0i)l)f<8qn|$DW7ZXhf5xI;m+7M5-%P63XFQrG9>DMqHc}
zsgNU9nR`b}E^mL5=@7<1_R~j@q_2U^3h|+`7YH-?C=vme1C3m`Fe0HC>pjt6f_XMh
zy~-i-8R46QNYneL4t@)<0VU7({aUO?aH`z4V2+kxgH5pYD5)wCh75JqQY)jIPN=U6
z+qi8cGiOtXG2tXm;_CfpH9ESCz#i5B(42}rBJJF$jh<1sbpj^8&L;gzGHb8M{of+}
zzF^8VgML2O9nxBW7AvdEt90vp+#kZxWf@A)o<TP7Iv6D<p-`geitU42O0|5*#cI2&
zD#rHm-Vc3+vP+a)$@(=16*wM+J-aXvee~$jPN+y)1J;9JyU$}nCH;?MkiD^?^{YXd
z()hszm1?+Vl-hdUHRO1qu43l7<f-+JFAVi;sMe)sVUTGeF5*U18gVs~b3a#HICwn?
zOc3D$MdBtKd+A-2`!?hp+dNtbrf)b+gMTQ^qA%J;1l0Bf$I4T>9f9}vKJy9NDBjBW
zSt=Hcs=YWCwnfY1UYx*+msp{g!w0HC<_SM!VL1(I2PE?CS}r(eh?{I)mQixmo5^p#
zV?2R!R@3GV6hwTCrfHiK#3Orj>I!GS2kYhk1S;aFBD_}u2v;0HYFq}Iz1Z(I4oca4
zxquja8$+8JW_EagDHf$a1OTk5S97umGSDaj)gH=fLs9>_=XvVj^Xj9a#gLdk=&3tl
zf<JQN-rLl3?(b@3I(eFE1!7*!5QjuNkUcQB*{SCO?Dz6>mK9MNnIX9v{?%xdw7568
zNrZ|roYs(vC4pHB5RJ8>)^*OuyNC>x7ad)tB_}3SgQ96+-JT^Qi<`xi=)_=$Skwv~
zdqeT9Pa`LYvCAn&rMa2aCDV(TMI#PA5g#RtV|CWpgDYRA^|55LLN^u<JFRGA?x);o
z`Z~}R6`4W#%h(d)aQ>Nh*gOU>Z=a06qJ;$C9z8;n-Pq=qZnc1zUwJ@t)L;&NN+E5m
zRkQ(SeM8=l-aoAKGKD>!@?mWTW&~)uF2PYUJ;tB^my`r9n|Ly~0c%diYzqs9W#<S`
z2%`mn3A&KL|FUYx1DDYTb2GMnO1WEyfJ-eVoSqd~=r!kw@InSGE<>FTjy?h&X3TnH
zXqA{QI82sdjPO->f=^K^f>N`+B`q9&rN0bOXO79S&a9XX8zund(kW7O76f4dcWhIu
zER`XSMSFbSL>b;Rp#`CuGJ&p$s~G|76){d?xSA5wVg##_O0DrmyEYppyBr%fyWbbv
zp`K84JwRNP$d-pJ!Qk|(RMr?*!wi1if-9G#0p>>1QXKXWFy)eB3ai)l3601q8!9JC
zvU#ZWWDNKq9g6fYs?JQ)Q4C_cgTy3FhgKb8s&m)DdmL5zhNK#8wWg!J*7G7Qhe9VU
zha?^AQTDpYcuN!B+<Y^i3NB&h=8l2*^8*j@dwN-$SX`JG4?X#EO)n_d+Mm*qNtLvW
z1{=j+)$5S8QKKaCKpO>#1dE*X{<#!M%zfUQbj=zL<r~1!%Q56_&?RVt*j39RdBbdU
zvt>E{dW0XeQ7-oIsGY6RbkP2re@Q{}r_$iiH0xU%iN*ST`A)-EH6eaZB$GA#v)cLi
z*MpA(3bYk$oBDKAzu^kJoSUsDd|856DApz={3u8sbQV@JnRkp2nC|)m;#T=DvIL-O
zI4vh;g7824l}*`_p@MT4+d`JZ<NgM|d-wED*_BDR=X2CYG0s+@tH~}mHA<v@@*LLa
zcTk2OQd|qCF;Irq7ZT2t<bCnFzjKHMYi_FEX5uA1sMB~b=-gExnk*fx9Jolk@GBaP
zo2{A-B!6SMvS~u~??*1DY*%B^{i&5Xid$7&jHLv;Csgpyh12H&Wr+sb8jR356U$OH
z#keINf2882?;$z(=9b`_o!xWZsvxb)AId~zQ-ypi#22f~snWv+_Q$md&MYLZH1*5&
zgU2`BbMmltaER}JO!m5!`^u~)I>2%6NQh=N9bmgJ#q!hK@_<`HQq3}Z8Ij>3%~<*=
zcv=!oT#5xmeGI92lqm9sGVE%#X$ls;St|F#u!?5Y7syhx6q#MVRa&lBmmn%$C0QzU
z);*ldgwwCmzM3ug<bwv^{e8k-I_Ia))Ca<<K85KO7s<Z8_qINV*w7o<JN><pez`8$
z*U(_%(Oddx;Dy@<By6!p<ae@SHe5;+DISJZbTAq-U`Q`A1)YLa`3xqvnU#=JMDwvc
zT=fd_B(g|SbuM?{hEp2{k!4hh2k1}qTl{TSl*cD|duWT^U1%zqX9UbNuTdGS)?ic-
zFWu0OzODT7)oL^9a3Iy*#7Rk@72_$KGruLmz}W@8{rhO(Lndv7z61c>lr}!Z2G+?&
zf%Dpo&mD%2ZcNFiN-Z0f;c_Q;A%f@>26f?{d1kxIJD}LxsQkB47SAdwinfMILZdN3
zfj^HmTzS3Ku5BxY>ANutS8WPQ-G>v4^_Qndy==P3pDm+Xc?>rUHl-4+^%Sp5atOja
z2oP}ftw-rqnb}+khR3CrRg^ibi6?QYk1*i^;kQGirQ<G&YKu_KEA~r2_|MY6U!vEc
zYq^WKw2*I=^(R7(!~~v`>=uB9Sd1NTfT-Rbv;hqnY4neE5H1YUrjS2m+2&@uXiAo-
zrKUX|Ohg7(6F(AoP~tj;NZlV#xsfo-5reuQHB$&EIAhyZk;bL;k9ouDmJNBAun;H&
zn;Of1z_Qj`x&M;5X;{s~iGzBQTY^kv-k{ksbE*Dl%Qf%N@hQCfY~iUw!=F-*$cpf2
z3wix|aL<TqR7Y;}gRV7Q6u)-qpm%oMjSmV6D=p0OrNXwr5;y^b5cF7C7&Mp&D`?Ob
z8ESq3ScyN7w@J>BV0b;W@z^%7S{>9Z^T^fLOI68_;l@+Qzaxo`nAI8emTV@rRhEKZ
z?*z_{oGdI~R*#<2{bkz$G~^Qef}$*4OYTgtL$e9q!FY7EqxJ2`zk6SQc}M(k(_MaV
zSLJnTXw&@djco1~a(vhBl^&w=$fa9{Sru>7g8SHahv$&Bl(D@(Zwxo_3r=;VH|uc5
zi1Ny)J!<(KN-EcQ(xlw%PNwK8U>4$9nVOhj(y0l9X^vP1TA>r_7WtSExIOsz`nDOP
zs}d>Vxb2Vo2e5x8p(n~Y5ggAyvib>d)6?)|E@{FIz?G3PVGLf7-;BxaP;c?7ddH$z
zA+{~k^V=bZuXafOv!RPsE1GrR3J2TH<Ny`yVx$sah_BnMO|Vl_4M%y|BVBOcD(&Tf
zIi%w5mBkQA-m8WhIS+m)@HEq^i=}^RPX#BvtKJYieRDhM9CpMXBxjmn?hoV<pKsfM
zQ3`)(<)?1Do&LG^9T4w<TIx#Djhk>9uB=Z67gok+u`V#}BR86hB1xl}H4v`F+mRfr
zYhortD%@IGfh!JB(NUNSDh+qDz?4ztEgCz&bIG-Wg7w-ua4ChgQR_c+z8dT3<1?uX
z*G(DKy_LTl*Ea!%v!RhpCXW1WJO6F`bgS-SB;Xw9<cxOL&fF^435YAz<*2lIsx>#!
z<*K}=#wVu9$`Yo|e!z-CPYH!nj7s9dEPr-E`DXUBu0n!xX~&|%#G=BeM?X@shQQMf
zMvr2!y7p_gD5-!Lnm|a@z8Of^EKboZsTMk%5VsJEm>Vs<fWSaAAk=E0a4xz;CoE+n
zvV|`k(cS-gI#<~znD&6(Dyi8%>J4W7Kv{<|#4f-qDE$D-W>gWT%<wM^e7+vR+ZVxu
zJA%k!wV1jm=-?CPfHci1I%oS6_$rRC_i%Dy1_C}}(R>z-!qXnDHhOvLk=?^a1*|0j
z{pW{M0{#1VcR5;F!!fIl<yJC4LQf<m+NFcvrhH-9Oq`TslF!sxh9CTya<1|Z@Sf8S
z#)!cL{VHJYkWIKNj^M2D@K4#yCJQKlT2}zO7tRTvNED*cmVv~6G8g$V6W>LVNh_Gj
zbnW(_j?0c2q$EHIi@fSMR{OUKBcLr{Y&$hrM8XhPByyZa<R$b|!F4rBVu<@_&`m0`
zvC-aJ+X!p>Xy|dd&{hYQRJ9@Fn%h3p7*VQolBIV@Eq`=y%5BU~3RPa^$a?ixp^cCg
z+}Q*X+CW9~TL29@OOng(#OAOd!)e$d%sr}^KBJ-?-X&|4HTmtemxmp?cT3uA?md4%
zT8yZ0U;6Rg6JHy3fJae{6TMGS?ZUX6+gGTT{Q{)SI85$5FD{g-eR%O0KMpWPY`4@O
zx!hen1*8^E(*}{m^V_?}(b5k3hYo=T+$&M32+B`}81~KKZhY;2H{7O-M@vbCzuX0n
zW-&HXeyr1%I3$@ns-V1~Lb@wIpkmx|8I~ob1Of7i6BTNysEwI}=!nU%q7(V_^+d*G
z7G;07m(CRTJup!`cdYi93r^+LY+`M*>aMuHJm(A8_O8C#A*$!Xvddgpjx5)?_EB*q
zgE8o5O>e~9IiSC@WtZpF{4Bj2J5eZ>uUzY%TgWF7wdDE!fSQIAWCP)V{;HsU3ap?4
znRsiiDbtN7i9hapO;(|Ew>Ip2TZSvK9Z^N21%J?OiA_&eP1{(Pu_=%JjKy|HOardq
ze?zK^<n_C~sSO$T&zHJ&gqMJm2ooswNa9fe;pI&q8BGtsLvsv{E`UcDopP-qDeO>K
zA%sj<KGR#nku^U`P7U%dm^(-)^vJ8a7zEx#hISA%f9a1Ybx@Dr&>F64*Wufad%H<)
z^|t>e*h+Z1#l=5wHexzt9HNDNXgM=-OPWKd^5p!~%SIl>Fo&7BvNpbf8{NXmH)o{r
zO=aBJ;meX1^{O%q;kqdw*5k<?!FYD}X~SRg{bAptI6CT~WZcECii<d{!~H9SptJA{
z(IMO5d`_qI=h*DGo=n0v@_q*TN1Rb~B&ITpk8DJlRXa*ROudIg-K94et8*W|ahl(A
z2RLvW1}v%VuO9`Ef9t?PKUXTW2f&D}3vrtNJ87$D?Y9if%$|t@;m`i#_BSRV)jj(n
z<)v7wOK4@tW$UKKWR0fsc^c<~vm5M`u2vnP<@`C7-1h}V)vH?GIQ6kut>!Y7%t_30
zy{nGRVc&5qt?dBwLs+^Sfp;f`YVMSB#C>z^a9@fpZ!xb|b-JEz1LBX7ci)V@W+k<d
z?qR|O?7_P?Q6<qQfw{t}<omxO-y4wzz13f^3s3)!sA+n!=}0n9^jL6z6UFtDDE}Mp
z!BsppJn%YvdkxcpH0L^o3RScOB1lQrKBaMr+6<a345~U+wL$oOCB}VtK17ZH;V1Ue
zdj4e4ug6v=rEE8!n9=MxEf@easRS`JT*=LVd(P_|@2%P^bJF0dJak~<TFSD+7ZH;0
zk0}Z5&3UxSBxu~{Rz*8BKG13&fcf@9dyUN>vQ89KWA0T~L<vZ;GW*aTR}HF1-jedY
z#-MsfGyBFAcQAdcd`Yx-bcvlJbsoc$%4C5;EuOf%FC1$=NHxR@P$wjlROtPJ?~8@j
z{p*zq)|ri!j1uu-Pw*x?ETPT6(jkMz{tB)03YK+l%8c_vwo>j$aCcfW#nD5bt&Y_<
z-q{4ZXDqVg?|0o)j1%l0^_it0WF*LCn-+)c!2y5yS7aZIN$>0LqNnkujV*YVes(v$
zY@_-!Q;!ZyJ}Bg|G-~w@or&u0RO?vlt5*9~yeoPV_UWrO2J54b4#{D(D>jF(R88u2
zo#B^@iF_%S>{iXSol8jpmsZuJ?+;epg>k=$d`?GSegAVp3n$`GVDvK${N*#L_1`44
z{w0fL{2%)0|E+qgZtjX}itZz^KJt4Y;*8uSK}Ft38+3>j|K(PxIXXR-t4VopXo#9#
zt|F{LWr-?34y`$nLBVV_*UEgA6AUI65dYIbqpNq9cl&uLJ0~L}<=ESlOm?Y-S@L*d
z<7vt}`)TW#f%Rp$Q}6@3=j$7Tze@_uZ<ObsOT=LjG!@YPQ+Y%TP2q;%&e6bD0<;#D
zn1mKO23ndd^;;2ec_vb`0m}1R5{A-e6@I<Gaf6P$y+!C|ZytXPFNr}*6sJD;{rbI+
zRwg~nC(gjZ<H0G$h5d*YGLSy%7k#zcB&IGLVazVInCg9bgF6KKKSeDarF+`2IFlWj
z%#J~%w5&}@qlKlZ9XX8WVB)+9_$hOD{jg_1meULyOnTAY(X(RGDVFl%IWWYYn*#Gf
zs5wy97!DZR>O@aMn<|si{?S}~maII`VTjs&?}jQ4_cut9$)PEqMukwoXobzaKx^MV
z2fQwl+;LSZ$qy%Tys0oo^K=jOw$!YwCv^e<e%~cuMqeXJnyNEIpgKcP&BSGZ3-V#G
zgnyc%fsRb47ImAxDT<IihCipil@oTF)0wHSZ%ab4RM$MVn<5Pqo=k;p=s1{wkr4K3
zPn=Vq->i4NBVauL)tN%=wz9M{uf{IB(BxK|lT*pFkmN<Z(NFM5`sDgUq1$L^2{X$m
zQ<@5WTkRGfqF>K_1tV`nb%jH=a0~VNq2RCKY(rG7jz!-D^k)Ec)yS%17pE#o6&eY+
z^qN(hQT$}5F(=4lgNQhlxj?nB4N6ntUY<e6n(3tLO%M0YHj0diWfkmtmb0?9X&BDU
zs6Tl5CHz~g>6(?+R#B?W3hY_a*)hnr4PA|v<bL3cOEhhyT5k=(qGlmAL3eDw%3aS)
z+mMt2HXmQhxUE+tIpq`0N<C;yWn7~iBEGnslqQO0EY^z~!M$i!^_m>J<6p`K3Z5Hy
z{{8(|ux~NLUW=!?9Qe&WXMTAkQnLXg(g=I@(VG3{HE13OaUT|DljyWXPs2FE@?`iU
z4GQlM&Q=T<4&v@Fe<+TuXiZQT3G~v<S1*NrZ8z<H*IRys?O`Oqz|}FcV<W%7zks=K
zjhgy^OR8^T{XcG5A)q#Ixd7)hWJZgOgp%s-!KiICJ<7)nHG%9IeF-=|(W+fGO(~eL
zUZW|&`a8*ZnEW_JOqB-k$82w~>Z&^POfmI1K2h6t4eD}Gk5XFGpbj1n_g*{qmD6Xy
z`6<o)fI|_!EcP+Bw?+2|y3t!@@OewwE@am14Pw<&ymmicd%g=pQX-4Dl6iXM5Mi<r
zx3XG;>Vv|lLZtLmrnv*{Q%xxtcWVj3K4M%$bdBk_a&ar{{GWyu#ljM;dII;*jP;QH
z#+^o-A4np{@|Mz+LphTD0`FTyxYq#wY)*&Ls5o{0z9yg2K+K7ZN>j1>N&;r+Z`vI|
zDzG1LJZ+sE?m?>x{5LJx^)g&pGEpY=fQ-4}{x=ru;}FL$inHemOg%|R*ZXPodU}Kh
zFEd5#+8rGq$Y<_?k-}r5zgQ3jRV=ooHiF|@z_#D4pKVEmn5CGV(9VKCyG|sT9nc=U
zEoT67<jXapz33SQGdVleW*J=p6l-iq5HGgGZNX3gcnDtqDqT6Lxf&Cy#Ap6*__@(N
zI9l&1+PZ(2&t7;rjbr<N3;GXPQmR+Jb=l@GOikZr!v7KeKwAmIz6g%ucSA?oWgocV
zk;d7L7JWl9$p0E+2q4zN?=f=Aph6SF??-{0uw#y<{6dXC$UJvvFots-eZ*CWmiR<m
z^L^@#CZ2{u<>R`C->KY8Wp-fEcjjFm^;Cg(ls|*ABVHq8clBE(;~K^b+S>6uj70g?
z&{XQ5U&!Z$SO7zfP+y^8XBbiu*Cv-yJG|l-oe*!s5$@Lh_KpxYL2sx`<G0?@o|1&5
z++RB?zrCfT7`A&iZHeO}uiAn(9Y;?H+|QxaD&F$T&wYPv^@%QzORq4V7h)QaA?IS+
zFB!z6yTuA4F{2w*bnO?o`KM7U>B|V=dETN>5K+C+CU~a_3cI8{vbu$TNVdGf15*>D
zz@f{zIlorkY>TRh7mKuAlN9A0>N>SV`X)+bEHms=mfYTMWt_AJtz_h+JMmrgH?mZt
zm=lfdF`t^J*XLg7v+iS)XZROygK=CS@CvUaJo&w2W!Wb@aa?~Drtf`JV^cCMjngVZ
zv&xaIBEo8EYWuML+vxCpjjY^s1-ahXJzAV6hTw%ZIy!FjI}aJ+{rE&u#>rs)vzuxz
z+$5z=7W?zH2>Eb32dvgHYZtCAf!=OLY-pb4>Ae79rd68E2LkVPj-|jFeyqtBCCwiW
zkB@kO_(3wFq)7qwV}bA=zD!*@UhT`geq}ITo%@O(Z5Y80nEX~;0-8kO{oB6|(4fQh
z);73T!>3@{ZobPwRv*W?7<u$fR#FIIDQ|?d;-=4~nL_DQNR_L(s2gGB|Bi%bXbI)!
ztn@6?NW&ORN!+hVmb|xpUMHeP-Y*-8YoeQ$=7K(Sd>m0Ml9GmJBCJd&6E?hdj9lV=
z4flNfsc(J*DyPv?RCOx!MSvk(M952PJ-G|JeVxWVjN~SN<fFWRb2=9964Bd}-9L0#
za&bfyJOi!#T%8p@)e{#M*HC~_RDcB;kF@?XCf0o$;#0Tz<%{^IxQ6b()`kCzGw`pn
zvVV06qCVS*7lZ)(o7Gp6ekOkuzzxs?O%%&Yp1+cWnn|fKYX<Z-8@MV#wqF)qqV5*o
zSnWk1rIdh6FPQo!-hS8qsY!O5JD<AlIn95(ae6Jd?fWIAFM+L&sw_o{)ZY*mza^{a
zFgSda?4Av^CAF7cj@(}R6JgOpyFKsFTD;d44h4&<Jz-_1F5J{G+LW?&6IhxYcs@xb
zl@w&aT)k@tK}w%(8c;t<C(7s<T@#tgO(Q)4E9>S6n-_Ge3Q;TGE;EQvZg86%wZ`MB
zSMQua(i*R8a75!6$QRO^(o7sGoomb+Y{OMy;m~Oa`;P9Yqo><o$qrN{Uy#{EYZAYV
zhkQ~i`~tBVbX%VYXh`B$bAR$*>?bJAhqXxLr7_3g_n>f#UVtxG!^F#1+y@os6x(sg
z^28bsQ@8rw%Gxk-stAEPRbv^}5sLe=VMbkc@J<s@rA3iE(48`CbnWn(=&3DF#J=}a
z4FTXYopd?mZI}}1ZlC8~VV`QLNWV;~TVEZ~uaDc-&}W%0xomagCDhH<gooe&naXnn
z<tUH-X!YNVZ5{|0$(F_l%}+PcEZ$(<;b4&E&i=){rcO+Hkk=zdTK^Ffd=*LS^6eUA
zUbs7^NXMxkl#^HyJ=dcJiSCooRo<stw%BQ{lj}<*D~N?4*Cut%z#~2r#dSIApv9<Q
zjHtNwb#+f5agUh9@-@^){GvYFJ5KG7zCVqj%Df~m{m3x+{p&MW3!dR+pvL^5ZRmC0
zC309}MqA9m^d9B_Vk}86VV~U#6&}A3g}?sHV+qTd>jimqjvmd!3E7+QnL>|(^3!R}
zD-l1l7*Amu@j+PWLGHXXaFG0Ct2Q=}5YNUxEQHCAU7gA$sSC<5OGylNnQUa>>l%sM
zyu}z6i&({U@x^hln**o6r2s-(C-L50tQvz|zHTqW!ir?w&V23tuYEDJVV#5pE|OJu
z7^R!A$iM$YCe?8n67l*J-okwfZ+ZTkGvZ)tVPfR;|3gyFjF<h<Cj<zZh5#4y5>)8V
zyXXN=!*bpyRg9#~Bg1+U<pnWYhrolu{FPCsV0iobLA4JkV_p&4r@K1M;NHG>DYCt0
ztp4&?t1X0q>uz;an<Pmca*5{xy^4kc>n$OrZs{5*r`(oNvw=$7O#rD|Wuv*wIi)4b
zGtq4%BX+kkagv3F9Id6~-c+1&?zny%w5j&nk9SQfo0k4LhdSU_kWGW7axkfpgR`8*
z!?UTG*Zi_baA1^0<wK9e#G~fPDt@KdN$SZ|%nA9j-17!`BH9vUH0o`1P&6J*h<;ef
zVW;53QYa7AXJdrlTA-n?%wp6d3?_b6<x05IZ{WEejqFp)B0lVPV-bRe>eda8S|@&F
z{)Rad0kiLjB|=}XFJhD(S3ssKlveFFmkN{Vl^_nb!o5M!RC=m)V&v2%e?ZoRC@h3>
zJ(?pvToFd`*Zc@HFPL#=otWKwtuuQ_dT-Hr{S%pQX<6dqVJ8;f(o)4~VM_kEQkMR+
zs1SCVi~k>M`u1u2xc}>#D!V&6nOOh-E$O&SzYrjJdZpaDv1!R-QGA141WjQe2s0J~
zQ;AXG)F+K#K8_5HVqRoRM%^EduqOnS(j2)|ctA6Q^=|s_WJYU;Z%5bHp08HPL`YF2
zR)Ad1z{zh`=sDs<zGHk8(=f(sFR?;R<HJ%pYo-KSa+@gOo;(hTO4p7NJfbujY~Kee
zGHQPHC}zX0H$dR?nrR`jLKzUvcA{-a5@SQ^UbQXYN=CS}aw?OAqkUt?H8F&>^&V}J
z%$Z$!jd7BY5AkT?j`eqMs%!Gm@T8)4w3GYEX~IwgE~`d|@T{WYHkudy(47brgHXx&
zBL1yFG6!!!VOSmDxBpefy2{L_u5yTwja&HA!mYA#wg#bc-m%~8aRR|~AvMnind@zs
zy>wkShe5&*un^zvSOdlVu%kHsEo>@puMQ`b1}(|)l~E{5)f7gC=E$fP(FC2=F<^|A
zxeIm?{EE!3sO!Gr7e{w)Dx(uU#3WrFZ>ibmKSQ1tY?*-Nh1TDHLe+k*;{Rp!Bmd_m
zb#^kh`Y*8l|9Cz2e{;RL%_lg{#^Ar+NH|3z*Zye>!alpt{z;4dFAw^^H!6ING*EFc
z_yqhr8d!;%nHX9AKhFQZBGrSzfzYCi%C!(Q5*~hX>)0N`vbhZ@N|i;_972WSx*>LH
z87?en(;2_`{_JHF`Sv6Wlps;dCcj+8IJ8ca6`DsOQCMb<Z@pezuQ&fWzt;cz#SUWI
zcqV2XJ90lftQ?~%HDz)~)GJXKcKN}4st=)aT3chrg_EA{?3LcT)!JaRZ}=sv*>3n#
z3)_w%FuJ3>fjeOOtWyq)ag|PmgQbC-s}KRHG~enBcIwqIiGW8R8jFeBNY9|YswRY5
zjGUxdGgUD26wOpwM#8a!Nuqg68*dG@VM~SbOroL_On0N6QdT9?)NeB3@0FCC?Z|E0
z6TPZj<t(m7DtKHBH@$**2Zo{c79USiF>(AsPtwCw>*{eDEE}Gby>0q{*lI+g2e&<d
zeHwJP(&NSri;iaCB`Kw+7PmoLhp%WLBbMtYj3S7->(YQrsY&uGM{O~}(oM@YWmb*F
zA0^rr5~UD^qmNljq$F#ARXRZ1igP`MQx4aS6*MS;Ot(1L5jF2NJ;de!NujUYg$dr#
z=TEL_zTj2@>ZZN(NYCeVX2==~=aT)R30gETO{G&GM4XN<+!&W&(WcDP%oL8PyIVUC
zs5AvMgh6qr-2?^unB@mXK*Dbil^y-GTC+>&N5HkzXtozVf93m~xOUHn8`HpX=$_v2
z61H;Z1qK9o;>->tb8y%#4H)765W4E>TQ1o0PFj)uTOPEvv&}%(_<LSzDTRe;Ie+2@
ztS!_=d%s5$G(s@--l3N6rQ)s8U_l;8K^1JNd@9$&rF%j>mG0ISmyhnQV33Z$#&yd{
zc{>8V8XK$3u8}04CmAQ#I@XvtmB*s4t8va?-IY4@CN>;)mLb_4!&P3XSw4pA_NzDb
zORn!blT-aHk1%Jpi>T~oGLuh{DB)JIGZ9KOsciWs2N7mM1JWM+lna4vkDL?Q)z_Ct
z`!mi0jtr+4*L&N7jk&LodVO#6?_qRGVaucqVB8*us6i3BTa<Q)$L85GR#EfdqV+R=
zf3l>^^EI0x%EREQSXV@f!lak6Wf1cNZ8>*artIJ(ADO*=<-an`3zB4d*oO*8D1K!f
z*<txU<LU~pP7SiW&ptI|Ssyh1rN!%<&LcD}5;B1lVw_<Fz9i;*7Icnh+iR{wkbxFv
zHQ>A@P1bZCNtU=p!742MrAj%&5v%Xp_dSX@4YCw%F|%Dk=u|1BOmo)HsVz)nD5USa
zR~??e61sO(;PR)iaxK{M%QM_rIua9C^4ppVS$qCT9j2%?*em?`4Z;4@>I(c%M&#cH
z>4}*;ej<4cKkbCAjjDsyKS8rIm90O)Jjgyxj5^venBx&7B!xLmzxW3jhj7sR(^3Fz
z84EY|p1NauwXUr;FfZjdaAfh%ivyp+^!jBjJuAaKa!yCq=?T_)R!>16?{~<b2tOP~
z47Nm=L%=a2H5%-;PoTI9Zf8Q{gX)6FgL99Sq~HCCHEEWym2icXnIe}8P_;ArgG0CO
zf`4Rr(ciS_AIGt|OsCGh)=l12V2IHdqu&-WW<-O!NRu$)_PXwf_YA1=lIto-SBdBp
zc;mWJN=QE`GD!ww=QztESZcD3U_Jx*+2x>p)FQ3LDoMyG%hL#pR!f@P%*;#90rs_y
z@9}@r1BmM-SJ#DeuqCQk=J?ixDSwL*wh|G#us;dd{H}3*-Y7Tv5m=<O-p8_PlVR?L
zh4I(^CY;zbW$TKH9!Xrci9D`~7Tt_MnPoyJiw3E%9=)V8`no!#&SD?Z3i8z<VyM}0
zABD#E*H)<&R|%HW;*e1VGvE8RGjpVF<el}tkQ-ZH>bQJMcH+_S`zVtf;!0kt*(zwJ
zs+kedTm!A}cMiM!qv(c$o5K%}Yd0|nOd0iLjus&;s0Acvoi-PFrWm?+q9f^FslxGi
z6ywB`QpL$rJzWDg(4)C4+!2cLE}UPCTBLa*_=c#*$b2PWrRN46$y~yST3a2$7hEH=
zNjux+wna^AzQ=KEa_5#9Ph=G1{S0#hh1L3hQ`@HrVnCx{!fw_a0N5xV(iPdKZ-HOM
za)LdgK}1ww*C_>V7hbQnTzjURJL`S%`6nTHcg<XB+ozL*{rR!_$M~K9Ao~6H!H^=h
zwoacr(!lN?6COXY0RI?8^Y3)nD5dew#%KWle2X)4QJ|3aSbkvB3|XvJ4T7PtDp@RC
zL=FRTdKkZak;Ble+c&|%U<4_;=Pv@V_7`H`L@;$HHik1Cov%9Y?v|ejzhoH-_ORGg
z?z#NpZ8<kuALb{N_e(NeGkem>S+dB6b_;PY1FsrdE8(2K6<T$5h-ID+y%Pgc&YiJj
zQSx)n1qnTmVVNMYY68M{^SPS)&CE>FN>37!62j_cBlui{jO^$dPkGHV>pXvW0EiOA
z<TH9~Xay1oO$zQ#3a3<TF-+#*^SkQT;5{#&5>qW`YaSUBWg_v^Y5tPJfWLcLpsA8T
zG)<v7DAcVy#7Wn65S?qZDrUX35PlA`Aoi+&wVKj813Fm5$JK2HOhK_!#&jYh-6-UE
z?+!tn`6hPZXOsq_tvt7v))8yvK|C^QB-3YDBn&zFRg<%>!x>pKMpt!lv3&KV!-um=
zKCir6`bEL_LCFx4Z5bAFXW$g3Cq`?Q%)3q0r852XI*Der*JNuKUZ`C{cCuu8R8nkt
z%pnF>R$uY8L+D!V{s^9>IC+bmt<05h**>49R*#vpM*4i0qRB2uPbg8{{s#9yC;Z18
zD7|4m<9qneQ84uX|J&f-g8a|nFKFt34@Bt{CU`v(SYbbn95Q67*)_Esl_;v291s=9
z+#2F2apZU4Tq=x+?V}CjwD(P=U~d<=mfEFuyPB`Ey82V9G#Sk8H_Ob_RnP3s?)S_3
zr%}Pb?;lt_)Nf>@zX~D~TBr;-LS<1I##8z`;0ZCvI_QbXNh8Iv)$LS=*gHr;<k-Rm
zCOX3iwRBMS%2HbhB&55bKxXVrjksHaE!$yhFQVOkB9&b;RXWYu12Q{oZxRnIOVr=+
zV;u%|w58=ulh(mY=94oS*pT{cO%ppm(zvJWm<qAqWJ+tsD$mc#zQ-$!O_aUVS(xv&
zlic&3<NOINl%vfa(YE-09OenqqI00N?`6YZ&y5jRWu1$*;ND0xgkIT8GGJ<pZ_BqS
zfzf6E9oArEF5xqlU<TZaFS?_~jIlVR?u(-sg0I7Ln4&`lfjy*Sukl^_TcEsDm~(l}
z+s}VbwTMn&y0~O&Noc7}EK>}dgb=w5$3k2la1keIm|=7<-JD>)U%=Avl0Vj@+&vxn
zt-)`vJxJr88D&!}2^{GPXc^nmRf#}nb$4MMkBA21GzB`-Or`-3lq^O^svO7Vs~FdM
zv`NvzyG+0T!P8l_&8gH|pzE{N(gv_tgDU7SWeiI-iHC#0Ai%Ixn4&nt{5y3(GQs)i
z&uA;~_0shP$0Wh0VooIeyC|lak__#KVJfxa7*mYmZ22@(<^W}FdKjd*U1CqSjNKW%
z*z$5$=t^+;Ui=MoDW~A7;)Mj%ibX1_p4gu>RC}Z_pl`U*{_z@+HN?AF{_<AT&sf>W
z?M_X@o%w8fgFIJ$fIzBeK=v#*`mtY$HC3tqw7q^GCT!P$I%=2N4FY7j9nG8aIm$c9
zeKTxVKN!UJ{#W)zxW|Q^K!3s;(*7Gbn;e@pQBCDS(I|Y0euK#dSQ_W^)sv5pa%<^o
zyu}3d?Lx`)3-n5Sy9r#`I{+t6x%I%G(iewGbvor&I^{lhu-!#}*Q3^itvY<Y65Bs!
z6}9J&T3Jmx%Jeo0UA1RUWfC4^3~`bOw#&=(RdYfoBOtonl9x?Q%%ud_8xGfac}V3S
z_t?8@P9D{AMY+HQj#M?0#<Loprwk<zPs3>(^UWXgvthH52zLy&T+B)Pw;5>4D6>74
zO_EBS)>l!zLTVkX@NDqyN2cXTwsUVao7$HcqV2%t$YzdAC&T)dwzExa3*kt9d(}al
zA~M}=%2NVNUjZiO7c>04YH)sRelXJYpWSn^aC$|Ji|E13a^-v2MB!Nc*b+=KY7MCm
zqIteKfNkONq}uM;PB?vvgQvfKLPMB8u5+Am=d#<Ofl>>g+o&Ys<k|1Ag^|(Lcq#YS
zJ3m+ShjMEKKXbb?#zc6~_{8T^k&I4kx<j?2OLnw(e9?2R%ab*KIh|OcYkV*-ppCU+
z&<4=VL>b>dX9EC8q?D$pJH!MTA<fJX`-o>qa=DS5$cb+;hEvjwVfF{4;M{5U&^_+r
zvZdu_rildI!*|*A$TzJ&apQWV@p{!W`=?t(o0{?9y&vM)V)ycGSlI3`;ps(vf2PUq
zX745#`cmT*ra7XECC0gKkpu2eyhFEUb?;4@X7weEnLjXj_F~?<g~DII^Bcx&poTYi
zLVuwObActGKn>OzL1U1L0|s6M+kIhmi%`n5vvDALMagi4`wM<y{<R6>c=JV{XiO+^
z?s9i7;GgrRW{Mx)d7rj)?(;|b-`iBNPqdwtt%32se@?w4<^KU&585_kZ=`Wy^oLu9
z?DQAh5z%q;UkP48jgMFH<isTC5e=i>Tf#m<K<awZyB<dC!4ZWVVj?0l^>j?#z|=w=
z(q6~17Vn}P)J3M?O)x))%a5+>TFW3No~TgP;f}K$#icBh;rSS+R|}l&#X9BCa%1Et
zwk~hMkhq;MOw^Q5`7oC{CUUyTw9x>^%*FHx^qJw(LB+E0WBX@{Ghw;)6aA-KyYg8p
z7XDveQOpEr;B4je@2~usI5BlFadedX^ma{b{ypd|RNYqo#~d*mj&y`^iojR}s%~vF
z(H!u`yx68D1Tj(3(m;Q+Ma}s2n#;O~bcB1`lYk%Irx60&-nWIUBr2x&@}@76+*zJ5
ze&4?q8?m%L9c6h=J$WBzbiTf1Z-0Eb5$IZs>lvm$>1n_Mezp*qw_pr8<8$6f)5f<@
zyV#tzMCs51nTv_5ca`x`yfE5YA^*%O_H<xfnQ6>?;tWYdM_kHPubA%vy47i=9>Bq)
zRQ&0UwLQHeswmB1yP)+Bi<gYuF=;5%P5fb($ua)vN{<dTS}pc$-noYj&~P(-vz}$v
zu3jpy02nRu2m5&K8!o)7k}0wq<;X00@Xx7A<mINk!<+VpN#`s2^mC5Ofe4$`&tl#*
z>R;S+Vc-5TX84KUA;8VY9}yEj0eESSO`7HQ4lO<y)w_Q~B}%2$aGK(6Ummn<`kl%;
z`ex#21X!9UBm3Vc-U~%seDuubCS=6He};CM149#aL;PRFuT<U<#xD2*e6V!HB9TS@
z-1@gJDr5k3GW(TMRP`M0C}32Sp)@iN+m7Q7FVkR-!Q93t0T{<wiGM)0t%$WJc@v;>
z4(CyA8y1G7_C;6kd4U3K-aNOK!sHE}KL_-^EDl(vB42P$2Km7<xlD85HX*0-hkMZF
zkjr5ZvT-#;Mth(cu<tj#atu~`yerH!&_Rq;m6S6;E=E^t8E;_e)$<aCEe^z9S}-Gm
zR}d6r*AN)OHk0vR$wldVl&!rNQoW*!$WBpDRw`=6+$-g54384TvT>$WGqNy=%fqB+
zSLdrlcbEH=T@W8V4(TgoXZ*G1_aq$K^@ek=TVhoKRjw;HyI&coln|uRr5mMOy2GXP
zwr*F^Y|!Sjr2YQXX(Fp^*`Wk905K%$bd03R<H!tySet(EP)5Lj`0&gFCZ@coqtHFV
zq;TC+Ud)isOY`?v*vYVa0u2u<OuzeQhQx-th#lEeb|E85m0u7j#xz<Q(27O50YNZG
z_X!_ZeKj36XsF4fNkWJ-X&&`{PiP|d5I{)ntoL7!_lyc3!C3?s@K?fxx2uj~W~|6a
z@37XYDSt)e<cy5Hg6yFElSnilL`l_9#54dfOVI=v!_cyZ8P0}j&eAUCbFyagF03t)
ziN>4(igl0&7IIm*#f`A!DCarW9$h$z`kYk9MjjqN&5-DsH@8xh63!fTNPxWsFQhNv
z#|3RjnP$Thdb#Ys7M+v|>AHm0BVTw)EH}>x@_f4zca&3tXJhTZ8pO}aN?(dHo)44Z
z_5j+YP=jMlFqwvf3lq!57-SAuRV2_gJ*wsR_!Y4Z(trO}0wmB9%f#jNDHPdQGHFR;
zZXzS-$`;7DQ5vF~oSgP3bNV$6Z(rwo6W(U07b1n3UHqml>{=6&-4PALATsH@Bh^W?
z)ob%oAPaiw{?9HfMzpGb)@Kys^J$CN{uf*HX?)z=g`J(uK1YO^8~s1(ZIbG%Et(|q
z$D@_QqltVZu9Py4R0Ld8!U|#`5~^M=b>fnHthzKBRr=i+w@0Vr^l|W;=zFT#PJ?*a
zbC}G#It}rQP^Ait^W&aa6B;+0gNvz4cWUMzpv(1gvfw-X4xJ2Sv;mt;zb2Tsn|kSS
zo*U9N?I{=-;a-OybL4r;PolCfiaL=y@o9{%`>+&FI#D^uy#>)R@b^1ue&AKKwuI*`
zx%+6r48EIX6nF4o;>)zhV_8(IEX})NGU6Vs(yslrx{5fII}o3SMHW7wG<xJ7RkURX
zL?-%U*5SbEvYh>tK9oIO4OM&@@ECtXSICLcPXoS|{;=_yj>hh*%hP27yZwOmj4&Lh
z*Nd@OMkd!aKReoqNOkp5cW*lC)&C$P?+H3*%8)6HcpBg&IhGP^77XPZpc%WKYLX$T
zsSQ$|ntaVVOoRat$6lvZO(G-QM5s#N4j*|N_;8cc2v_k4n6zx9c1L4JL*83F-C1Cn
zaJhd;>rHXB%%ZN=3_o3&Qd2YOxrK~&?1=UuN9QhL$~OY-Qyg&})#ez*8Np<qwhY!r
zPGi5Uv36_KU&P;Ysny7Yn7Aq*w^YJk+j;r5!{54y2KTRW=n4P9Q$RrUV@IzXwTG1s
zzW93%6>QW_*<cOtWE@YNsI)L#ntpV!%&tkEA2b<G(kTCfol|w3coc&So$?P2SFmWk
zBWp7V`+IlUb`e$B*<dRPJ-ehhZQ$M{k7#onRlEE~dw{L=-9ElX-V5A(;-ZBE+Yf{^
z{+-Mf7yUbWUdboXPA1sh*z~xCt^6m6c{6_JCok9HQbYRhr51?*l;sOM;AIxuJ4Q$p
z`CgAJ+<9O64PUJ^k}^%FQclq}Wk!;S2TZ^{;?u15<et5AgcPi>a&kD&ANjedxT0Ar
z<6r{eaVz3`d~+N~vkMaV8{F?RBVemN(jD@S8qO~L{rUw#=2a$V(7rLE+kGUZ<%pdr
z?$DP|Vg#gZ9S}w((O2NbxzQ^zTot=89!0^~hE{|c9q1hVzv0?YC5s42Yx($;hAp*E
zyoGuRyphQY{Q2ee0Xx`1&lv(l-SeC$NEyS~8iil3_aNlnqF_G|;zt#F%1;J)jnPT&
z@iU0S;wHJ2$f!juqEzPZeZkjcQ+Pa@eE<F$7REzl$4Vg!h~1-QZGdPJ^bJ@K4OS*c
zP-fR4iXy^QA;#1=y2VI*LRPhjykLV({@6o-twx$xfBE}QnTt6vqFElm=UM-(NfZCi
z=lx&9)JZKEFO|hbLCVw#&(sbpFfqulk`VBkNi?$lD5(B0WM5ff*mCA1f5%740p~O|
ztQOb8UFr=BBea^EKn!z+v}nk*YvS7NtKQ8K+R4>RSLKsWf=`{R@yv7AuRh&ALRTAy
z8=g&nxsSJCe!QLchJ=}6|LshnX<g_y(YX??7D<ya@4%V<9h+|Ic_N&p+^6cL1%rRw
zI`_<$r7i-QeU%G7oxJ6b$}<GVE+7g7j;H#VPbD7FMNK~{pfkqz8k&Qk100>IK)SNd
zRkJNiqHwKK{SO;N5m5wdL&qK`v|d?5<4!(FAsDxR>Ky#0#t$8XCMptvNo?|SY?d8b
z`*8dVBlXTUanlh6n)!EHf2<Z;<pqvCOZ=A2H>&PDG8sXNAt6~u-_1EjPI1|<=33T8
zEnA00E!`4Ave0d&VVh0e>)Dc}=FfAFxpsC1u9ATfQ`-Cu;mhc8Z>2;uyXtqpLb7(P
zd2F9<3cXS<T6BO6%Wff4)w8RK^!PZ}fJ&%B?D(O0phg;sxkMq1g;&s2yVy|dlo7$&
zut6p%Pt5t7R%%o@lpz7mamy48(tCjGd57eFCrjgxV_IjQOo{Eq=LdqW@am;MINbXP
zIQr$cxXwNaQ_H6v`p4(aUBXrmz}**&%<Zzfbtj+pDbBMu#7x_{KfkOxH1}OCyx<aM
zu@SXrn_{seG?|N7mo)o<BmjNPRWwBLiQLKA5vhgn!8ZTe76=gv#-hh7?ex$Xtz9>}
znMg?{&8_YFTGRQZEPU-XPq55%51}RJpw@LO_|)CFAt62-_!u_Uq$csc+7|3+TV_!h
z+2a7Yh^5AA{q^m|=KSJL+w-EWDBc&I_I1vOr^}P8i?cKMhGy$CP0XKrQzCheG$}G#
zuglf8*PAFO8%xop7KSwI8||liTaQ9NCAFarr~psQt)g*pC@9bORZ>m`_GA`_K@~&%
zijH0z;T$fd;-Liw8%EKZas>BH8nYTqsK7F;>>@YsE=Rqo?_8}UO-S#|6~CAW0Oz1}
z3F(1=+#wrBJh4H)9jTQ_$~@#9|Bc1Pd3rAIA_&vOpvvbgDJOM(yNPhJJq2%PCcMaI
zrbe~toYzvkZYQ{ea(Wiyu#4WB#RRN%bMe=SOk!CbJZv^m?Flo5p{W8|0i3`hI3Np#
zvCZqY%o258CI=SGb+A3yJe~J<XAm<h+@x%=dk!>H^i{uU`#U#fvSC~rWTq+K`E%J@
zasU07&pB6A4w3b?d?q<ZUdN`d9`jSQ6}@hE_t>}2=0rA#SA7D`X+zg@&zm^iA*HVi
z009#PUH<%lk4z~p^l0S{lCJk1Uxi=F4e_DwlfHA`X`rv(|JqWKAA5nH+u4Da+E_p+
zVmH@lg^n4ixs~*@gm_dgQ&eDmE1mnw5wBz9Yg?QdZwF|an67Xd*x!He)Gc8&2!urh
z4_uXzbYz-aX)X1>&iUjGp;P1u8&7TID<T*k)hrSs$ZMYU#eY?f%J<TYM`ZV5WD$80
zG6we^sim<v0ffzyR3HV@k#_?T5yB1?r-E~gnJ!jx=#l~KWX=|*TsGqUMbMy7&Dlm$
zkg`~ug9}A)NTCqAmF?i{?tn%$xnbe}sXgn0Ns#1Tz9yxnXess97ti7|9c?mVx|E|M
zsw|@!R#sWRksSuwE0qkq{xVpVBsF7Y5`nBxFc=Vb@S*=tu3_rkiM*j^3$OH{X3IB$
zsB0-+Fdr>0bTH-jCL&Xk8b&<MC!nk<L_l*|?aq$M0{!H9`RQ21GGD+c^BcX*2|SYI
zugFZ`gqDwwr<(%$82O_6nOWDm!eA(RGpBfa<+B;MKzgz`W@E7E&XQR*%r|=RjJ(AQ
z1GcBC!v)wKu_J~RfHh}+ZjQp_Xx>;;6p2op_=y^m@Nq*0{#o!!A;wNAFG@0%Z9rHo
zcJs?Th>Ny6+hI`+1XoU*ED$Yf@9f91m9Y=#N(HJP^Y@ZEYR6I?oM{>&Wq4|v0IB(p
zqX#Z<_3X(&{H+{3Tr|sFy}~=bv+l=P;|sBz$wk-n^R`G3p0(p>p=5ahpaD7>r|>pm
zv;V`_IR@tvZreIuv2EM7ZQHhO+qUgw#kOs%*ekY^n|=1#x9&c;Ro&I~{rG-#_3ZB1
z?|9}IFdbP}^DneP*T-JaoYHt~r@EfvnPE5<mj|3vYvi%XA!0DTe17}~aG2h7eq*~r
z9|l2u19&ExDJOsRZ$@8=z;;HhZw$_SviSm}uAwc_ow2rT=iX2K1>EKUwIxjPbsr$%
zfWW83pgWST7*B(o=kmo)74$8UU)v0{@4DI+ci&%=#90}!CZz|rnH+Mz=HN~97G3~@
z;v5(9_2%eca(9iu@J@aqaMS6*$TM<otkyEUfDAtMmVO5=3I}?EG6T26ue>w!S>H(b
z4(*B!|H|8&EuB%mITr~O?vV<E-8Z6S)k5lzkIaVLJC566nZk>Ef%(Gr)6E=>H~1VR
z&1YOXluJSG1!?TnT)_*YmJ*o_Q@om~(GdrhI{$Fsx_zrkupc#y{DK1WOUR>tk>ZE)
ziOLoBkhZZ?0Uf}cm>GsA>Rd6V8@JF)J*EQlQ<=JD@m<)hyElXR0`pTku*3MU`HJn|
zIf7$)RlK^pW-$87U;431;<klhG5_ER>Ye4Ie+l~_B3*bH1>*yKzn23cH0u(i5pXV!
z4K?{3oF7ZavmmtTq((wtml)m6i)8X6ot_mrE-QJCW}Yn!(3~aUHYG=^fA<^~`e3yc
z-NWTb{gR;DOUcK#zPbN^D*e=2eR^_!(!RKkiwMW@@yYtEoOp4XjOGgzi`;=8<Yusf
zN5l6kO$1L;ws<m1`Zh#?`63unV{T(2V21gcCYV&FhZqe6Nass1MK|Z4KyXbkzmY5}
zZ?_?UexvC&zoC0o1N+Vde1)9v5Lgfss-n~Y`wrFPCpU&f2y~X5VS8!)_$jxG?x+Q>
zi3`Ccw1%L*y(FDj=C7Ro-V?q)-%p?Ob2ZElu`eZ99n14-ZkEV#y5C+{Pq87Gu3&>g
zFy~Wk7^6v*)4pF3@F@rE__k3ikx(hzN3@e*^0=KNA6|jC^B5nf(XaoQaZN?Xi}Rn3
z$8&m*KmWvPaUQ(V<#J+S&zO|8P-#!f%7G+n_%sXp9=J%Z4&9OkWXeuZN}ssgQ#Tcj
z8p6ErJQJWZ+fXLCco=RN8D{W%+*kko*2-LEb))xcHwNl~Xmir>kmAxW?eW50Osw3#
zki8Fl$#fvw*7rqd?%E?}ZX4`c5-R&w!Y0#EBbelVXSng+kUfeUiqofPehl}$ormli
zg%r)}?<O#LIQ<x^r>%=?_pHb9`Cq9Z|B`L8b>(!+8HSX?`5+5mm81AFXfnAt1*R3F
z%b2RPIacKAddx%JfQ8l{3U|vK@W7KB$CdLqn@wP^?azRks@x8z59#$Q*7q!KilY-P
zHUbs(IFYRGG1{~@RF;Lqyho$~7^hNC`NL3kn^Td%A7dRgr_&`2k=t+}D-o9&C!y^?
z6MsQ=tc3g0xkK(O%DzR9nbNB(r@L;1zQrs8mzx&4dz}?3KNYozOW5;=w18U6$G4U2
z#2^qRLT*Mo4bV1Oeo1PKQ2WQS2Y-hv&S|C7`xh6=Pj7MNLC5K-zokZ67S)C;(F0Dd
zloDK2_o1$Fmza>EMj3X9je7e%Q`$39Dk~GoOj89-6q9|_WJlSl!!+*{R=t<I5W)Q1
zkAGZ6mVbAZdwNx+cM^(`G%H7T29zgao{aSHP_2`opHKbyoo@LZV-ND6*ct<1X->Gp
z8u|MuSwm^t7K^nUe+^0G3dkGZr3@(X+T<R{A2|{q4h1HZkio;YA1t6>L5eah)K^Tn
zXEtHmR9UIaEYgD5Nhh(s*fcG_lh-mfy5iUF3xxpRZ0q3nZ=1qAtUa?(LnT9I&~uxX
z`pV?+=|-Gl(kz?w!zIieXT}o}7@`QO>;u$Z!QB${a08_bW0_o@&9cjJUXzVyNGCm8
zm=W+$H!;_Kzp6WQqxUI;JlPY&`V}9C$8HZ^m?NvI*JT@~BM<?RV=J&{dty%0kuvcV
zvDY*i(P?K=6~(~xZAsj_c^PMb&#Z`Y|Lurd8fSVQU$p5WH?x?Xpj)rsBdv*QxJ##A
zM=~|M*Y>=()T()Ii#+*$y@lTZBkmMMda><ZXF}$122DAC4inciHEXN*L_tT(?E|%+
zt7Py*&-=;dUzJ7C=EUZz8ph9x9vB|ACLKw@s&c^<^F0YA3k;p}2F-(+6L*|cO&Kx|
zGV=>7s#O(1YZR+zTG@&<R7(G2<E$<wduz9!FnD8M=}U%cAl$d*6}Sq3Sm>}!EXFG{
zEWPSDI5bFi;NT>Yj*FjH((=oe%t%xYmE~AGaOc4#9K_XsVpl<4SP@E!TgC0qpe1oi
zNpxU2b0(lEMcoibQ-G^cxO?ySVW26HoBNa;n0}CWL*{k)oBu1>F18X061$SP{Gu67
z-v-Fa=Fl^u3lnGY^o5v)Bux}<gD3`?Qhv)PX)U=^-kffCXQ$p2csKZNM5x8!RMUOX
zrn9?t`{WKqC0A+hrI3CS?R@viwL~gPCU^BRur-hw0CEwaK7f#%S}_w7_H%2lZVcgk
zQL;J=ry;kmi}ZUr-!!m`rCH2ERpwJ6Q|G`5r-Xy0r?6;<g{<5%zr{9CmP^vf>bNZ~
z5pL+7F_Esoun8^5>z8NFoIdb$sNS&xT8_|`GTe8zSXQzs4r^<Z>g0kZjg(b0b<J|)
z&kyXHVzP24v$IxevEHN?k6>Jvz`g<70u9Z3fQILX1Lj@;@+##bP|FAOl)U^9U>0rx
zGi)M1(Hce)LAvQO-pW!MN$;#ZMX?VE(22lTlJrk#pB0FJNqVwC+*%${Gt#r_tH9I_
z;+#)#8cWAl?d@R+O+}@1A^hAR1s3UcW{G+>;X4utD2d9X(jF555}!TVN-hByV6t+A
zdFR^aE@GNNgSxxixS2p=on4(+*+f<8xrwAObC)D5)4!z7)}m<cS(iD4<A0N$g+SqA
zl%O;ERC__&2rvP%TMdpBGey$+i_(aSuJSoOVG@%hWSWo?*uZz-46eyt;fOY4@j*cs
z(Nlf$ie?ANAv6K4_-a2q*kk+$A3)y-+s^rqkRC|T=Yj2fF?eZ}!9uZg3msy525K;C
zG$r&@M9n%7`Sgm&aIl}13Vz%ip9hGWt!og5bdx1qTG)j2nL>Tpb7&ofF3u&9&wPS<
zB62WHLGMhmrmOAgmJ+|c>qEWTD#jd~lHNgT0?t-p{T<Fhnjc^O*n1^SI<&BNNFb%X
zHxbuJadh!4YtYH|wpEljX5ubnIb*m`KO@(XQ|K!ErMf$l_=~Nst8I^_;~LFMY;jPd
z>=~#E<K9VH{%))?p1uEh9GO_D_^6?&!kOhc5(&300G7)A4!13Ozm(lvh<tIpVpv;w
z$Zq4R)GbGst(09X1uL^1TcWYOO$_QS5|?mAC8?<QY1GusEAbgtUMGPRN?~sU>McB|
z=AoDKOL+qXCfk~F)-Rv**V}}gWFl>liXOl7Uec_8v)(S#av99PX1sQIVZ9eNLkhq$
zt|qu0b?GW_uo}TbU8!jYn8iJeIP)r@;!Ze_7mj{AUV$GEz6bDSDO=D!&C9!M@*S2!
zfGyA|EPlXGMjkH6x7OMF?gKL7{GvGfED=Jte^p=91FpCu)#{whAMw`vSLa`K#atdN
zThnL+7!ZNmP{rc=Z>%$meH;Qi1=m1E3Lq2D_O1-X5C;!I0L>zur@tPAC<By>9*7<!
z3r5ih2IB%6&?*r6Z<C9~bdv;$Jz)vwe<Nu0(L5l%QJ@HdxjvyfFnvb*!a}9oGNK6E
zqHxM7juWe=SSnY{v&Q7EoMOb}E}wD)CsC?77@`e0AQsRgp-@%+t|BGqN=<`p&67Ay
z|1Ca)Xw?J?`0+tpDJa4VbOI+nCoMRhc94J)*YTm*Cvm6NKcmS0S8lEaP@BDlDO2j!
z3B#9mbQbob%QSF`NGB1uJE%GFPC5TQVb=AS_#@8Xn3od@{x#f5jU7spPqbI@;gM2n
zy<$hk+Hy??zt_V4Zq9&R;7&^l#vS@`iD+}{y4jLIDKXTJNC<QY9H?-HD>Je<e@N~V
zM8{whHc_Y)oJRTaE@}6XBK;XqJh6DOZ%b~};oF1$Ja8>h)`;eec}1`nkRP(%iv-`N
zZ@ip-g|7l6Hz%j%gcAM}6<zu1Fy2Y69l>-nrC8oA$BkOTz^?dakvX?`^=ZkYh%vUE
z9+&)K1UTK=ahYiaNn&G5nHUY5niLGus@p5E2@RwZufRvF{@$hW{;{3QhjvEHMvduO
z#Wf-@oYU4ht?#uP{N3utVzV49mEc9>*TV_W2TVC`6+oI)zAjy$KJrr=*q##&kobiQ
z1vNbya&OVjK`<C+)|Y=S6qD0g+yj}rJu+*{Nv+8EH`6C*w=QvJZy_0aJA=(RR*FuE
z=Ve*%{0>2pdRr<aX@8G=KRVz8TtomBSpcq@r(_ajX~o2yoaeZ}oez2h)8-QBk)?}3
z07=L4P3BU4*%bpPu*ZY*FM)E8NlN*R9eF#VQ}7$t%LL}o3#|L+gi2ok?oW7%M=|~p
zC5<%;sq@8S<pakq(618P52%D<(#5rYl@k)nhPsY1k)aFy(uH>M?LuK6BgrLN7H_3m
z!qpNKg~87XgCwb#I=Q&0rI*l$wM!qTkXrx1ko5q-f;=R2fImRMwt5Qs{P*p^z@9ex
z`2#v(qE&F%MXlHpdO#QEZyZftn4f05ab^f2vjxuFaat2}jke{j?5GrF=WYBR?gS(^
z9SBiNi}anzBDBRc+QqizTTQuJrzm^bNA~A{j%ugXP7McZqJ}65l10({wk++$=e8O{
zxWjG!Qp#5OmI#XRQQM?n6?1ztl6^D40hDJr?4$Wc&O<sMJO3^;cmzln7W^zYPW<c)
z|Nn)@|5@a8iRp(7<VO~{rdqT_5uSV!nd9F~6^REIQGA!cD-9=NGWybr;?0kXWZrN^
z3+v>_{*OfMfxe)V0=e{|N?J#fgE>j9jA<EEh|%C%>ajze$iN!*yeF%jJU#G1c@@rm
zolGW!j?W6Q8pP=lkctNFdfgUMg92wlM4E$aks1??M$~WQfzzzXtS)wKrr2sJeCN4X
zY(X^H_c^PzfcO8Bq(Q*p4c_v@F$Y8cH<tNdh?t1Gk+qA{Pne*ng|&%*k<pK?D`Q}5
zVD>LrH$`pJ2}=#*8%JYdqsqnGqEdBQMpl!Ot04tUGSXTQdsX&GDtjbWD=prcCT9(+
z&UM%lW%Q3yrl1yiYs;LxzIy>2G}EPY6|sBhL&X&RAQrSAV4Tlh2nITR?{6xO9ujGu
zr*)^E`>o!c=gT*_@6S&>0POxcXYNQd&HMw6<|#{eSute2C3{&h?Ah|cw56-AP^f8l
zT^kvZY$YiH8j)sk7_=;gx)vx-PW`hbSBXJGCTkpt;ap(}G2GY=2bbjABU5)ty%G#x
zAi07{Bjhv}>OD#5zh#$0w;-vvC@^}<H!J~9x8ns3P(-h{dr(SdVxo7mkj}AsjC5HV
zo6g6-m3quL?mvNQgld&;Wk&NDE-R7EZ)*~rtG<Lq_zyu{lXW&{xOyIFvsws8eo>F!
z#X$@)zIs1L^E;2xDAwEjaXhTBw2<{&JkF*`;c3<1U@A4MaLPe{M5DGGkL}#{cHL%*
zYMG+-Fm0#qzPL#V)TvQVI|?_M>=zVJr9>(<nvsf&9hvsWr%#7CsQ**Fe-0<7veWn*
zbd^GxM~>6ib*#z8q@mYKXDP`k&A4A};xMK0h=yrMp~JW{L?mE~ph&1Y1a#4%SO)@{
zK2juwynUOC)U*hVlJU17%llUxAJFuKZh3K0gU`a<X-1W{<+F6zY3jg>P)pc~b<Vo8
zn2YAtCd;B0Avz@7p^Po{xMRCQYS{JVW8Z`GH$zG=#SS&KZ2A$u^x!Isx6mLPi?<ZN
z*{kt-YdG0}`9!9hbnjn<=b=7lTPuWEpF+k^SZAjar2B<DQb{uEO;vTv3FqIDI3!LU
zvasv6BD^}y#db_7<6NwPQSk6X)=~uy$Zd95xS~u)s@;O!EALmaQ@kYB`EY75*h2)s
z-R#8r)o{~&P%kZgz*(Kw!pn_O3rshJwHWRYI|!$r!a4#|kLw{Kz&k3CZ#RtrYB!Yu
z*A++a?kRokM)%Uo3N_uT!~ugsw#&4oIID7K+!k+)I;<)Si^E{(i)cD@HTao5;+q!0
zbwB*KzCL0ZC~g-PH7MbBVgTO07?^K#9=bcG8FQEIE=(6id^)U|^hS5OYQT5$J-!Sa
zBvfO%E+b9eID~Xvvo@#oSJO3E?jiXTQ<upuXRYN+dqAs$<{%yP2cnwB9G5^{RErN2
z5a`n%B*&Qd&SoW|&P~{87+q;P_bbKnMD-j91aHnUm-Ol<>E~mM!i1mi!~LTf>1Wp<
zuG+ah<cN%^mGc@zm->p^gH8g8-M$u{HUWh0m^9Rg@cQ{&DAO{PTMudV6c?ka7+AO&
z746QylZ&Oj`1aqfu?l&zGtJnpEQOt;OAFq19MXTcI~`ZcoZmyMrIKDFRIDi`FH)w;
z8+*8tdevMDv*VtQi|e}CnB_JWs>fhLOH-+Os2Lh!&)Oh2utl{*AwR)QVLS49iTp{6
z;|172Jl!Ml17unF+pd+Ff@jIE-{Oxv)5|pOm@CkHW?{l}b@1>Pe!l}VccX#xp@xgJ
zyE<&ep<?&Ja!<vf;^Rc_Ext&<l)$GW^vhyI+JCe2O3`LUd|)s%0qsYi2%EvJz-tM3
zKY=mZW?7k^N!wTSw*{;yb$3mRD9vNKYL6QIU4KGF{JZXpqeFF?UNh<Hsu=#~nZ?*`
z8?`-sY#3wWljoYqahkg_LR+fxC=Ok@srcz_lf5JG(Aw?<nC(WNHZ^iNeqvbZ784f|
zUF|zFa%ZSkIT}iZS*J5%>$=*vT=}7vtvif0B?9xw_3Gej7mN*dOHdQPtW5kA5_zGD
zpA4tV2*0E^OUimSsV#?Tg#oiQ<Gc63Xnq8{B?9(QSV36W&7QYB_fY=P6DiK#CwX}S
zgr8jyAKT1k<~JoNlpe8K#uDWD6A;w{rqu&jtmBFgY_BM6uK=HK6yOqhbD)4G&d4Zx
zgx}5JZQcjx2iiz|qys{K@f>>%4D@1F5@AHwT8Kgen$bSMHD3sXCkq8^(uo7CWk`mT
zuslYq`6Yz;L%wJh$3l1%SZv#QnG3=NZ=BK4yzk#HAPbqXa92;3K5?0kn4TQ`%E%X}
z&>Lbt!!QclYKd6+J7Nl@xv!uD%)*bY-;p`y^ZCC<%LEHUi$l5biu!sT3TGGSTPA21
zT8@B&a0lJH<Is)g$je?v)zrGnVnN*a?`1A_B7jSFYFL!G^YdU54T8BJ`&=Grt0wbK
zm=GTh#mq0;L&QL~1)M*45{rzjOV&&Ibr2i!Ltb})&Q3g>Vn1I$I3I1I{W9fJAYc+8
zVj8>HvD}&O`TqU2AAb={?eT;0hyL(R{|h23=4fDSZKC32;wWxsV<K&5XXRr5uQ}LF
z+0CB-DJWvs=zyhUDM(~V3gV_A(2WHskwSfbLhWS!Vr~&q4bY$lqS1mvz2zv7a&eyv
zq27v0&hua?e7Hjc)2G9WDUS0kzHi?zAo?IsP=#m-cTywmevo}cL`cE(<Xi1(J>j`P
z3J3{M$PwdH!ro*Cn!D&=jnFR>BNGR<<|I8CI@+@658Dy(lhqbhXfPTVecY@L8%`3Q
z1Fux2w?2C3th60jI~%OC9BtpNF$QPqcG+Pz96qZJ71_`0o0w_q7|h&O>`6U+^BA&5
zXd5Zp1Xkw~>M%RixTm&OqpNl8Q+ue=92Op_>T~_9UON?ZM2c0aGm=^A4ejrXj3dV9
zhh_bCt-b9`uOX#cFLj!vhZ#lS8Tc47OH>*)y#{O9?AT~KR9LntM|#l#Dlm^8{nZdk
zjMl#>ZM%#^nK2TPzLcKxqx24P7R1FPlBy7LSBrRvx>fE$9AJ;7{PQm~^LBX^k#6Zq
zw*Z(zJC|`!6_)EFR}8|n8&&Rbj8y028~P~sFXBFRt+tmqH-S3<%N;C&WGH!f3{7cm
zy_fCAb9@HqaXa1Y5vFbxWf%#zg6SI$C+Uz5=CTO}e|2fjWkZ;Dx|84Ow~bkI=LW+U
zuq;KSv9VMboRvs<muUdEos4J@28PT^*5txvGZbKDaszyz$QdH{051B8A}wS50ihLR
z^}*xLvwA_M{Vi%9v2EHPcjW2dClsn~)MPlr{(wj9a}gF+Q-M)HC}0<xaSL~ZQN-$F
z7pVo2NF$PZ!~7c5`YO~K2nWlk*2_#MS>9)}2PAO|b(JCEC_A0wq{uEj|3x@}*=bOd
zwr{TgeCGG>HT<@Zeq8y}vTpwDg#UBvD)BEs@1KP$^3$sh&_joQPn{hjBXmLPJ{tC)
z*HS`*2+VtJO{|e$mM^|q<Nl<aNnR+M;uGuLoy^|5_yMTrUl*Jc;J-xFCNFUlNS9`1
z>v1R*8i(m1`%)}g=SU#T#0KlTM2RSvYUc1fP+va|4;5}Bfz98UvDCpq7}+SMV&;nX
zQw~N6qOX{P55{#LQkrZk(e5YGzr|(B;Q;ju;2a`q+S9bsEH@i1{_Y0;hWYn1-79jl
z5c&bytD*k)GqrVcHn6t-7kinadiD>B{Tl`ZY@`g|b~pvHh5!gKP4({rp?D0aFd_cN
zhHRo4dd5^S6ViN(>(28qZT6E>??aRhc($kP`>@<+lIKS5HdhjVU;>f7<4))E*5|g{
z&d1}<wI2Yxf4k?!umu<cm>D|vpuV^eRj5j|xx9nwaCxXFG?Qbjn~_WSy=N}P0W>MP
zG-F%70lX5Xr$a)2i6?i|iMyM|;Jtf*hO?=Jxj12oz&>P=1#h~lf%#fc73M2_(SUM-
zf&qnjS80|_Y0lDgl&I?*eMumUklLe_=Td!9G@eR*tcPOgIShJipp3{A10u(4eT~DY
zHezEj8V+7m!knn7)W!-5QI3=IvC<r`G1r;-#=KH#^bDsbD^<>^as5+TW1@Ern@yX|
z7Nn~xVx&fGSr+L%4iohtS3w^{-H1A_5=r&x8}R!YZvp<2T^YFvj8G_vm}5q;^UOJf
ztl=X3iL;;^^a#`t{Ae-%5Oq{?M#s6Npj+L(n-*LMI-yMR{)qki!~{5z{&`-iL}lgW
zxo+tnvICK=lImjV$<vu==Ri_*yyu6*srp=+w%VMI++>Z|O_c<d`u5Z43azu#^&ypv
z2XQf<KjK;)X-?wB*Sewpf;vW`6)cGyqY0^Kmt<sX6AgDavh{KfTqndPyGjf#w5CPH
zd5wvsmzb)a>Yj_PlEYCzu-XBz&XC-JVxUh9;6*z4fuBG+H{voCC;`~GYV|hj%j_&I
zDZCj>Q_0RCwFauYoVMiUSB+*Mx`tg)bWmM^SwMA+?lBg12QUF_x2b)b?qb88K-YUd
z0dO}3k#QirBV<5%jL$#wlf!60dizu;tsp(7XLdI=eQs?P`tOZYMjVq&jE)qK*6B^$
zBe>VvH5TO>s>izhwJJ$<`a8fakTL!yM^Zfr2hV9`f}}VVUXK39p@G|xYRz{fTI+Yq
z20d=)iwjuG9RB$%$^&8#(c0_j0t_C~^|n+c`Apu|x7~;#cS-s=X1|C*YxX3ailh<R
zTW0JnWEDqjPC~D*L>g_|0`g!E&GZJEr?bh#T<kIti^!4|N+ecge$#dzW2oYeVA6W^
zTf=2ts!v<D6N@P&^Yk^QSZQdun$SpPGW!lb8i(GI;CLFfP&>pb8siR=JxWKc{#w7g
zWznLwi;zLFmM1g8V5-P#RsM@iX>TK$xsWuujcsVR^7TQ@!+vCD<>Bk9tdCo7Mzgq5
zv8<xjOE`)Xl$&nfKK_(a*GxWq=IP<8*TsiQ<?73@Fo<n&f=T#zZE61~c1WExC#Z*C
zBR?0KIU<_708sM|Ni}WhSK@G4$2@TsRGI0k6P~Edb~#f7+1%73{4^^R;XGADxxf+k
zSKP@Qw?N!!n%j~Ps{Av<y>d>dK9x8C@Qoh01u@3h0X_`SZ<H1Jt*l+r%vhj38gu7(
zi%Y(Yu(yCRu7j&QPtzY&|NIVK<{aX%!5|>luTb@5o;{4{{eF!-4405x8X7hewZWpz
z2qEi4UTiXTvsa(0X7kQH{3VMF>W|6;6iTrrYD2fMggFA&-CBEfSqPlQDxqsa>{e2M
z(R5PJ7uOooFc|9GU0ELA%m4&4Ja#cQpNw8i8ACAoK6?-px+oBl_yKmenZut#Xumjz
zk8p^OV2KY&?5MUwGrB<d@yk90?8kfe*7#9+-#&)Q0>Oo?ki`Sxo#?-Q4gw*Sh0k`@
zFTaYK2;}%Zk-68`#5DXU$2#=%YL#S&<HGFJsB^*5Aw|=c;4ki9<qCK7e%Vj(VHL~6
z&DTbldm(&0B0fTx|5re(!MJSE^QU1#`&m2qUm7Nf|9k}h=kY)0pa1#ZNlE^hgpfxc
z$@}d>MTN8bF+!J2VT6x^XBci6O)Q#JfW{<sb5)HkTF~_Sa_M^vi<UXTocVSE>YMz)
zOBM>t2rSj)n#0a3cjvu}r|k3od6W(SN}V-cL?bi<J46HHYSLL&OeFRm%u#)=VN9PH
zxaTYq?JHLwz2fTT`H!RbdHX@6n6p6?mn|3kIU%%1k}C2(3hi^IDh(udokZ1xF-p+u
z0u<3zht=l5wn_zAAWK?U0XT-L6xs5k3ZJ=V1H`#dpB4>*Iz-8uOcCcsX0L>ZXjLqk
zZu2uHq5B|Kt>e+=pPKu=1P@1r9WLgYFq_TNV1p9pu0erHGd!+bBp!qGi+~4<N?Fq)
zn=ndP#eVyN4)AOmF>A(RsYN@CyXNrC&hxGmW)u5m35Om<gLIl43|ftfxD;4@0U%W{
zfCt<dp}9hk8dzvf-#}P{$rRcsI2FbF%>WwX`I+0yByglO`}HC4nGE^_HUs^&A(uaM
zKPj^=qI{&ayOq#z=p&pnx@@k&I1JI>cttJcu@Ihljt?6p^6{|ds`0MoQwp+I{3l6`
zB<9S((RpLG^>=Kic`1LnhpW2=Gu!x`m~=y;A`Qk!-w`IN;S8S930#vBVMv2vCKi}u
z6<-VPrU0AnE&vzwV(CFC0gnZYcpa-l5T0ZS$P6(?9AM;`Aj~XDvt;Jua=jIgF=Fm?
zdp=M$>`phx%+Gu};;-&7T|B1AcC#L4@mW5SV_^1BRbo6;2PWe$r+npRV`yc;T1mo&
z+~_?7rA<BY)cqU~+}^_%&5(AuHg02IxD?AG?j^Zhn%1`rT{GFYPZA>+(Um&o@Tddl
zL_hxvWk~a)yY}%j`Y+200D%9$bWHy&;(yj{jpi?Rtz{J66ANw)UyPOm;t6FzY3$hx
zcn)Ir79nhFvNa7^a{SHN7XH*|Vlsx`CddPnA&Qvh8aNhEA;mPV<ryWQl0P?MiPwBL
z+vex2kKClH;6k1Et=IFG!&SyN$8+S#_UnR?aFa6Eq|~rBS)8W_vwKAj+o^X)(9027
z*WrGQ$Ej`dD5*y_K^!R^&+N3W?cTJmXL9S<fpm^mH*?0O@w{qI>v;Ah=k<*u!Zq^7
z<=xs*iQTQOMMcg|(NA_auh@x`3#_LFt=)}%SQppP{E>mu_LgquAWvh<>L7tf9+~rO
znwUDS52u)OtY<~!d$;m9+87aO+&`#2ICl@Y>&F{jI=H(K+@3M1$rr=*H^dye#~TyD
z!){#Pyfn+|ugUu}G;a~!&&0aqQ59U@UT3|_JuBlYUpT$2+11;}JBJ`{+lQN9T@QFY
z5+`t;6(TS0F?OlBTE!@7D`8#URDNqx2t6`GZ{ZgXeS@v%-eJzZOHz18aS|svxII$a
zZeFjrJ*$IwX$f-Rz<J3Ld3QGgbbgt9L|A^RC+}TLgII?Lz8a4l887}}cuTMGGhsX*
z9&mmFqP?djyuRYNLb|y#gPeE?&x5*{yL4yV`z1bx{$hup<=h=EzEhKN_egi{3sPw}
z!?<6KVR?6VYA;nDAIyA2AKd4Ab>r_G>xbu@euGl)B7pC&S+CmDJBg$BoV~jxSO#>y
z33`bupN#LDoW0feZe0%q8un0rYN|eRAnwDHQ6e_)xBTbtoZtTA=Fvk){q}9Os~6mQ
zKB80VI_&6iSq`LnK7*kfHZoeX6?WE}8yjuDn=2#JG$+;-TOA1%^=DnXx%w{b=w}tS
zQbU3XxtOI8E(!%`64r2`zog;5<0b4i)xBmGP^jiDZ2%HNSxIf3@wKs~uk4%3Mxz;~
zts_S~E4>W+YwI<-*-$U8*^HKDEa8oLbmqGg?3vewnaNg%Mm)W=)lcC_J+1ov^u*N3
zXJ?!BrH-+wGYziJq2Y#vyry6Z>NPgkEk+Ke`^DvNRdb>Q2Nlr#v%O@<5hbflI6EKE
z9dWc0-ORk^T}jP!nkJ1imyjdVX@GrjOs%cpgA8-c&FH&$(4od#x6Y&=LiJZPINVyW
z0snY$8JW@>tc2}DlrD3StQmA0Twck~@>8dSix9CyQOALcREdxoM$Sw*l!}bXKq9&r
zysMWR@%OY24@e`?+#xV2bk{T^C_xSo8v2ZI=lBI*l{RciPwuE>L5<W5z;@6p;6;|O
z%1xS<PrHS@9bs_>@uhz@{!l)rtVlWC>)6(G)1~n=Q|S!{E9~6*f<w%m`;Qd>dpa*n
z!()-8EpTdj=zr_Lswi;#{TxbtH$8*G=UM`I+icz7sr_SdnHXrv=?iEOF1UL+*6O;%
zPw>t^kb<Y!37E>W9X@oEXx<97%lBm-9?O_7L!DeD)Me#rwE5<?Y(}PPRapoJOytLr
zH%=!UQ}Y5J_(3KVTFf%D7DXvmTFStSsvMk1_bhZw*QC=UXI9MplG;au>4t~UBu9VZ
zl_I1tBB~>jm@bw<SOr`xU7_Kg$PU){Os_I8cve<UKbUg-U~fB$8f2Y<)c>0Aljz8!
zXBB6ATG6i<ky6{p$)@{!N}M!yKr)m#;X?<H(Z75&7#=qg5yAe!nNXMBxO$uuu4{+;
zB;Z$SC9Hkye>ByKIxs!qr%pz%wgqbg(l{65DP4#v(vqhhL{0b#0C8mq`bnqZ1OwFV
z7mlZZJFMACm>h9v^2J9+^_zc1<NQ`E;}bmano=+KqF=1iDw+>=JjL#qM5ZHaThH&n
zXPTsR8(+)cj&>Un{6v*z?@VTLr{TmZ@-fY%*o2G}*G}#!bmqpoo*<pdMvH^(qd~4b
z&U$~Fo(WzrnMy~ykcI{stgLy~unZF&M1>Ay@U!JI^Q@7gj;Kg-HIrLj4}#ec<Vnys
z#0P7P+6h@<uM?dbofaPCeGw4^GKj)BhZ;UWJ+<6Nx^ge1;*1yP2rFzRz&wW{MTEr2
zHXxRizPbhoG%+`mqNb$aK0~}2_bn~FMY2@vFZ0AA!pFio4f|r;(+@Q1=`h#RqX!CO
zrKiCBy`_GlRuCrdEk+*L2qw)Xi3a$4Yu;T-ek#YzAVQMsU=A4R@x`B#O+Rf$w;qdW
z?}xS=&C)dEt1bY5wPQ*Qhbfh3qM{iKuWW?ZRgK1yH>4~D2~X6vo;ghep-@&yOivYP
zC19L0D`jjKy1Yi-SGPAn94(768<MS&a!S%v@?~BDz5em7uiJCVng8mCX4kKzoQ6PZ
z2Tk0a6O=C#;z%H(u6zVb=|H2_?Mkm8Gc%N0k^Pp7o_nH69Yyq@mT_v(ZVS($NBa&F
z6xwW+#+_X3s)pC4l=DX;IIvOLHG0qBsgo?lu%3&9euMN`&SyK73Bo<x@&AHA*=am&
z1@no;r9Z{@*~p)rGlS`fyJCBB`|!&7#=qvn{2=@K-S4-@S0u|BDv=7_-i!Ic_QmBs
zjXb>Tcf$urAf{)1)9W58P`6MA{YG%O?|07!g9(b`8PXG1B1Sh0?HQmeJtP0M$O$hI
z{5G`&9XzYhh|y@qsF1GnHN|~^ru~HVf#)lOTSrv=S<uFZ_;?KwDx~9UUr?%y@ex}8
z_9H~!Xc3m^qNrtT@3y|;1c?=J#VjGm2#~m8gbETU8K{z_hDYEnF$+2Q2Oc9Mp&ga4
z#Mhq}0`Jk@q}^00F79AOKffu=y|_%9nA^(yl2kj(9G$y+k?BKg2^S**>@DyR$UKQk
zjdEPFDz{uHM&UM;=mG!xKvp;xAGHOBo~>_=WFTmh$chpC7c`~7?36h)7$fF~Ii}8q
zF|YXxH-Z?d+Q+27Rs3X9S&K3N+)OBxMHn1u(vlrUC6ckBY@@jl+mgr#KQUKo#VeFm
zFwNYgv0<%~Wn}KeLeD9e1$S>jhOq&(e*I@L<=I5b(?G(zpqI*WBqf|Zge0&aoDUsC
zngMRA_Kt0>La+Erl=Uv_J^p(z=!?XHpenzn$%EA`JIq#yYF?JLDMYiPfM(&Csr#f{
zdd+LJL1by?xz|D8+(fgzRs~(N1k9DSyK@LJygwaYX8dZl0W!I&c^K?7)z{2is;OkE
zd$VK-(uH#AUaZrp=1z;O*n=b?QJkxu`Xsw&7yrX0?(CX=I-C#T;yi8a<{E~?vr3W>
zQrpPqOW2M+AnZ&p{hqmHZU-;Q(7<pG4gt)B4$6wsrn;hWv_Oig17Y?jJ&7E4<tmZn
zOCP%0<fYi!jPBWOw9w}#K7$n=jY!?ZAO-w*mO9|G92xj4(OrW0?2j);##sDv4x>?-
zP8L|Q0RM<y7372ia7WA3T&finv`tA1B}OSEw3SiAZho>~sB0w1w53f&Kd*y}ofx@c
z5Y6B8qGel+uT1JMot$nT1!Tim6{>oZzJXdyA+4euOLME?5Fd_85Uk%#E*ln%y{u8Q
z$|?|R@Hpb~yTVK-Yr_S#%NUy7EBfYGAg>b({J|5b+j-PBpPy$Ns`PaJin4JdRfOaS
zE|<<io8>HjH%NuJgsd2wOlv>~y=np%=2)$M9LS|>P)zJ+Fei5vYo_N~B0XCn+GM76
z)Xz3tg*FRVFgIl9zpESgdpWAavvVViGlU8|UFY{{gVJskg*I!ZjWyk~OW-Td4(mZ6
zB&SQreAAMqwp}rjy`HsG<WwCuHn5_unq_y9e#cRc8<%lnA}KbA9;x1=pR7&&N!F-G
zjdr@AW->({l2&q5Y52<@AULVAu~rWI$UbFuZs>Sc*x+XI<+ez%$U)|a^unjpiW0l0
zj1!<ZReHVMm7dlC$9b#yLY{IPu{3a%?*mdb?Ln7M9kK-6dElH{UJFdM&-U|~tV)|A
zbcx=;RI5^&eB34O5VoIsgM>K0(b6$8LOjzRqQ~K&dfbMIE=TF}XFAi)$+h}5SD3lo
z%%Qd>p9se=VtQG{kQ;N`sI)G^u|DN#7{aoEd<IbwTtn<2Y5Nlu3=6HqY@ID|;XJ`>
zkksYP%_X$Rq08);-s6o>CGJ<}v`qs%eYf+J%DQ^2k68C%nvikRsN?$ap--f+vCS`K
z#&~)f7!N^;sdUXu54gl3L=LN>FB^tuK=y2e#|hWiWUls__n@L|>xH{%8lIJTd5`w?
zSwZbnS;W~DawT4OwSJVdAylbY+u5S+ZH{4hAi2&}Iv~W(UvHg(1GTZRPz`@{SOqzy
z(8g&Dz=$PfRV=6FgxN~zo+G8OoPI&d-thcGVR*_^(R8COTM@bq?fDwY{}WhsQS1AK
zF6R1t8!RdFmfocpJ6?9Yv~;WYi~XPgs(|>{5})j!<TEFe=Er$+pf$t`J5iiJseKY6
zOKcLAm!-S>AR!voO7y9&cMPo#80A(`za@t>cx<0;qxM<p_$AQsg0LlIt|lbiT;}c3
zw^mT}aw%3C?rkh$t46uo%m3)>@S*m(jYP)dMXr*?q0E`oL;12}VAep179uEr8c<=D
zr5?A*C{eJ`z9Ee;E$8)ME<J+@MZh2qBdMetA0Ap@SWv(BczRx8QLfufLwM}8P0mCM
zqL)NPc0jmFO8S}^g)dV@LX%jnUO0Nfp9J$lfwZiNA(bY@QLPrgG(eM{>CqatHkbHH
z&Y+ho0B$31MIB-xm&;xyaFCtg<{m~M-Q<p|>DbY)fQ>Q*Xibb~8ytxZQ?QMf9!%cV
zU0_X1@b4d+Pg#R!`OJ~DOrQz3@cpi<UUDp%7N@Va%&%d{hBCU%M}b3(4mHNaXl%^x
zy!Jj<1JK)G8qrZwHKQaxXMHgDJ>Gy~XSKjZQQ|^4J1puvwKeScrH8o{bscBsowomu
z^f12kTvje`yEI3eEXDHJ6L+O{Jv$HVj%IKb<P1JL_~J>|J{IvD*l6IG8WUgDJ*UGz
z3!C%>?=dlfSJ>4U88)V+`U-!9r^@AxJBx8R;)J4Fn@`~k>8>v0M9xp90OJElWP&R5
zM#v*vtT}*Gm1<v7k$Q8)e+>^)Bv!s7<Pmunc}KvQIoTurYA$VFfn68@NS2!fMC<J7
zU5k+UNB7w2H5=t<P?=shL{5Ib0NG240C`@MTdpWV847hZ=*V+;L(?h<*^25EoClgz
zyD7a#m?)n<0d;}sfn7Zdh>2T3PB0yVIjJW)H7a)ilkAvoaH?)jjb`MP>2z{%Y?}83
zUIwBKn`-MSg)=?R)1Q0z3b>dHE^)D8LFs}6ASG1|da<c-!XQ(Z6e^nFF6CW&kh!QD
zJBO*^4S)F;_i)EMF6B*oE&=d8{@I29Wcz|o39n|gU$iV{0mmf~bE{AKN63AsId2PB
zg*_mqkTRn*8K3S&kIzHn;I0dhO)-->Dly_^lOSy&zIIhm*HXm1?VS=_iacG);_I9c
zUQH1>i#*?oPIwBMJkzi_*>HoUe}_4o>2(SHWzqQ=;TyhAHS;Enr7!#8;sdlty&(>d
zl%5cjri8`2X^Ds`jnw7>A`X|bl=U8n+3LKLy(1dAu8`g@9=5iw$R0qk)w8Vh_Dt^U
zIglK}sn^)W7aB(Q<l{uKGQ*rm=eJZ(-a1nFbLMjzjPyq^Zl*<ly16J->>HvrX=rxB
z+*L)3DiqpQ_%~|m=44LcD4-bxO3OO*LPjsh%p(k?&<Y@4%3KJjIC&Ci<sWjP2Dfw=
zuyvM4SPH14EA{O`2rzE>jvLp0py57oMH|*IMa(<|{m1(0S|x)?R-mqJ=I;_YUZA>J
z62v*eSK;5w!h8J+6Z2~oyGdZ68waWfy09?4fU&m7%u~zi?YPHPgK6LDwphgaYu%0j
zurtw)AYOpYKgHBrkX189mlJ`q)w-f|6>IER{5Lk97%P~<Lp)MD3iR}ejbGt7Rtt!H
zbM>a-JyCRFjejW@L>n4vt6#hq;!|m;hNE||LK3nw1{bJOy+eBJjK=QqNjI;Q6;Rp5
z&035pZDUZ#%Oa;&_7x0T<7!RW`#YBOj}F380Bq?MjjEhrvlCATPdkCTTl+2efTX$k
zH&0zR1n^`C3ef~^sXzJK-)52(T}uTG%OF8yDhT76L~|^+hZ2hiSM*QA9*D5odI1>&
z9kV9<p~_g)xTTw=X;R>jC~twA5MwyOx(lsGD_ggYmztXPD`2=_V|ks_FOx!_J8!zM
zTzh^cc+=VNZ&(OdN<cEfx!)Rv#OxA~Op%fRB@%V*lRYTee=t2@R^;Yw?#mEg+C=Q=
zojy#mB^&>=y4Juw)@8-85lwf_#VMN!Ed(eQiRiLB2^2e`4dp286h@v@`O%_b)Y~A;
zv}r6U?zs&@uD_+(_4bwoy7*uozNvp?bXFoB8?l8yG0qsm1JYzIvB_OH4_2G*IIOwT
zVl%HX1562vLVcxM_RG*~w_`FbIc!(T=3>r528#%mwwMK}uEhJ()3ME<NoNRheH>by
zQQjzqjWkwfI~;Fuj(Lj=Ug0y`>~C7`w&wzjK(rPw+Hpd~EvQ-ufQOiB4OMpyUKJhw
zqEt~jle9d7S~LI~$6Z->J~QJ{Vdn3!c}g9}*KG^Kzr^(7V<ce%+9mXv^Yaa3Jhd!0
zVk?95!P$`MAquqor+9D#c(4q*0U*gkAX5okY6G!AZg^p?IbWVd!~IAXj%<mibcw^E
z0M3HMVXuXDmhDXxE;Vjmfy%F+0X%+{&lK~`;T7cS`cLHThTCpHZupIqw|&Aqppk3r
z-&np;eZoZM2&XOVoZ;>I5Gk(mHLL{itj_hG?&K4Ws0+T4gLfi3eu$N=`s36geNC?c
zm<tGIMBC*Y4;VwmbLfiAj7y{1&1Jb>!~}vG6lx9Uf^5M;bWntF<-{p^bruy~f?sk9
zcETAPQZLoJ8JzMMg<-=ju4keY@SY%Wo?u9Gx=j&dfa6LIAB|IrbORLV1-H==Z1zCM
zeZcOYpm5><v|;Qz(!vWawg1_tKdRVrHI_W5DOUncaXPaZDhIYYS>U2fU7V*h;%n`8
zN95Qh<STRuU64jVjbmKjdqZSJY%8zw4$Tfj@Wvru9*X0H8*3HTGDxdEq_neggWPUu
z?xft@*y1f4!?2gYA)>fD994={1*<2vKLCNF)feKOGk`R#K~G=;rfq}|)s20&MCa65
zUM?xF5!&e0lF%|U!#rD@I{~OsS_?=;s_MQ_b_s=PuWdC)q|UQ&ea)DMRh5>fpQjXe
z<T?`@;|?};a~ft^83ljDfAQ3!94d~hNv5n{)4AwKJATa`zA71ee}fN!jaN8Z#4EjL
z-f$?vQg}|9Xo{%n!=1Mx&dq=e%YrtN37{wyLgfqAgdwo({~~Q__5WR5p+@9NOz51F
zn`CL;9K(yDAz%jg^1P_Hc`Bi##Ur7V7Egt@oIK-E#LjT)$}{W%w45C#V=-fOXxI=t
z^7_J*h#~Pik#Js#zy5ys39=Vz5a6#V82w{&CtitoXAwOl8~H^TQXd+vIaX<UxmEZ+
zVA?E;a0GBuKV>%9#*x=7{iRCtBKT#H>#v%>77|{4_slZ)XCY{s3<vj3F!Lf~Ms<;i
zbhaGgzo{F~=cvK)<7sgUCyNidX;S2p_?WD^=yZOmYaGxQQ-~@!!w5=kxBhe-MppxS
zf%rYJdpz6$k?w>j_r{tdpvb#|r|sbS^dU1x70$eJMU!h{Y7Kd{dl}9&vxQl6Jt1a`
zHQZrWyY0?!vqf@u-fxU_@+}u(%Wm>0<h|8_^}%F!#OlpyrbcO<dw!GUDNyxENZ?*z
zXa;m>I#KP48tiAPYY!T<suq7MlJU4p2C@*^!}?Z}Bs+ffZEdwIV~rhP4EI#LVSE#E
zKAv&oq@=|P;@PtQ@(J{wnUWAbS17e!I7@`^bq|U&TSNB%V@)WhqU`zr*SYoRa15`t
zq@?ryhS#AfQ#j8*PNC?6U-qg<^sQ_jI^Oh8HLIjwIVAJWx<QIp$*(EZ9$rxFs<o(f
z&qU=|nW^RP$x<u*s5N|2WXF}vN|`Y{xjc0I<5vRQ@T4U1{aj`*N<gWmUnEJdAd=LM
zS<sS>dW(o|KtVI|EUB9V`CBBN<Jb6P#IAaNVgj&r>aBLVih7+yMVF|GSoIQD0Jfb{
z!OXq;(>Z?O`1gap(L~bUcp>Lc@Jl-})^=6P%<~~9ywY=$iu8pJ0m*hOPzr~q`23eX
zgbs;VOxxENe0UMVeN*>uCn9Gk!4siN-e>x)pIKAbQ<D_NGuAv_X}p9rcKdkJ-CY72
zY;M@t?NA)MG(kc+%pPv#HrW@CR&+GK&%ZfgLEA^}da`PjtxP`2he{N2tMkOQBzSdU
zqbmpW3;gHqz$`asO$luCw6=w|wgSS|BN5dhU^m;NTBn4zBEe1bKmQJTcIjeq=_4;-
z<%Lk#6J$}CB#|%0(w^Q++N0xCR7{uhNVvN{SCZ__oxC7+<4L39n=PVh0~(Pz$Z2kz
zsD-eU@YACA>z!G)TcqIJ0`JBBaX>1-4_XO_-HCS^vr2vjv#7KltDZdyQ{tlWh4$Gm
zB>|O1cBDC)yG(sbnc*@w6e%e}r*|IhpXckx&;sQCwGdKH+3oSG-2)Bf#x`@<4ETAr
z0My%7RFh6ZLi<P3fz)VD6=F(UIjNi&4<Piytn-i3OvEhi7O_1<!4Bb=elUisJ5+JC
zX3<Z{mUVV<bu6}1{$m+MIUKl?IZ(DneHsoYb;kLtxDj9+Q`hKxkGfO!F3`9no26-x
zqe3&#LrJ-tqEc7B*%q?Pp5?r>Z_;X6Mu1YmXx7C$lSZ^}1h;j`EZd6@%JNUe=btBE
z%s=Xmo1Ps?8G`}9+6>iaB8bgjUdXT?=trMu|4yLX^m0Dg{m7rpKNJey|EwHI+nN1e
zL^>qN%5Fg)dGs4DO~uwIdXImN)QJ*Jhpj7$fq_^`{3fwpztL@WBB}OwQ#Epo-mqMO
zsM$UgpFiG&d#)lzEQ{3Q;)&zTw;SzGOah-Dpm{!q7<8*)Ti_;xvV2TYXa}=faXZy?
z3y?~GY@kl)>G&EvEijk9y1S`*=zBJSB1iet>0;x1Ai)*`^{pj0JMs)KAM=@UyOGtO
z3y0BouW$N&TnwU6!%<gf6*u=C<iEed;KBwJxLRtV%EsYYZE^_I&am&FwOQIrs&rNv
zsJkfwCitU8wV%PAV4*8&C!5{qUgyYY#T}|<>zS%nIrnANvZF&vB1~P5_d`x-giHuG
zPJ;>XkVoghm#kZXRf>qxxEix;2;D1CC~NrbO6NBX!`&_$iXwP~P*c($EVV|669kDO
zKoTLZNF4Cskh!Jz5ga9uZ`3o%7Pv`d^;a=cXI|>y;zC3rYPFLQkF*nv(r>SQvD*##
z(Vo%^9g`%XwS0t#94zPq;mYGLKu4LU3;txF26?V~A0xZbU4Lmy`)>SoQX^m7fd^*E
z+%{R4eN!rIk~K)M&UEzxp9dbY;_I^<z6SRx&;ge+MnfR=LP4lbl*GlbJMl=;M7>c}
zOc{wlIrN_P(PPqi51k_$>Lt|X6A^|CGYgKAmoI#Li?;Wq%q~q*L7ehZkUrMxW67Jl
zhsb~+U?33QS>eqyN{(odAkbopo=Q$Az?L+NZW>j;#~@wCDX?=L5SI|OxI~7!Pli;e
zELMFcZ<bg~PJE<rY>tJY3!|=Gr2L4>z8yQ-{To>(f80*#;6`4IAiqUw`=Pg$%C?#1
z_g@hIGerILSU>=P>z{gM|DS91A4cT@PEIB^hSop!uhMo#2G;+tQSpDO_6nOnPWSLU
zS;a9m^DFMXR4?*X=<qwp0>}d7l;nXuHk&0|m`NQn%d?8|Ab3A9l9Jh5s120ibWBdB
z$5YwsK3;wvp!Kn@)Qae{ef`0#NwlRpQ}k^r>yos_Ne1;xyKLO?4)t_G4eK<Q62tM^
zi3!pz7{^fEGTr8{(f#W&Re=O*i3#l1dMP2CM@R9Dz7(}LH_=oT4s2({F6)NqjLkfn
zWyb9}W9)`Eu!Z8~Tk)-$ftsw64V9oQ!&L>~wkUS2A&@_;)K0-03XGBzU+5f+uMDxC
z(s8!8!RvdC#@`~fx$r)TKdLD6fWEVdEYtV#{ncT-ZMX~eI#UeQ-+H(Z43vVn%Yj9X
zLdu9>o%wnWdvzA-#d6Z~vzj-}V3FQ5;axDIZ;i(95IIU=GQ4WuU{tl-{gk!5{l4_d
zvvb&uE{%!iFwpymz{wh?bKr1*qzeZb5f6e<hIoTpEPx(5QYd%^TYj)|S%=LSr!JTs
zz!;*wB%3?qZoTm|(U@GJ+#WuaK@<xquK@r4JW{I|?LhkR#^Q(lZ<%iY8sqr4Yy6*A
zRP{^`YZZkjC>6m_ozRF&zux2mlK=v_(_s^R6b5l<OklUMWKH5m9CK)GA(}BNrnAhY
z)mdhvSSE{gE9<H_hJ>u?_W4W3#<$zeG~Pd)^!4tzhs}-Sx$FJP>)ZGF(hVTH|C3(U
zs0PO&*<Bq@X!wy{g3X=$ULK*~ws9t@GTdzNv=8$q3p#^9{iAshe2<iFXWu|*=#t*^
zHiMowYBuE7!#m)z7kwaYz#Uc(_5ibIU;zg~@927U0DWlH<0UlQF4CPh*e--2*e>h_
zNA-&qZpTP$$LtIgfiCn07}XDbK#HIXdmv8zdz4TY;ifNIH-0jy(gMSByG2<C3EzZ8
zhJn#!of$=`Z!hW|DTzs`N(xHpzG~5_y<$0J`1RsK1TZ1v{7!~LCAC@6G637W!~rk|
zLx+h*<9F&&V-5Ie2REOa1?BIx`oEMIjt$k+8IcS%|EII70E=pQ-+-W`(g+CBps;jE
zhtk~$2oej@U6M;lmo$jPN{1kgAl)GCrAtadSp-2s|A(twE-P34{pWf1IZMp@&U{nf
zIWy<|G__isvfkx&jFyQpKg<vGx_3kCalUAl^%NntK#6(2lW1e<U)CGbFQUPSU&Hih
zN~SsTvwJ7vUK%oWe<^FW<$VJlS91FR+Ang7i@BCO7_QPS9$yRY9L+a`GWU$_BS$My
z%KO<mCE#1|s27xKI4jobQyI#G#shn67pXsz&cAj4?7POazD<?>EF~Th#eb_TueZC`
zE?3I>UTMpKQ})=C;6p!?G)M6w^u*A57bD?2X`m3X^6;&4%i_m(uGJ3Z5h`nwxM<)H
z$I5m?wN>O~8`BGnZ=y^p6;0+%_0K}Dcg|K;+fEi|qoBqvHj(M&aHGqNF48~XqhtU?
z^ogwBzRlOfpAJ+Rw7IED8lRbTdBdyEK$gPUpUG}j-M42xDj_&qEAQEtbs>D#dRd7Y
z<&TpSZ(quQDHiCFn&0xsrz~4`4tz!CdL8m~HxZM_agu@IrBpyeL1Ft}V$HX_ZqDPm
z-f89)pjuEzGdq-PRu`b1m+qBGY{zr_>{6Ss>F|<HR3fdmQIEk)2Sh}0yO~96C1H<%
z?QzVeMOyeG53X0w(8tYWACBt{TjL#WIIj{m`My#tMB;vJ{a~L+FxMlWMgTKK^KR0o
zJ;X}EooSp!+2+G$e0wWSL-uZ;icHwY>xHZlJj9dt5HD$u`1*WZe)qEIuDSR)%z+|n
zatVlhQ?$w#XRS7xUrFE;Y8vMGhQS5*T{ZnY=q1P?w5g$OKJ#M&e??tAmPWHMj3xhS
ziGxapy?kn@$~2%ZY;M8Bc@%$pkl%Rvj!?o%agBvpQ-Q61n9kznC4ttrRNQ4%GFR5u
zyv%Yo9~yxQJWJSf<lJl-iWu&1UwGnK(pvra?!Ge}y|x}g-8E3%rQnB2p@S*aS0l>j
z?#HY$y=O<nlXsK9%dUnfsdN1u-Swe<-W_b&r&^uHFD7qA9zLa8;*KhGP$Wd1TRU3&
ztEwlUTD>~F|2pZs22pu|_&Ajd<gZcA$Jk5{2YpKm>+D(Mt!nPUG{|1nlvP`=R#kKH
zO*s$r_%ss5h1YO7k0bHJ2CXN)Y<zvl5N}16U~{2_GuG6q#_|JfMPqxfGtP5?Y4Mg|
zyuvVEU!;&g*bD4Uw&V&*(NB>d6C<gbrz78@@`&t*Y)2+zhDQ!r1~__bZ$!MIY{hdK
zBvhOU_=wf9=WDc_17is97>Hn~W!R=SqkWe=&nAZu(Q1G!xgcUilM@YVei@2@a`8he
z9@pM`)VB*=e7-MWgLlXlc)t;fF&-AwM{E-EX}pViFn0I0CNw2bNEnN2dj!^4(^zS3
zobUm1uQnpqk_4q{pl*n06=TfK_C>UgurKFjRXsK_LEn};=79`TB12tv6KzwSu*-C8
z;=~ohDLZylHQ|Mpx-?yql>|e=vI1Z!epyUpAcDCp4T|*RV&X`Q$0ogNwy6mFALo^@
z9=&(9txO8V@E!@6^(W0{*~CT>+-MA~vnJULBxCTUW>X5>r7*eXYUT0B6+w@lzw%n>
z_VjJ<2qf|(d6jYq2(x$(ZDf!yVkfnbvNmb5c|hhZ^2TV_LBz`9w!e_V*W_(MiA7|=
z&EeIIkw*+$Xd!)j<aFr1R~xS}s~%p?Tvbh^pTwhKxj)!tQV8+Fl)bzUj`73ZqG~f+
zWSqF|`Gl$F?L)li$PwFjgAh#|DN8z!3tX5Sk_}`_4}-ZspoOseDU{j7Ti8%*vj}b6
z!IL&Z(PW4r+7(`f(&N9n^0NAMH0{AUeVSnnjZI%3h9AB_P13b({Q?6h@ewu{vztxi
zi*&5Pl_mU)Ysqz^vmyhLIWWvN)Hw=`Cx$Vrwrqq?{hpCEd*k5Ph0hP@wEBG#s4-aR
zr>8<@_<}A5;~A_>3JT*kX^@}cDoLd>Qj<`Se^wdUa(j0dp+Tl8EptwBm{9OGsdFEq
zM`!pjf(Lm(`$e3<VugKu#}L&f$tPP-i|8Q%zt8Y0zy98R@0)>FLOjqA5LnN5o!}z{
zNf}rJuZh@yUtq&ErjHeGzX4(!luV!jB&;FAP|!R_QHYw#^Z1LwTePAKJ6X&IDNO#;
z)#I@Xnnzyij~C@UH~X51JCgQeF0&hTXnuoElz#m{heZRexWc<T<>0k4<>0+ClX7%0
zEBqCCld1tD9Zwkr4{?Nor19#E5-YKfB8d?qgR82-Ow2^AuNevly2*tHA|sK!ybYkX
zm-sLQH72P&{vEAW6+z~O5d0qd=xW~rua~5a?ymYFSD@8&gV)E5@RNNBAj^C99+Z5Z
zR@Pq55mbCQbz+Mn$<DWdXQ3R#5&V?~bks;#i}6WLoWplVhIsF#fA%#X=}+{bA9=wr
zM^>d_CMW<-+?TU960agEk1J<>d>0K=pF19yN))a~4>m^G&tc*xR+yMD*S=yip-q=H
zIlredHpsJV8H(32@Zxc@bX6a21dUV95Th--8pE6C&3F>pk=yv$yd6@Haw;$v4+Fcb
zRwn{Qo@0`7aPa2LQOP}j9v>sjO<JEcz!71PwCy&w1EL#RH@3db^Ta;FM00H0|Mp0R
zTpn{$THw|Y^1IL=kOtj&J`-2ec-4zB&kyxvlF+QM;i6t6y+_@6dbj@S^owU3pQ_HH
z9V4D!R*q77p6}D`1gWi#=H#L`<?!BK(-r>o5K<lY0`DON8bR;qp%j?!ikO3v{CO;C
zr0hoVGpgX&#zAv@v~t0WKK3UWhFI@!4za_cZypgom@RlHWXjhb*zkH>qvn|`FLizX
zB+@<Q$;$QqzF2GLY>-u4Lw|jsvz{p^>n8Vo8H2peIqJJnMN}A)q6%$Tmig7eu^}K2
zrh$X?T|ZMsoh{6pdw1G$_T<`Ds-G=jc;qcGdK4{?dN2-XxjDNbb(7pk|3JUVCU4y;
z)?LXR>f+AAu)JEiti_Zy#z5{RgsC}R(@jl%9YZ>zu~hKQ*AxbvhC378-I@{~#%Y`Z
zy=a=9YpewPIC+gkEUUwtUL7|RU7=!^Aa}Mk^6uxOgRGA#JXjWLsjFUnix|Mau{hDT
z7mn*z1m5g`vP(#tjT0Zy4eAY(br&!RiiXE=ZI!{sE1#^#%x^Z7t1U)b<;%Y}Q9=5v
z;wp<LcU26iy~^KE9SueUhM9hSw5kFoch;KoAlT!eZTy6~rH?gNli?L&L}beKU`4T0
z({~FKWDwz-RkBOo`jHu$QZ~kQ5hqg(17SNo!H8^sKoQ@sO@9*??XWU5dC7fKZfAM^
z2&bW;u5NQsiN78LoRoCLadg3L1V;2%Am2iq%z(Q$=@X7Rr39Bjk?oA-7B^0IaaHoZ
z3%j;&y}ZdKT?VLFIiCAzK=`ZWp2^>DCEZ@OE36TWT=|gxigT@VaW9BvHS05;_P(#s
z8z<ixvefPSW(R``v-ey(C3!C1-J|HQHNtMWDk@k-%_AI{727f2fp)E3nzP2zne83t
z(KHQ3Yp(UnUc1B>I4XFQys}q)<X?lz9;PIDH}W2ejg(xq4^Dln*?prNo2!$AYL(&x
zQ^n*upjhh><`tkX$WnSarn{3e!s}4(J!=Yf>+Y>cP3f;vr63f2{|S^`_pWc)^5_!R
z*(x-fuBxL51@xe!lnDBKi}Br$c$BMZ3%f2Sa6kLabiBS{pq*yj;q|k(86x`PiC{p6
z_bxCW{>Q2BA8~Ggz&0jkrcU+-$ANBsOop*ms>34K9lNYil@}jC;?cYP(m^P}nR6FV
zk(M%48Z&%2Rx$A&FhOEirEhY0(dn;-k(qkTU)sFQ`+-ih+s@A8g?r8Pw+}2;35WYf
zi}VO`jS`p(tc)$X$a>-#WXoW!phhatC*$}|rk>|wUU71eUJG^$c6_jwX?iSHM@6__
zvV|6%U*$sSXJu9SX?2%M^kK|}a2QJ8AhF{fuX<l$E^Sy6fzZeBWpXwtZtJ*+^5CvK
zm5o@)Vb`rsjDy{;ty&^h;yuf(Qr~Ixfg8~=YlY3#vkGe-He?J$+-qAU_lqZP;hegA
zk*AEh4ihR~5Jo#08klD@qHx90U57vSVf9#s#`LJAUz(qMmmvGKi`3#h#kmAJjG9h6
zQ)B)8jyj(255#*8@2i<tO5B5CO)}P|yt3DVt)qJDZd`sE+o{(_Ii^q?>rHZxXsI~O
zGKX45!K7p*MCPEQ=gp?eu&#AW*pR{lhQR##P_*{c_DjMGL|3T3-bSJ(o$|M{ytU}>
zAV>wq*uE*qFo9KvnA^@juy{x<-u*#2NvkV={Ly}ysKYB-k`K3@K#^S1Bb$8Y#0L0#
z`6IkSG&|Z$ODy|VLS+y5pFJx&8tvPmMd8c9FhCyiU8~k6FwkakUd^(_ml8`rnl>JS
zZV){9G*)xBqPz^LDqRwyS6w86#D^~xP4($150M)SOZRe9sn=>V#aG0Iy(_^Yc<Qa{
zc=f(3k0FXE4g8yHjnttlIF~$;u0A21@bchm@(lE%*(K8|UX&n%>PpIz8QYM-#s+n%
z@Jd?xQq?Xk6=<3xSY7XYP$$yd&Spu{A#uafiIfy8gRC`o0nk{ezEDjb=q_qRAlR1d
zFq^*9Gn)yTG4b}R{!+3hWQ+u3GT~8nwl2S1lpw`s<ATc7q8AYRlt3+=;0YO5Kh=m6
zcJQSxR8f1@n@G{FQOYA>0X_qpxv)g+JIkVKl${sYf_nV~B>Em>M;RlqGb5WVil(89
zs<BCtUSSVUPQs2-L)cP6#hn*j_NRz!rNALK#^L&c9rXdhSPT_+NmK*)Z5xF$xiJ=3
z8+Mc<!WJ?e3I&g_14W8h)QxMzSB66MIj*RP^*N)W9*O3{I9!<#lwG5$#G;69c_Ici
z`@Ou~cYuw(AE3NQtoUi`%GvRnV9k1A0~o8pga`->=ld@|#;dq1*vQGz=7--Br-|l)
zZ%Xh@v8>B7P?~}?Cg$q9_={59l%m~O&*a6TKsCMAzG&vD>k2WDzJ6!tc!V)+oxF;h
zJH;apM=wO?r_+*#;ulohuP=E>^zon}a$<j`_j%GZX3(oc_SxO~-G*=c4ZAbD8%BzP
zd)Pi)VtGNDLDj>NnlcQ{1$SO*i=jnGVcQa^>QOILc)e6;eNTI>os=eaJ{*^DE+~jc
zS}TYeOykDmJ=6O%>m`i*>&pO_S;qMySJIyP=}4E&J%#1zju$RpVAkZbEl+p%?ZP^C
z*$$2b4t%a(e+%>a>d_f_<<lO{*K50r$dT8<<B_m+L}7)kTP?9nuT8`~rXnwmPpNu&
z_<Hj7^*-8j&~7D0OWBmB6J|2NeYzm{G=39Rh<aW*6|DbSdXI^GaeRfwgIs@eF%-$X
z>JjxI#J1x;=hPd1zFPx=6T$;;X1TD*2(edZ3f46zaAoW>L53vS_J*N8TMB|n+;LD|
zC=GkQPpyDY#Am4l49chDv*gojhRj_?63&&8#doW`INATAo(qY#{q}%nf@eTIXmtU<
zdB<7YWfyCmBs|c)cK>1)v&M#!yNj#4d$~pVfDWQc_ke1?fw{T1Nce_b`v|Vp5ig(H
zJvRD^+p<xU1eMV2Dp)d&jL}1T-4yJBks?w&E4)Bl#ayf5z?e)=tGbQS;h3(gA$e=k
z6KY(=q)^im5{@d1i=Ix4={^<VU*;0T*7?%g*~`NlJ)S&FWzzYph<0?QcO=pLP8?e$
z*FaH6Y-^O^gO|=h>s46^hLX;=e2!2e;w9y1D@!D$c@Jc&%%%IL=<b6daWfefB)Aj<
zmFAkvPGmuOH|UXs98|Izd34i4mjd%!t1Qfh2QG#C`?Q72>+xzw55&2?darw=9g~>P
z9>?Kdc$r?6c$m%x2S$sdpPl>GQZ{rC9mPS63*<SW1ss4Nyr-0;)>qjCVa?OIBj!fW
zm|g?>CVfG<LKn)qVK&7vOUVLdB{HCz?|MJr^jJ<qMG*a<=xVmP)}?vXFtiYfxJQ@S
z#a>XNjOfcyqImXR_(tXS(F{FcoNzKvG5R$IgGaxC@)i(e+$ME}vPVIhd|mx2IIE+f
zM?9opQHIVgBWu)^A|RzXw!^??S!x)SZOwZaJkGjc<_}2l^eSBm!eAJG9T>EC6I_sy
z?bxzDIAn&K5*mX)$RQzDA?s)-no-XF(g*yl4%+GBf`##bDXJ==AQk*xmnatI;SsLp
zP9XTHq5mmS=iWu~9E<z?vk<wVk?axOB(w*1mgxPEOC4Q_bKOg8aZS|<Jy7e5qZiZy
zi_|O~v^<Tb8jU^hW(}=ov(p@txag^UbHjwTdt5JHG|siOz_cTtZE_L!P;3VdkA;2O
zLo^GkBN2HNqX9mQqP?;}M=Weu;f8w@!h2(}g9(ObqEVL=EgisIBV{7fu4ome13nCE
zdwW~^rkG^r1c_Jwl>S>b%Q=1aMa|ya^vj$@qz9S!ih{T8_PD%Sf_QrNKwgrXw9ldm
zHRVR98*{C?_XNpJn{<p15xt>abA!oix_mowRMu^2lV-LPi;0+?-F(>^5#OHX-fPED
zCu^l7u3E%STI}c4{J2!)9S<WqRBxZXWrLfD3v(g<)+j7~DBJ!D1`Yc*cLPVUN6i!o
z<WHr{5RdXyi7LHb^NKbKUg}tH*PPH!`V-!@Sd!s(E-vzsn6!5N&eAaqoX%HxTMM{P
zIJeCXkWwFSIEY&)8%SeRPki$2eJ?TcIF$5@j`=f}32hbX8_y10W!UQZL+acoY3HWL
z^6U9-tleDkD!6JsRBj>UlGP_@!d?5W^QJXOI-Ea`hFMKjR7TluLvzC-ozCPn1`Tpy
z!vlv@_Z58ILX6>nDjTp-1LlFMx~-%GA`aJvG$?8*Ihn;mH37eK**rmOEwqegf-Ccx
zrIX4;{c~RK>XuTXxYo5kMiWMy)!IC{*DHG@E$hx?RwP@+wuad(P1{@%tRkyJRqD)3
zMHHHZ4boqDn>-=DgR5VlhQTpfVy182Gk;A_S8A1-;U1RR>+$62>(MUx@Nox$vTjHq
z%QR=j!6Gdyb5wu7y(YUktwMuW5<@jl?m4cv4BODiT5o8qVdC0MBqGr@-YBIwnpZAY
znX9(_uQjP}JJ=!~Ve9#5I~rUnN|P_3D$LqZcvBnywYhjlMSFHm`;u9GPla{5Q<X)1
z%$Q)YQ_xs_u@fVbNBxjMBTpgM&=XlBlp}w#R&41H+3NH%W*0}&d|5rv#al8&><AlF
z8HoEcIWb_>D7(7*6Tb3Svr8;(nuAd81q$*uq6HC_&~je*Ca7hP4sJp0av{M8480wF
zxASi7Qv+~@2U%Nu1Ud;s-G4CTVWIPyx!sg&8ZG0<u*j8bI(fE4R+~6W9t@%ANP1F@
zp$eJoBlfrurBBjoT#vaVVYUuEOoWffDHI4t?-V4p5pZZ3DkD`0^rkb1n)as8WP>Wq
zG_}i3C(6_1>q3w!EH7$Kwq8uBp2F2N7}l65mk1p*9v0&+;th=_E-W)E;w}P(j&it;
zv5o9#E7!G0XmdzfsS{efPNi`1b44~SZ4Z8f<yhFr_4W{*sa2b)64y#l+N#ywviYKA
zHs^$|vSmQ9h25pfc|F}ni`8kid}w)OD+3UEhP%9Dlwy33NMgJ*oN!k%?qfbTx#r!J
zY-dPtmtNT~GY1Wt*spshItZ8i4R+jh2L%btp^)9t=mbb(EpeeR#tnR}gtoxxvFD|m
zhb}`&kCesZUqA7FVifG~RXu8NP->uX!I}#8g+(wxzQwUT#Xb2(t<I|Vdp4<hf#R}E
zO$m~GhlyfnIij1YM1#7L8*;8lzFA>bY1+EUhG<XbGlkEvuzFKy+tnOPm$r=L#YRzV
zwl2E?nbHJTp_m!TZ`;N8RAqq@pSx_H9#jNyRdy^@&BAm<aBE+@>KoT@KEU9Ktl>_0
z%bjDJg;#*gtJZv!-Zs`?^}<Hop~&Xqn<t%=;~lIDY-u92ye&Z%8~1AbQ5!`jhH%qI
zx(5`}Haa*r;yTwa;Iry8BUl6}+9-EGitaF$Aq_C?<%Xbp{$*-bSPHf$IdY92oxi$9
zcggG$CBdW=NKdNvJ@yJUY`u+>v5eKmnbjqlvnSzE@_SP|LG_PJ6CYU+6zY6>92%E+
z=j@TZf-iW4(%U{lnYxQA;7Q!b;^brF<nu9$;OS+a41|h`ofOZC21#Y@_xv+k3^Ljg
zEP^3r*gL6M9RW3lIubK}wzMJ3Vq#cPO<cz7xXnc!R;|M8d|v`nL0G&xB&n;gb?&kd
z#fHl)FBAfL#Kd5aQG;&jsz|6*t@OWoiXQ1Qs^e+x9z47f=xOXd8X%iV!R%6NpDAQ2
zTW=KVlc2NZatQ2fBO>8n0D>)`q5>|WDDXLrqYU_tKN2>=#@~OE7grMnNh?UOz-O~6
z6%rHy{#h9K0AT+lDC7q4{hw^|q6*Ry;;L%Q@)Ga}$60_q%D)rv(CtS$CQbpq9|y1e
zRSrN4;$Jyl{m5bZw`$8TGvb}(LpY{-cQ)fcyJv7l3S52TLXVDsphtv&aPuDk1OzCA
z4A^QtC(!11`IsNx_HnSy?>EKpHJWT^wmS~hc^p^zIIh@9f<nT83VyE*=trSIMwSK+
z4z|GFEwin?jV;*T(G2VW4|oi4V$|b?I7v{*;m?4!2KEM4VBj1m$Qrmh{2}a>6U@I2
zC=Mve{j2^)mS#U$e{@Q?SO6%LDsXz@SY+=cK_QMmXBIU)j!$ajc-zLx3V60EXJ!qC
zi<%2x<u`s6FSLLTv<|cn{|Pp5g+jgo+oN!0JAnt({C-&Q&xt&X`rRaf=9UHOa<(4N
zfldWS^e<RZds8PXAUYACtOvF|eLw<Vj~BBG`@{geDFA=A=_Ck#1^*lKsG6XUA_1@M
zoBr4<KCuuKk`3G@{&%Sre^J!KjgXRO0MHWfIlj?6Nl?i8wO?T>8Q24YN+&8U@CIlN
zrZkcT9yh%LrlGS9`G)KdP(@9Eo-AQz@8GEFWcb7U=a0H^ZVbLmz{+&M7W(nXJ4sN8
zJLR7eeK(K8`2-}j(T7JsO`L!+CvbueT%izanm-^A1Dn{`1Nw`9P?cq<h|F<+{0IyH
zi8D-XK*RiZ>;7no+XfC`K(GO9?O^5zNIt4M+M8LM0=7Gz8UA@Z0N+lg+cX)NfazRu
z5D)~<a5^&n0jI1r5GnDy`M#F|h(qiMKHrd*pVsPffa+}n9r&yvC)xjiO5V)D0jSV-
zGGG|~f~m<FCo&&kY6Y0iR%(jt514*XxER=je_N@~Rw;NXK<|(S7GRz;_L~O|?EJRP
zzEl0Kks34-UgZF@NftnKd<^I$K_P>HA^(u%w^cz+@2@_#S|u>GpB+j4KzQ^&Wcl9f
z&hG#bCA(Yk0D&t&aJE^xME^&E-&xGHhXn%}psEIj641H+Nl-}boj;)Zt*t(4wZ5DN
z@GXF$bL=&pBq-#v<R9RxTU-1O0|)yvA4xba;H&`N3f&14aD_soWPVR}ep`@)E(vu3
zg+~Bz&teka`w8=Ja~S`ahL2bA^D*6KQ5+`#qlg3T%XFrkbl~4(ejf_wBkMZ1i+KP8
z00S5Rd}okl9{h}KZ(|NNa{T{z1?aDD2_Ewt0=3{h!$WTV6A%3M@xSczn`QhM8DRK3
zVgI-y{Oy6kEY8q4IhtAi<boY%ILQqtp!`V34lt$V&$-R4ftA$S;AfcY{Zw*wfIWkO
zN%HJ)*Zw68;IpdP8#sgQ9Ski076v-mF^6ATl(pNMM1g`517i@FK>kTkh>7hl%K5|3
z{`Vn9b$iR-SoGENp}bn4;fR3>9sA%X2@1L3aE9yTra;Wb#_`xWwLSLdfu+PAu+o3|
zGVnpzPr=ch{uuoHjtw7+_!L_2;knQ!DuDl0R`|%jr+}jFzXtrHIKc323?JO{l&;VF
z*L1+}JU7%QJOg|<!Bd8Mzh5$(Z*X{#@KZSM#9zVz<vk}ZGJI*_HMvjW>5|Tc|D8fN
zJORAg=_vsy{ak|o);@)Yh8Lkcg@$FG3k@ep36BRa^>~UmnRPziS>Z=`Jb2x*Q#`%A
zU*i3&Vg?TluO@X0O<nja==1v+{2K<RX!qLBMf>;r2Jl6LKLUOVhSqg1*qOt^|8*c7
zo(298@+r$k_wQNGHv{|$tW(T8L+4_`FQ{kEW5Jgg{yf7ey4ss_(SNKfz(N9lx&a;<
je(UuV8hP?p&}TPdm1I$XmG#(RzlD&B2izSj9sl%y5~4qc

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 3999f7f3f6..ca8f2653b1 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionSha256Sum=3e1af3ae886920c3ac87f7a91f816c0c7c436f276a6eefdb3da152100fef72ae
+distributionSha256Sum=9d926787066a081739e8200858338b4a69e837c3a821a33aca9db09dd4a41026

From b038f93f9711f6a48e96fa82f5830534502d58f6 Mon Sep 17 00:00:00 2001
From: Andriy Redko <andriy.redko@aiven.io>
Date: Fri, 5 Jan 2024 04:31:57 -0500
Subject: [PATCH 013/143] Refactor SSL handler retrieval to use HttpChannel /
 TranportChannel APIs instead of typecasting (#3917)

### Description
This is cherry-pick from
https://github.com/opensearch-project/security/pull/3514 to use the
channel properties instead of type-casting

### Issues Resolved
Closes  https://github.com/opensearch-project/security/issues/3911

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
The change is covered by existing test suites

### Check List
- [X] New functionality includes testing
- [X] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
---
 .../security/filter/NettyAttribute.java       | 17 ++++++++--------
 .../security/filter/OpenSearchRequest.java    | 15 ++------------
 .../transport/SecuritySSLRequestHandler.java  | 20 +------------------
 3 files changed, 12 insertions(+), 40 deletions(-)

diff --git a/src/main/java/org/opensearch/security/filter/NettyAttribute.java b/src/main/java/org/opensearch/security/filter/NettyAttribute.java
index 46bf0296cb..3a035a390b 100644
--- a/src/main/java/org/opensearch/security/filter/NettyAttribute.java
+++ b/src/main/java/org/opensearch/security/filter/NettyAttribute.java
@@ -12,7 +12,7 @@
 
 import java.util.Optional;
 
-import org.opensearch.http.netty4.Netty4HttpChannel;
+import org.opensearch.http.HttpChannel;
 import org.opensearch.rest.RestRequest;
 
 import io.netty.channel.Channel;
@@ -25,11 +25,12 @@ public class NettyAttribute {
      * Gets an attribute value from the request context and clears it from that context
      */
     public static <T> Optional<T> popFrom(final RestRequest request, final AttributeKey<T> attribute) {
-        if (request.getHttpChannel() instanceof Netty4HttpChannel) {
-            Channel nettyChannel = ((Netty4HttpChannel) request.getHttpChannel()).getNettyChannel();
-            return Optional.ofNullable(nettyChannel.attr(attribute).getAndSet(null));
+        final HttpChannel httpChannel = request.getHttpChannel();
+        if (httpChannel != null) {
+            return httpChannel.get("channel", Channel.class).map(channel -> channel.attr(attribute).getAndSet(null));
+        } else {
+            return Optional.empty();
         }
-        return Optional.empty();
     }
 
     /**
@@ -50,9 +51,9 @@ public static <T> Optional<T> peekFrom(final ChannelHandlerContext ctx, final At
      * Clears an attribute value from the channel handler context
      */
     public static <T> void clearAttribute(final RestRequest request, final AttributeKey<T> attribute) {
-        if (request.getHttpChannel() instanceof Netty4HttpChannel) {
-            Channel nettyChannel = ((Netty4HttpChannel) request.getHttpChannel()).getNettyChannel();
-            nettyChannel.attr(attribute).set(null);
+        final HttpChannel httpChannel = request.getHttpChannel();
+        if (httpChannel != null) {
+            httpChannel.get("channel", Channel.class).ifPresent(channel -> channel.attr(attribute).set(null));
         }
     }
 
diff --git a/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java b/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
index 80ede8b2c1..e86012f594 100644
--- a/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
+++ b/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
@@ -17,7 +17,6 @@
 import java.util.Optional;
 import javax.net.ssl.SSLEngine;
 
-import org.opensearch.http.netty4.Netty4HttpChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestRequest.Method;
 
@@ -41,21 +40,11 @@ public Map<String, List<String>> getHeaders() {
 
     @Override
     public SSLEngine getSSLEngine() {
-        if (underlyingRequest == null
-            || underlyingRequest.getHttpChannel() == null
-            || !(underlyingRequest.getHttpChannel() instanceof Netty4HttpChannel)) {
+        if (underlyingRequest == null || underlyingRequest.getHttpChannel() == null) {
             return null;
         }
 
-        // We look for Ssl_handler called `ssl_http` in the outbound pipeline of Netty channel first, and if its not
-        // present we look for it in inbound channel. If its present in neither we return null, else we return the sslHandler.
-        final Netty4HttpChannel httpChannel = (Netty4HttpChannel) underlyingRequest.getHttpChannel();
-        SslHandler sslhandler = (SslHandler) httpChannel.getNettyChannel().pipeline().get("ssl_http");
-        if (sslhandler == null && httpChannel.inboundPipeline() != null) {
-            sslhandler = (SslHandler) httpChannel.inboundPipeline().get("ssl_http");
-        }
-
-        return sslhandler != null ? sslhandler.engine() : null;
+        return underlyingRequest.getHttpChannel().get("ssl_http", SslHandler.class).map(SslHandler::engine).orElse(null);
     }
 
     @Override
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
index 39312e29ad..078c822357 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
@@ -36,13 +36,9 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.TaskTransportChannel;
-import org.opensearch.transport.TcpChannel;
-import org.opensearch.transport.TcpTransportChannel;
 import org.opensearch.transport.TransportChannel;
 import org.opensearch.transport.TransportRequest;
 import org.opensearch.transport.TransportRequestHandler;
-import org.opensearch.transport.netty4.Netty4TcpChannel;
 
 import io.netty.handler.ssl.SslHandler;
 
@@ -111,21 +107,7 @@ public final void messageReceived(T request, TransportChannel channel, Task task
         }
 
         try {
-
-            Netty4TcpChannel nettyChannel = null;
-
-            if (channel instanceof TaskTransportChannel) {
-                final TransportChannel inner = ((TaskTransportChannel) channel).getChannel();
-                nettyChannel = (Netty4TcpChannel) ((TcpTransportChannel) inner).getChannel();
-            } else if (channel instanceof TcpTransportChannel) {
-                final TcpChannel inner = ((TcpTransportChannel) channel).getChannel();
-                nettyChannel = (Netty4TcpChannel) inner;
-            } else {
-                throw new Exception("Invalid channel of type " + channel.getClass() + " (" + channel.getChannelType() + ")");
-            }
-
-            final SslHandler sslhandler = (SslHandler) nettyChannel.getNettyChannel().pipeline().get("ssl_server");
-
+            final SslHandler sslhandler = channel.get("ssl_server", SslHandler.class).orElse(null);
             if (sslhandler == null) {
                 if (SSLConfig.isDualModeEnabled()) {
                     log.info("Communication in dual mode. Skipping SSL handler check");

From 03fd79fe910e209cd092c92ad3a2507b8cc20d07 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Fri, 5 Jan 2024 15:00:26 -0500
Subject: [PATCH 014/143] Add additional ignore_headers audit configuration
 setting (#3885)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Craig Perkins <craig5008@gmail.com>
---
 .../test/framework/AuditFilters.java          |  9 +++++
 .../security/OpenSearchSecurityPlugin.java    | 11 +++++-
 .../security/auditlog/config/AuditConfig.java | 38 +++++++++++++++++--
 .../auditlog/impl/AbstractAuditLog.java       |  5 ---
 .../security/auditlog/impl/AuditMessage.java  |  9 +++--
 .../security/support/ConfigConstants.java     |  1 +
 .../config/AuditConfigFilterTest.java         |  4 ++
 .../config/AuditConfigSerializeTest.java      |  7 ++++
 .../auditlog/impl/AuditMessageTest.java       | 24 +++++++++---
 .../dlic/rest/api/AuditApiActionTest.java     |  2 +-
 10 files changed, 92 insertions(+), 18 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
index f984becefa..087342eb6f 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
@@ -34,6 +34,8 @@ public class AuditFilters implements ToXContentObject {
 
     private List<String> ignoreRequests;
 
+    private List<String> ignoreHeaders;
+
     private List<String> disabledRestCategories;
 
     private List<String> disabledTransportCategories;
@@ -49,6 +51,7 @@ public AuditFilters() {
 
         this.ignoreUsers = Collections.emptyList();
         this.ignoreRequests = Collections.emptyList();
+        this.ignoreHeaders = Collections.emptyList();
         this.disabledRestCategories = Collections.emptyList();
         this.disabledTransportCategories = Collections.emptyList();
     }
@@ -93,6 +96,11 @@ public AuditFilters ignoreRequests(List<String> ignoreRequests) {
         return this;
     }
 
+    public AuditFilters ignoreHeaders(List<String> ignoreHeaders) {
+        this.ignoreHeaders = ignoreHeaders;
+        return this;
+    }
+
     public AuditFilters disabledRestCategories(List<String> disabledRestCategories) {
         this.disabledRestCategories = disabledRestCategories;
         return this;
@@ -114,6 +122,7 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
         xContentBuilder.field("exclude_sensitive_headers", excludeSensitiveHeaders);
         xContentBuilder.field("ignore_users", ignoreUsers);
         xContentBuilder.field("ignore_requests", ignoreRequests);
+        xContentBuilder.field("ignore_headers", ignoreHeaders);
         xContentBuilder.field("disabled_rest_categories", disabledRestCategories);
         xContentBuilder.field("disabled_transport_categories", disabledTransportCategories);
         xContentBuilder.endObject();
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 3c04816c32..b0263e06d4 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1352,7 +1352,7 @@ public List<Setting<?>> getSettings() {
                     Function.identity(),
                     Property.NodeScope
                 )
-            ); // not filtered here
+            );
             settings.add(
                 Setting.listSetting(
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS,
@@ -1361,6 +1361,14 @@ public List<Setting<?>> getSettings() {
                     Property.NodeScope
                 )
             ); // not filtered here
+            settings.add(
+                Setting.listSetting(
+                    ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
+                    Collections.emptyList(),
+                    Function.identity(),
+                    Property.NodeScope
+                )
+            );
             settings.add(
                 Setting.boolSetting(
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS,
@@ -1393,6 +1401,7 @@ public List<Setting<?>> getSettings() {
                             Property.NodeScope
                         );
                     case IGNORE_REQUESTS:
+                    case IGNORE_HEADERS:
                         return Setting.listSetting(
                             filterEntry.getKeyWithNamespace(),
                             Collections.emptyList(),
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 2cffd93dfa..7b173099b5 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -62,7 +62,8 @@
  *     "ignore_users" : [
  *       "kibanaserver"
  *     ],
- *     "ignore_requests" : [ ]
+ *     "ignore_requests" : [ ],
+ *     "ignore_headers" : [ ],
  *   },
  *   "compliance" : {
  *     "enabled": true,
@@ -82,6 +83,7 @@
 public class AuditConfig {
 
     public static final List<String> DEFAULT_IGNORED_USERS = Collections.singletonList("kibanaserver");
+
     private static Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class);
 
     private AuditConfig() {
@@ -138,8 +140,11 @@ public static class Filter {
         private final Set<String> ignoredAuditUsers;
         @JsonProperty("ignore_requests")
         private final Set<String> ignoredAuditRequests;
+        @JsonProperty("ignore_headers")
+        private final Set<String> ignoredCustomHeaders;
         private final WildcardMatcher ignoredAuditUsersMatcher;
         private final WildcardMatcher ignoredAuditRequestsMatcher;
+        private final WildcardMatcher ignoredCustomHeadersMatcher;
         private final Set<AuditCategory> disabledRestCategories;
         private final Set<AuditCategory> disabledTransportCategories;
 
@@ -153,6 +158,7 @@ public static class Filter {
             final boolean excludeSensitiveHeaders,
             final Set<String> ignoredAuditUsers,
             final Set<String> ignoredAuditRequests,
+            final Set<String> ignoredCustomHeaders,
             final Set<AuditCategory> disabledRestCategories,
             final Set<AuditCategory> disabledTransportCategories
         ) {
@@ -166,6 +172,8 @@ public static class Filter {
             this.ignoredAuditUsersMatcher = WildcardMatcher.from(ignoredAuditUsers);
             this.ignoredAuditRequests = ignoredAuditRequests;
             this.ignoredAuditRequestsMatcher = WildcardMatcher.from(ignoredAuditRequests);
+            this.ignoredCustomHeaders = ignoredCustomHeaders;
+            this.ignoredCustomHeadersMatcher = WildcardMatcher.from(ignoredCustomHeaders);
             this.disabledRestCategories = disabledRestCategories;
             this.disabledTransportCategories = disabledTransportCategories;
         }
@@ -183,7 +191,8 @@ public enum FilterEntries {
                 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES
             ),
             IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS),
-            IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS);
+            IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS),
+            IGNORE_HEADERS("ignore_headers", ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS);
 
             private final String key;
             private final String legacyKeyWithNamespace;
@@ -246,6 +255,9 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
             final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );
+            final Set<String> ignoreHeaders = ImmutableSet.copyOf(
+                getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())
+            );
 
             return new Filter(
                 isRestApiAuditEnabled,
@@ -256,6 +268,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
+                ignoreHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -290,7 +303,7 @@ public static Filter from(Settings settings) {
             );
             final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS);
             final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList());
-
+            final Set<String> ignoreHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList());
             return new Filter(
                 isRestApiAuditEnabled,
                 isTransportAuditEnabled,
@@ -300,6 +313,7 @@ public static Filter from(Settings settings) {
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
+                ignoreHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -403,6 +417,21 @@ WildcardMatcher getIgnoredAuditRequestsMatcher() {
             return ignoredAuditRequestsMatcher;
         }
 
+        @VisibleForTesting
+        WildcardMatcher getIgnoredCustomHeadersMatcher() {
+            return ignoredCustomHeadersMatcher;
+        }
+
+        /**
+         * Check if the specified header is excluded from the audit
+         *
+         * @param header
+         * @return true if header should be excluded
+         */
+        public boolean shouldExcludeHeader(String header) {
+            return ignoredCustomHeadersMatcher.test(header);
+        }
+
         /**
          * Check if request is excluded from audit
          * @param action
@@ -440,6 +469,7 @@ public void log(Logger logger) {
             logger.info("Index resolution is {} during request auditing.", resolveIndices ? "enabled" : "disabled");
             logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled");
             logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher);
+            logger.info("Auditing request headers {} is disabled.", ignoredCustomHeadersMatcher);
         }
 
         @Override
@@ -465,6 +495,8 @@ public String toString() {
                 + ignoredAuditUsersMatcher
                 + ", ignoreAuditRequests="
                 + ignoredAuditRequestsMatcher
+                + ", ignoredCustomHeaders="
+                + ignoredCustomHeadersMatcher
                 + '}';
         }
     }
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
index d97adc358b..e5f314cd29 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
@@ -927,11 +927,6 @@ boolean checkRestFilter(final AuditCategory category, final String effectiveUser
             }
             return false;
         }
-
-        // check rest audit enabled
-        // check category enabled
-        // check action
-        // check ignoreAuditUsers
     }
 
     protected abstract void save(final AuditMessage msg);
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 8b24a554d1..b57becc359 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -356,12 +356,15 @@ public void addRestParams(Map<String, String> params) {
         }
     }
 
-    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders) {
+    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, AuditConfig.Filter filter) {
         if (headers != null && !headers.isEmpty()) {
             final Map<String, List<String>> headersClone = new HashMap<>(headers);
             if (excludeSensitiveHeaders) {
                 headersClone.keySet().removeIf(AUTHORIZATION_HEADER);
             }
+            if (filter != null) {
+                headersClone.entrySet().removeIf(entry -> filter.shouldExcludeHeader(entry.getKey()));
+            }
             auditInfo.put(REST_REQUEST_HEADERS, headersClone);
         }
     }
@@ -376,14 +379,14 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
         if (request != null) {
             final String path = request.path().toString();
             addPath(path);
-            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders());
+            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter);
             addRestParams(request.params());
             addRestMethod(request.method());
 
             if (filter.shouldLogRequestBody()) {
 
                 if (!(request instanceof OpenSearchRequest)) {
-                    // The request body is only avaliable on some request sources
+                    // The request body is only available on some request sources
                     return;
                 }
 
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index f10dedade3..d4383c05de 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -165,6 +165,7 @@ public class ConfigConstants {
     );
     public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users";
     public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests";
+    public static final String SECURITY_AUDIT_IGNORE_HEADERS = "plugins.security.audit.ignore_headers";
     public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests";
     public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true;
     public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false;
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
index e40e65549f..a28d940862 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
@@ -57,6 +57,7 @@ public void testDefault() {
         assertTrue(auditConfigFilter.shouldExcludeSensitiveHeaders());
         assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredAuditRequestsMatcher());
         assertEquals(defaultIgnoredUserMatcher, auditConfigFilter.getIgnoredAuditUsersMatcher());
+        assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredCustomHeadersMatcher());
         assertEquals(auditConfigFilter.getDisabledRestCategories(), defaultDisabledCategories);
         assertEquals(auditConfigFilter.getDisabledTransportCategories(), defaultDisabledCategories);
     }
@@ -73,6 +74,7 @@ public void testConfig() {
             .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false)
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request")
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user")
+            .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header")
             .putList(
                 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
                 BAD_HEADERS.toString(),
@@ -95,6 +97,7 @@ public void testConfig() {
         assertFalse(auditConfigFilter.shouldExcludeSensitiveHeaders());
         assertEquals(WildcardMatcher.from(Collections.singleton("test-user")), auditConfigFilter.getIgnoredAuditUsersMatcher());
         assertEquals(WildcardMatcher.from(Collections.singleton("test-request")), auditConfigFilter.getIgnoredAuditRequestsMatcher());
+        assertEquals(WildcardMatcher.from(Collections.singleton("test-header")), auditConfigFilter.getIgnoredCustomHeadersMatcher());
         assertEquals(auditConfigFilter.getDisabledRestCategories(), EnumSet.of(BAD_HEADERS, SSL_EXCEPTION));
         assertEquals(auditConfigFilter.getDisabledTransportCategories(), EnumSet.of(FAILED_LOGIN, MISSING_PRIVILEGES));
     }
@@ -121,6 +124,7 @@ public void testEmpty() {
         final Settings settings = Settings.builder()
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())
+            .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList())
             .build();
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 0b50c2ac20..b0b93afc54 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -72,6 +72,7 @@ public void testDefaultSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
+            .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -107,6 +108,7 @@ public void testDefaultDeserialize() throws IOException {
         assertTrue(audit.shouldExcludeSensitiveHeaders());
         assertSame(WildcardMatcher.NONE, audit.getIgnoredAuditRequestsMatcher());
         assertEquals(DEFAULT_IGNORED_USER, audit.getIgnoredAuditUsersMatcher());
+        assertEquals(WildcardMatcher.NONE, audit.getIgnoredCustomHeadersMatcher());
         assertFalse(compliance.shouldLogExternalConfig());
         assertFalse(compliance.shouldLogInternalConfig());
         assertFalse(compliance.shouldLogReadMetadataOnly());
@@ -133,6 +135,7 @@ public void testDeserialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("test-user-1"))
             .field("ignore_requests", Collections.singletonList("test-request"))
+            .field("ignore_headers", Collections.singletonList("test-headers"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -196,6 +199,7 @@ public void testSerialize() throws IOException {
             true,
             ImmutableSet.of("ignore-user-1", "ignore-user-2"),
             ImmutableSet.of("ignore-request-1"),
+            ImmutableSet.of("test-header"),
             EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES),
             EnumSet.of(AUTHENTICATED)
         );
@@ -227,6 +231,7 @@ public void testSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2"))
             .field("ignore_requests", Collections.singletonList("ignore-request-1"))
+            .field("ignore_headers", Collections.singletonList("test-header"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -269,6 +274,7 @@ public void testNullSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
+            .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -287,6 +293,7 @@ public void testNullSerialize() throws IOException {
         // act
         final String json = objectMapper.writeValueAsString(auditConfig);
         // assert
+
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index d915c02e55..3b7fc916ef 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -28,6 +28,7 @@
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.auditlog.config.AuditConfig;
 import org.opensearch.security.securityconf.impl.CType;
 
 import static org.junit.Assert.assertEquals;
@@ -60,32 +61,45 @@ public class AuditMessageTest {
     );
 
     private AuditMessage message;
+    private AuditConfig auditConfig;
 
     @Before
     public void setUp() {
         final ClusterService clusterServiceMock = mock(ClusterService.class);
         when(clusterServiceMock.localNode()).thenReturn(mock(DiscoveryNode.class));
         when(clusterServiceMock.getClusterName()).thenReturn(mock(ClusterName.class));
+        auditConfig = mock(AuditConfig.class);
+        final AuditConfig.Filter auditFilter = mock(AuditConfig.Filter.class);
+        when(auditConfig.getFilter()).thenReturn(auditFilter);
         message = new AuditMessage(AuditCategory.AUTHENTICATED, clusterServiceMock, AuditLog.Origin.REST, AuditLog.Origin.REST);
     }
 
     @Test
-    public void testRestHeadersAreFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, true);
+    public void testAuthorizationRestHeadersAreFiltered() {
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
+        message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4")));
     }
 
+    @Test
+    public void testCustomRestHeadersAreFiltered() {
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(true);
+        message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
+        assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of());
+    }
+
     @Test
     public void testRestHeadersNull() {
-        message.addRestHeaders(null, true);
+        message.addRestHeaders(null, true, null);
         assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS));
-        message.addRestHeaders(Collections.emptyMap(), true);
+        message.addRestHeaders(Collections.emptyMap(), true, null);
         assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS));
     }
 
     @Test
     public void testRestHeadersAreNotFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, false);
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
+        message.addRestHeaders(TEST_REST_HEADERS, false, null);
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS);
     }
 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index b512ae2228..b3d916e8ed 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -682,7 +682,7 @@ private String getTestPayload() {
             + "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"],"
             + "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"],"
             + "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true,"
-            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"]},"
+            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"], \"ignore_headers\":[\"\"]},"
             + "\"compliance\":{"
             + "\"enabled\":true,"
             + "\"internal_config\":true,\"external_config\":true,"

From 045d4ef8a5d9bb8470e03c1b4d7cc68847b986cb Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 5 Jan 2024 15:16:54 -0500
Subject: [PATCH 015/143] Allow TransportConfigUpdateAction when security
 config initialization has completed (#3810)

### Description

Introduces another variable on DynamicConfigFactory called
`bgThreadComplete` that behaves differently than the `initialized`
variable. `bgThreadComplete` is a flag that signals to
TransportConfigUpdateAction that it can start accepting updates.

There are 2 ways the security index can be created from scratch:

1. If `plugins.security.allow_default_init_securityindex` is set to
**true** it will create the security index and load all yaml files
2. If `plugins.security.allow_default_init_securityindex` is set to
**false**, the security index is not created on bootstrap and requires a
user to run securityadmin to initialize security. When securityadmin is
utilized, the cluster does depend on
[TransportConfigUpdateAction](https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/SecurityAdmin.java#L975-L977)
to initialize security so there still needs to be an avenue where this
can update the config before `initialized` is set to **true**

This PR sets `bgThreadComplete` to **false** on node startup and
explicitly sets it to **true** once its ok for
TransportConfigUpdateAction to start accepting transport actions. In
case 2) up above, it can be set to **true** before DynamicConfigFactory
is `initialized` so that it can accept requests from securityadmin.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Bug fix

### Issues Resolved

- Resolves https://github.com/opensearch-project/security/issues/3204

### Check List
- [X] New functionality includes testing
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
---
 .../security/ConfigurationFiles.java          |   5 +-
 .../security/SecurityAdminLauncher.java       |  18 +
 .../SecurityConfigurationBootstrapTests.java  | 159 +++++++++
 .../security/SecurityConfigurationTests.java  |   2 +-
 .../security/api/CreateResetPasswordTest.java |   2 +-
 .../http/OnBehalfOfJwtAuthenticationTest.java |   6 +-
 .../test/framework/cluster/LocalCluster.java  |  14 +-
 .../security/OpenSearchSecurityPlugin.java    |   8 +
 .../TransportConfigUpdateAction.java          |   6 +-
 .../ConfigurationRepository.java              | 320 ++++++++++--------
 .../securityconf/DynamicConfigFactory.java    |   1 -
 .../security/support/ConfigConstants.java     |   2 +
 .../InitializationIntegrationTests.java       |   6 -
 .../ConfigurationRepositoryTest.java          |   8 +-
 .../security/test/SingleClusterTest.java      |  12 -
 15 files changed, 396 insertions(+), 173 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java

diff --git a/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java b/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
index 287bc139b1..f3b7613aa1 100644
--- a/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
+++ b/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
@@ -31,12 +31,13 @@ public static Path createConfigurationDirectory() {
             String[] configurationFiles = {
                 "config.yml",
                 "action_groups.yml",
-                "config.yml",
                 "internal_users.yml",
+                "nodes_dn.yml",
                 "roles.yml",
                 "roles_mapping.yml",
                 "security_tenants.yml",
-                "tenants.yml" };
+                "tenants.yml",
+                "whitelist.yml" };
             for (String fileName : configurationFiles) {
                 Path configFileDestination = tempDirectory.resolve(fileName);
                 copyResourceToFile(fileName, configFileDestination.toFile());
diff --git a/src/integrationTest/java/org/opensearch/security/SecurityAdminLauncher.java b/src/integrationTest/java/org/opensearch/security/SecurityAdminLauncher.java
index 164b2cb714..81460d3d91 100644
--- a/src/integrationTest/java/org/opensearch/security/SecurityAdminLauncher.java
+++ b/src/integrationTest/java/org/opensearch/security/SecurityAdminLauncher.java
@@ -10,6 +10,7 @@
 package org.opensearch.security;
 
 import java.io.File;
+import java.nio.file.Path;
 
 import org.opensearch.security.tools.SecurityAdmin;
 import org.opensearch.test.framework.certificate.TestCertificates;
@@ -44,4 +45,21 @@ public int updateRoleMappings(File roleMappingsConfigurationFile) throws Excepti
 
         return SecurityAdmin.execute(commandLineArguments);
     }
+
+    public int runSecurityAdmin(Path configurationFolder) throws Exception {
+        String[] commandLineArguments = {
+            "-cacert",
+            certificates.getRootCertificate().getAbsolutePath(),
+            "-cert",
+            certificates.getAdminCertificate().getAbsolutePath(),
+            "-key",
+            certificates.getAdminKey(null).getAbsolutePath(),
+            "-nhnv",
+            "-p",
+            String.valueOf(port),
+            "-cd",
+            configurationFolder.toString() };
+
+        return SecurityAdmin.execute(commandLineArguments);
+    }
 }
diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java
new file mode 100644
index 0000000000..5b83e0d6d0
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java
@@ -0,0 +1,159 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.google.common.collect.ImmutableMap;
+import org.apache.commons.io.FileUtils;
+import org.awaitility.Awaitility;
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.action.admin.cluster.health.ClusterHealthRequest;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.ConfigHelper;
+import org.opensearch.test.framework.TestSecurityConfig.User;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.ContextHeaderDecoratorClient;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
+import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class SecurityConfigurationBootstrapTests {
+
+    private final static Path configurationFolder = ConfigurationFiles.createConfigurationDirectory();
+    private static final User USER_ADMIN = new User("admin").roles(ALL_ACCESS);
+
+    private static LocalCluster createCluster(final Map<String, Object> nodeSettings) {
+        var cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+            .loadConfigurationIntoIndex(false)
+            .defaultConfigurationInitDirectory(configurationFolder.toString())
+            .nodeSettings(
+                ImmutableMap.<String, Object>builder()
+                    .put(SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName()))
+                    .putAll(nodeSettings)
+                    .build()
+            )
+            .build();
+
+        cluster.before(); // normally invoked by JUnit rules when run as a class rule - this starts the cluster
+        return cluster;
+    }
+
+    @AfterClass
+    public static void cleanConfigurationDirectory() throws IOException {
+        FileUtils.deleteDirectory(configurationFolder.toFile());
+    }
+
+    @Test
+    public void testInitializeWithSecurityAdminWhenNoBackgroundInitialization() throws Exception {
+        final var nodeSettings = ImmutableMap.<String, Object>builder()
+            .put(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false)
+            .put(SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false)
+            .build();
+        try (final LocalCluster cluster = createCluster(nodeSettings)) {
+            try (final TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+                final var rolesMapsResponse = client.get("_plugins/_security/api/rolesmapping/readall");
+                assertThat(rolesMapsResponse.getStatusCode(), equalTo(SC_SERVICE_UNAVAILABLE));
+                assertThat(rolesMapsResponse.getBody(), containsString("OpenSearch Security not initialized"));
+            }
+
+            final var securityAdminLauncher = new SecurityAdminLauncher(cluster.getHttpPort(), cluster.getTestCertificates());
+            final int exitCode = securityAdminLauncher.runSecurityAdmin(configurationFolder);
+            assertThat(exitCode, equalTo(0));
+
+            try (final TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+                Awaitility.await()
+                    .alias("Waiting for rolemapping 'readall' availability.")
+                    .until(() -> client.get("_plugins/_security/api/rolesmapping/readall").getStatusCode(), equalTo(200));
+            }
+        }
+    }
+
+    @Test
+    public void shouldStillLoadSecurityConfigDuringBootstrapAndActiveConfigUpdateRequests() throws Exception {
+        final var nodeSettings = ImmutableMap.<String, Object>builder()
+            .put(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
+            .put(SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS, 5)
+            .build();
+        try (final LocalCluster cluster = createCluster(nodeSettings)) {
+            try (final TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+                cluster.getInternalNodeClient()
+                    .admin()
+                    .cluster()
+                    .health(new ClusterHealthRequest(OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX).waitForGreenStatus())
+                    .actionGet();
+
+                // Make sure the cluster is unavalaible to authenticate with the security plugin even though it is green
+                final var authResponseWhenUnconfigured = client.getAuthInfo();
+                authResponseWhenUnconfigured.assertStatusCode(503);
+
+                final var internalNodeClient = new ContextHeaderDecoratorClient(
+                    cluster.getInternalNodeClient(),
+                    Map.of(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true")
+                );
+                final var filesToUpload = ImmutableMap.<String, CType>builder()
+                    .put("action_groups.yml", CType.ACTIONGROUPS)
+                    .put("config.yml", CType.CONFIG)
+                    .put("roles.yml", CType.ROLES)
+                    .put("tenants.yml", CType.TENANTS)
+                    .build();
+
+                final String defaultInitDirectory = System.getProperty("security.default_init.dir") + "/";
+                filesToUpload.forEach((fileName, ctype) -> {
+                    try {
+                        ConfigHelper.uploadFile(
+                            internalNodeClient,
+                            defaultInitDirectory + fileName,
+                            OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX,
+                            ctype,
+                            DEFAULT_CONFIG_VERSION
+                        );
+                    } catch (final Exception ex) {
+                        throw new RuntimeException(ex);
+                    }
+                });
+
+                Awaitility.await().alias("Load default configuration").pollInterval(Duration.ofMillis(100)).until(() -> {
+                    // After the configuration has been loaded, the rest clients should be able to connect successfully
+                    cluster.triggerConfigurationReloadForCTypes(
+                        internalNodeClient,
+                        List.of(CType.ACTIONGROUPS, CType.CONFIG, CType.ROLES, CType.TENANTS),
+                        true
+                    );
+                    try (final TestRestClient freshClient = cluster.getRestClient(USER_ADMIN)) {
+                        return client.getAuthInfo().getStatusCode();
+                    }
+                }, equalTo(200));
+            }
+        }
+    }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
index 76ea02494e..6b04737d18 100644
--- a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
@@ -70,7 +70,7 @@ public class SecurityConfigurationTests {
                 SECURITY_RESTAPI_ROLES_ENABLED,
                 List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName()),
                 SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST,
-                true
+                false
             )
         )
         .build();
diff --git a/src/integrationTest/java/org/opensearch/security/api/CreateResetPasswordTest.java b/src/integrationTest/java/org/opensearch/security/api/CreateResetPasswordTest.java
index 44f8dca20b..8a7795e90f 100644
--- a/src/integrationTest/java/org/opensearch/security/api/CreateResetPasswordTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/CreateResetPasswordTest.java
@@ -63,7 +63,7 @@ public class CreateResetPasswordTest {
                 SECURITY_RESTAPI_ROLES_ENABLED,
                 List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName()),
                 SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST,
-                true,
+                false,
                 ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX,
                 CUSTOM_PASSWORD_REGEX,
                 ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
diff --git a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
index 78af7ffc05..7210c53ad4 100644
--- a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
@@ -48,7 +48,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
-import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
@@ -128,8 +128,8 @@ private static OnBehalfOfConfig defaultOnBehalfOfConfig() {
         .users(ADMIN_USER, OBO_USER, OBO_USER_NO_PERM, HOST_MAPPING_OBO_USER)
         .nodeSettings(
             Map.of(
-                SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX,
-                true,
+                SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST,
+                false,
                 SECURITY_RESTAPI_ROLES_ENABLED,
                 ADMIN_USER.getRoleNames(),
                 SECURITY_RESTAPI_ADMIN_ENABLED,
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
index 64207ead5b..217ce99a81 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
@@ -133,7 +133,7 @@ public String getSnapshotDirPath() {
     }
 
     @Override
-    public void before() throws Throwable {
+    public void before() {
         if (localOpenSearchCluster == null) {
             for (LocalCluster dependency : clusterDependencies) {
                 if (!dependency.isStarted()) {
@@ -155,12 +155,12 @@ public void before() throws Throwable {
 
     @Override
     protected void after() {
-        System.clearProperty(INIT_CONFIGURATION_DIR);
         close();
     }
 
     @Override
     public void close() {
+        System.clearProperty(INIT_CONFIGURATION_DIR);
         if (localOpenSearchCluster != null && localOpenSearchCluster.isStarted()) {
             try {
                 localOpenSearchCluster.destroy();
@@ -297,6 +297,16 @@ private static void triggerConfigurationReload(Client client) {
         }
     }
 
+    public void triggerConfigurationReloadForCTypes(Client client, List<CType> cTypes, boolean ignoreFailures) {
+        ConfigUpdateResponse configUpdateResponse = client.execute(
+            ConfigUpdateAction.INSTANCE,
+            new ConfigUpdateRequest(cTypes.stream().map(CType::toLCString).toArray(String[]::new))
+        ).actionGet();
+        if (!ignoreFailures && configUpdateResponse.hasFailures()) {
+            throw new RuntimeException("ConfigUpdateResponse produced failures: " + configUpdateResponse.failures());
+        }
+    }
+
     public CertificateData getAdminCertificate() {
         return testCertificates.getAdminCertificateData();
     }
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index b0263e06d4..569380582b 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1793,6 +1793,14 @@ public List<Setting<?>> getSettings() {
                     Property.Filtered
                 )
             );
+            settings.add(
+                Setting.intSetting(
+                    ConfigConstants.SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS,
+                    0,
+                    Property.NodeScope,
+                    Property.Filtered
+                )
+            );
 
             // system integration
             settings.add(
diff --git a/src/main/java/org/opensearch/security/action/configupdate/TransportConfigUpdateAction.java b/src/main/java/org/opensearch/security/action/configupdate/TransportConfigUpdateAction.java
index 64149a7c97..6f1f99a434 100644
--- a/src/main/java/org/opensearch/security/action/configupdate/TransportConfigUpdateAction.java
+++ b/src/main/java/org/opensearch/security/action/configupdate/TransportConfigUpdateAction.java
@@ -125,8 +125,10 @@ protected ConfigUpdateResponse newResponse(
 
     @Override
     protected ConfigUpdateNodeResponse nodeOperation(final NodeConfigUpdateRequest request) {
-        configurationRepository.reloadConfiguration(CType.fromStringValues((request.request.getConfigTypes())));
-        backendRegistry.get().invalidateCache();
+        boolean didReload = configurationRepository.reloadConfiguration(CType.fromStringValues((request.request.getConfigTypes())));
+        if (didReload) {
+            backendRegistry.get().invalidateCache();
+        }
         return new ConfigUpdateNodeResponse(clusterService.localNode(), request.request.getConfigTypes(), null);
     }
 
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
index e7f375bef4..dfbeb16cb3 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
@@ -28,6 +28,8 @@
 
 import java.io.File;
 import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -37,10 +39,11 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
+import java.util.function.Supplier;
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
@@ -86,13 +89,13 @@ public class ConfigurationRepository {
     private final List<ConfigurationChangeListener> configurationChangedListener;
     private final ConfigurationLoaderSecurity7 cl;
     private final Settings settings;
+    private final Path configPath;
     private final ClusterService clusterService;
     private final AuditLog auditLog;
     private final ThreadPool threadPool;
     private DynamicConfigFactory dynamicConfigFactory;
-    private static final int DEFAULT_CONFIG_VERSION = 2;
-    private final Thread bgThread;
-    private final AtomicBoolean installDefaultConfig = new AtomicBoolean();
+    public static final int DEFAULT_CONFIG_VERSION = 2;
+    private final CompletableFuture<Void> initalizeConfigTask = new CompletableFuture<>();
     private final boolean acceptInvalid;
 
     private ConfigurationRepository(
@@ -108,6 +111,7 @@ private ConfigurationRepository(
             ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX
         );
         this.settings = settings;
+        this.configPath = configPath;
         this.client = client;
         this.threadPool = threadPool;
         this.clusterService = clusterService;
@@ -117,148 +121,150 @@ private ConfigurationRepository(
         cl = new ConfigurationLoaderSecurity7(client, threadPool, settings, clusterService);
 
         configCache = CacheBuilder.newBuilder().build();
+    }
 
-        bgThread = new Thread(() -> {
-            try {
-                LOGGER.info("Background init thread started. Install default config?: " + installDefaultConfig.get());
-                // wait for the cluster here until it will finish managed node election
-                while (clusterService.state().blocks().hasGlobalBlockWithStatus(RestStatus.SERVICE_UNAVAILABLE)) {
-                    LOGGER.info("Wait for cluster to be available ...");
-                    TimeUnit.SECONDS.sleep(1);
-                }
+    private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
+        try {
+            LOGGER.info("Background init thread started. Install default config?: " + installDefaultConfig);
+            // wait for the cluster here until it will finish managed node election
+            while (clusterService.state().blocks().hasGlobalBlockWithStatus(RestStatus.SERVICE_UNAVAILABLE)) {
+                LOGGER.info("Wait for cluster to be available ...");
+                TimeUnit.SECONDS.sleep(1);
+            }
 
-                if (installDefaultConfig.get()) {
+            if (installDefaultConfig) {
 
-                    try {
-                        String lookupDir = System.getProperty("security.default_init.dir");
-                        final String cd = lookupDir != null
-                            ? (lookupDir + "/")
-                            : new Environment(settings, configPath).configDir().toAbsolutePath().toString() + "/opensearch-security/";
-                        File confFile = new File(cd + "config.yml");
-                        if (confFile.exists()) {
-                            final ThreadContext threadContext = threadPool.getThreadContext();
-                            try (StoredContext ctx = threadContext.stashContext()) {
-                                threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
-
-                                createSecurityIndexIfAbsent();
-                                waitForSecurityIndexToBeAtLeastYellow();
-
-                                ConfigHelper.uploadFile(client, cd + "config.yml", securityIndex, CType.CONFIG, DEFAULT_CONFIG_VERSION);
-                                ConfigHelper.uploadFile(client, cd + "roles.yml", securityIndex, CType.ROLES, DEFAULT_CONFIG_VERSION);
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "roles_mapping.yml",
-                                    securityIndex,
-                                    CType.ROLESMAPPING,
-                                    DEFAULT_CONFIG_VERSION
-                                );
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "internal_users.yml",
-                                    securityIndex,
-                                    CType.INTERNALUSERS,
-                                    DEFAULT_CONFIG_VERSION
-                                );
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "action_groups.yml",
-                                    securityIndex,
-                                    CType.ACTIONGROUPS,
-                                    DEFAULT_CONFIG_VERSION
-                                );
-                                if (DEFAULT_CONFIG_VERSION == 2) {
-                                    ConfigHelper.uploadFile(
-                                        client,
-                                        cd + "tenants.yml",
-                                        securityIndex,
-                                        CType.TENANTS,
-                                        DEFAULT_CONFIG_VERSION
-                                    );
-                                }
-                                final boolean populateEmptyIfFileMissing = true;
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "nodes_dn.yml",
-                                    securityIndex,
-                                    CType.NODESDN,
-                                    DEFAULT_CONFIG_VERSION,
-                                    populateEmptyIfFileMissing
-                                );
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "whitelist.yml",
-                                    securityIndex,
-                                    CType.WHITELIST,
-                                    DEFAULT_CONFIG_VERSION,
-                                    populateEmptyIfFileMissing
-                                );
-                                ConfigHelper.uploadFile(
-                                    client,
-                                    cd + "allowlist.yml",
-                                    securityIndex,
-                                    CType.ALLOWLIST,
-                                    DEFAULT_CONFIG_VERSION,
-                                    populateEmptyIfFileMissing
-                                );
-
-                                // audit.yml is not packaged by default
-                                final String auditConfigPath = cd + "audit.yml";
-                                if (new File(auditConfigPath).exists()) {
-                                    ConfigHelper.uploadFile(client, auditConfigPath, securityIndex, CType.AUDIT, DEFAULT_CONFIG_VERSION);
-                                }
+                try {
+                    String lookupDir = System.getProperty("security.default_init.dir");
+                    final String cd = lookupDir != null
+                        ? (lookupDir + "/")
+                        : new Environment(settings, configPath).configDir().toAbsolutePath().toString() + "/opensearch-security/";
+                    File confFile = new File(cd + "config.yml");
+                    if (confFile.exists()) {
+                        final ThreadContext threadContext = threadPool.getThreadContext();
+                        try (StoredContext ctx = threadContext.stashContext()) {
+                            threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
+
+                            createSecurityIndexIfAbsent();
+                            waitForSecurityIndexToBeAtLeastYellow();
+
+                            final int initializationDelaySeconds = settings.getAsInt(
+                                ConfigConstants.SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS,
+                                0
+                            );
+                            if (initializationDelaySeconds > 0) {
+                                LOGGER.error("Test setting loaded to delay initialization for {} seconds", initializationDelaySeconds);
+                                TimeUnit.SECONDS.sleep(initializationDelaySeconds);
+                            }
+
+                            ConfigHelper.uploadFile(client, cd + "config.yml", securityIndex, CType.CONFIG, DEFAULT_CONFIG_VERSION);
+                            ConfigHelper.uploadFile(client, cd + "roles.yml", securityIndex, CType.ROLES, DEFAULT_CONFIG_VERSION);
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "roles_mapping.yml",
+                                securityIndex,
+                                CType.ROLESMAPPING,
+                                DEFAULT_CONFIG_VERSION
+                            );
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "internal_users.yml",
+                                securityIndex,
+                                CType.INTERNALUSERS,
+                                DEFAULT_CONFIG_VERSION
+                            );
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "action_groups.yml",
+                                securityIndex,
+                                CType.ACTIONGROUPS,
+                                DEFAULT_CONFIG_VERSION
+                            );
+                            if (DEFAULT_CONFIG_VERSION == 2) {
+                                ConfigHelper.uploadFile(client, cd + "tenants.yml", securityIndex, CType.TENANTS, DEFAULT_CONFIG_VERSION);
+                            }
+                            final boolean populateEmptyIfFileMissing = true;
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "nodes_dn.yml",
+                                securityIndex,
+                                CType.NODESDN,
+                                DEFAULT_CONFIG_VERSION,
+                                populateEmptyIfFileMissing
+                            );
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "whitelist.yml",
+                                securityIndex,
+                                CType.WHITELIST,
+                                DEFAULT_CONFIG_VERSION,
+                                populateEmptyIfFileMissing
+                            );
+                            ConfigHelper.uploadFile(
+                                client,
+                                cd + "allowlist.yml",
+                                securityIndex,
+                                CType.ALLOWLIST,
+                                DEFAULT_CONFIG_VERSION,
+                                populateEmptyIfFileMissing
+                            );
+
+                            // audit.yml is not packaged by default
+                            final String auditConfigPath = cd + "audit.yml";
+                            if (new File(auditConfigPath).exists()) {
+                                ConfigHelper.uploadFile(client, auditConfigPath, securityIndex, CType.AUDIT, DEFAULT_CONFIG_VERSION);
                             }
-                        } else {
-                            LOGGER.error("{} does not exist", confFile.getAbsolutePath());
                         }
-                    } catch (Exception e) {
-                        LOGGER.error("Cannot apply default config (this is maybe not an error!)", e);
+                    } else {
+                        LOGGER.error("{} does not exist", confFile.getAbsolutePath());
                     }
+                } catch (Exception e) {
+                    LOGGER.error("Cannot apply default config (this is maybe not an error!)", e);
                 }
+            }
 
-                while (!dynamicConfigFactory.isInitialized()) {
+            while (!dynamicConfigFactory.isInitialized()) {
+                try {
+                    LOGGER.debug("Try to load config ...");
+                    reloadConfiguration(Arrays.asList(CType.values()), true);
+                    break;
+                } catch (Exception e) {
+                    LOGGER.debug("Unable to load configuration due to {}", String.valueOf(ExceptionUtils.getRootCause(e)));
                     try {
-                        LOGGER.debug("Try to load config ...");
-                        reloadConfiguration(Arrays.asList(CType.values()));
+                        Thread.sleep(3000);
+                    } catch (InterruptedException e1) {
+                        Thread.currentThread().interrupt();
+                        LOGGER.debug("Thread was interrupted so we cancel initialization");
                         break;
-                    } catch (Exception e) {
-                        LOGGER.debug("Unable to load configuration due to {}", String.valueOf(ExceptionUtils.getRootCause(e)));
-                        try {
-                            Thread.sleep(3000);
-                        } catch (InterruptedException e1) {
-                            Thread.currentThread().interrupt();
-                            LOGGER.debug("Thread was interrupted so we cancel initialization");
-                            break;
-                        }
                     }
                 }
+            }
 
-                final Set<String> deprecatedAuditKeysInSettings = AuditConfig.getDeprecatedKeys(settings);
+            final Set<String> deprecatedAuditKeysInSettings = AuditConfig.getDeprecatedKeys(settings);
+            if (!deprecatedAuditKeysInSettings.isEmpty()) {
+                LOGGER.warn(
+                    "Following keys {} are deprecated in opensearch settings. They will be removed in plugin v2.0.0.0",
+                    deprecatedAuditKeysInSettings
+                );
+            }
+            final boolean isAuditConfigDocPresentInIndex = cl.isAuditConfigDocPresentInIndex();
+            if (isAuditConfigDocPresentInIndex) {
                 if (!deprecatedAuditKeysInSettings.isEmpty()) {
-                    LOGGER.warn(
-                        "Following keys {} are deprecated in opensearch settings. They will be removed in plugin v2.0.0.0",
-                        deprecatedAuditKeysInSettings
-                    );
+                    LOGGER.warn("Audit configuration settings found in both index and opensearch settings (deprecated)");
                 }
-                final boolean isAuditConfigDocPresentInIndex = cl.isAuditConfigDocPresentInIndex();
-                if (isAuditConfigDocPresentInIndex) {
-                    if (!deprecatedAuditKeysInSettings.isEmpty()) {
-                        LOGGER.warn("Audit configuration settings found in both index and opensearch settings (deprecated)");
-                    }
-                    LOGGER.info("Hot-reloading of audit configuration is enabled");
-                } else {
-                    LOGGER.info(
-                        "Hot-reloading of audit configuration is disabled. Using configuration with defaults from opensearch settings.  Populate the configuration in index using audit.yml or securityadmin to enable it."
-                    );
-                    auditLog.setConfig(AuditConfig.from(settings));
-                }
-
-                LOGGER.info("Node '{}' initialized", clusterService.localNode().getName());
-
-            } catch (Exception e) {
-                LOGGER.error("Unexpected exception while initializing node " + e, e);
+                LOGGER.info("Hot-reloading of audit configuration is enabled");
+            } else {
+                LOGGER.info(
+                    "Hot-reloading of audit configuration is disabled. Using configuration with defaults from opensearch settings.  Populate the configuration in index using audit.yml or securityadmin to enable it."
+                );
+                auditLog.setConfig(AuditConfig.from(settings));
             }
-        });
 
+            LOGGER.info("Node '{}' initialized", clusterService.localNode().getName());
+
+        } catch (Exception e) {
+            LOGGER.error("Unexpected exception while initializing node " + e, e);
+        }
     }
 
     private boolean createSecurityIndexIfAbsent() {
@@ -306,27 +312,37 @@ private void waitForSecurityIndexToBeAtLeastYellow() {
         }
     }
 
-    public void initOnNodeStart() {
+    public CompletableFuture<Boolean> initOnNodeStart() {
+        final boolean installDefaultConfig = settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false);
+
+        final Supplier<CompletableFuture<Boolean>> startInitialization = () -> {
+            new Thread(() -> {
+                initalizeClusterConfiguration(installDefaultConfig);
+                initalizeConfigTask.complete(null);
+            }).start();
+            return initalizeConfigTask.thenApply(result -> installDefaultConfig);
+        };
         try {
-            if (settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false)) {
+            if (installDefaultConfig) {
                 LOGGER.info("Will attempt to create index {} and default configs if they are absent", securityIndex);
-                installDefaultConfig.set(true);
-                bgThread.start();
+                return startInitialization.get();
             } else if (settings.getAsBoolean(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true)) {
                 LOGGER.info(
                     "Will not attempt to create index {} and default configs if they are absent. Use securityadmin to initialize cluster",
                     securityIndex
                 );
-                bgThread.start();
+                return startInitialization.get();
             } else {
                 LOGGER.info(
                     "Will not attempt to create index {} and default configs if they are absent. Will not perform background initialization",
                     securityIndex
                 );
+                initalizeConfigTask.complete(null);
+                return initalizeConfigTask.thenApply(result -> installDefaultConfig);
             }
         } catch (Throwable e2) {
             LOGGER.error("Error during node initialization: {}", e2, e2);
-            bgThread.start();
+            return startInitialization.get();
         }
     }
 
@@ -372,16 +388,26 @@ public SecurityDynamicConfiguration<?> getConfiguration(CType configurationType)
 
     private final Lock LOCK = new ReentrantLock();
 
-    public void reloadConfiguration(Collection<CType> configTypes) throws ConfigUpdateAlreadyInProgressException {
+    public boolean reloadConfiguration(final Collection<CType> configTypes) throws ConfigUpdateAlreadyInProgressException {
+        return reloadConfiguration(configTypes, false);
+    }
+
+    private boolean reloadConfiguration(final Collection<CType> configTypes, final boolean fromBackgroundThread)
+        throws ConfigUpdateAlreadyInProgressException {
+        if (!fromBackgroundThread && !initalizeConfigTask.isDone()) {
+            LOGGER.warn("Unable to reload configuration, initalization thread has not yet completed.");
+            return false;
+        }
         try {
             if (LOCK.tryLock(60, TimeUnit.SECONDS)) {
                 try {
                     reloadConfiguration0(configTypes, this.acceptInvalid);
+                    return true;
                 } finally {
                     LOCK.unlock();
                 }
             } else {
-                throw new ConfigUpdateAlreadyInProgressException("A config update is already imn progress");
+                throw new ConfigUpdateAlreadyInProgressException("A config update is already in progress");
             }
         } catch (InterruptedException e) {
             Thread.currentThread().interrupt();
@@ -489,7 +515,23 @@ public static int getDefaultConfigVersion() {
         return ConfigurationRepository.DEFAULT_CONFIG_VERSION;
     }
 
-    public AtomicBoolean getInstallDefaultConfig() {
-        return installDefaultConfig;
+    private class AccessControllerWrappedThread extends Thread {
+        private final Thread innerThread;
+
+        public AccessControllerWrappedThread(Thread innerThread) {
+            this.innerThread = innerThread;
+        }
+
+        @Override
+        public void run() {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+
+                @Override
+                public Void run() {
+                    innerThread.run();
+                    return null;
+                }
+            });
+        }
     }
 }
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
index ed61481885..f046b4c114 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
@@ -315,7 +315,6 @@ public void onChange(Map<CType, SecurityDynamicConfiguration<?>> typeToConfig) {
         }
 
         initialized.set(true);
-
     }
 
     private static ConfigV6 getConfigV6(SecurityDynamicConfiguration<?> sdc) {
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index d4383c05de..3060e1b2dc 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -281,6 +281,8 @@ public enum RolesMappingResolution {
     // Illegal Opcodes from here on
     public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY =
         "plugins.security.unsupported.disable_rest_auth_initially";
+    public static final String SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS =
+        "plugins.security.unsupported.delay_initialization_seconds";
     public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY =
         "plugins.security.unsupported.disable_intertransport_auth_initially";
     public static final String SECURITY_UNSUPPORTED_PASSIVE_INTERTRANSPORT_AUTH_INITIALLY =
diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
index 79ab0c020b..7545822620 100644
--- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
@@ -302,12 +302,6 @@ public void testInvalidDefaultConfig() throws Exception {
                 HttpStatus.SC_SERVICE_UNAVAILABLE,
                 rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode()
             );
-
-            ClusterHelper.updateDefaultDirectory(defaultInitDirectory);
-            restart(Settings.EMPTY, null, settings, false);
-            rh = nonSslRestHelper();
-            Thread.sleep(10000);
-            Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("admin", "admin")).getStatusCode());
         } finally {
             ClusterHelper.resetSystemProperties();
         }
diff --git a/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java b/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
index c8f41433e0..5ce1873405 100644
--- a/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
+++ b/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
@@ -81,9 +81,9 @@ public void initOnNodeStart_withSecurityIndexCreationEnabledShouldSetInstallDefa
 
         ConfigurationRepository configRepository = createConfigurationRepository(settings);
 
-        configRepository.initOnNodeStart();
+        final var result = configRepository.initOnNodeStart();
 
-        assertThat(configRepository.getInstallDefaultConfig().get(), is(true));
+        assertThat(result.join(), is(true));
     }
 
     @Test
@@ -92,9 +92,9 @@ public void initOnNodeStart_withSecurityIndexNotCreatedShouldNotSetInstallDefaul
 
         ConfigurationRepository configRepository = createConfigurationRepository(settings);
 
-        configRepository.initOnNodeStart();
+        final var result = configRepository.initOnNodeStart();
 
-        assertThat(configRepository.getInstallDefaultConfig().get(), is(false));
+        assertThat(result.join(), is(false));
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/test/SingleClusterTest.java b/src/test/java/org/opensearch/security/test/SingleClusterTest.java
index 2839e1e283..cdde57a5c0 100644
--- a/src/test/java/org/opensearch/security/test/SingleClusterTest.java
+++ b/src/test/java/org/opensearch/security/test/SingleClusterTest.java
@@ -83,18 +83,6 @@ protected void setup(
         setup(initTransportClientSettings, dynamicSecuritySettings, nodeOverride, initSecurityIndex, ClusterConfiguration.DEFAULT);
     }
 
-    protected void restart(
-        Settings initTransportClientSettings,
-        DynamicSecurityConfig dynamicSecuritySettings,
-        Settings nodeOverride,
-        boolean initOpendistroSecurityIndex
-    ) throws Exception {
-        clusterInfo = clusterHelper.startCluster(minimumSecuritySettings(ccs(nodeOverride)), ClusterConfiguration.DEFAULT);
-        if (initOpendistroSecurityIndex && dynamicSecuritySettings != null) {
-            initialize(clusterHelper, clusterInfo, dynamicSecuritySettings);
-        }
-    }
-
     private Settings ccs(Settings nodeOverride) throws Exception {
         if (remoteClusterHelper != null) {
             Assert.assertNull("No remote clusters", remoteClusterInfo);

From df3465aec7c795773aa4dfe7c65084d9a2d82a36 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jan 2024 13:46:34 +0000
Subject: [PATCH 016/143] Bump com.google.errorprone:error_prone_annotations
 from 2.24.0 to 2.24.1 (#3929)

Bumps
[com.google.errorprone:error_prone_annotations](https://github.com/google/error-prone)
from 2.24.0 to 2.24.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/error-prone/releases">com.google.errorprone:error_prone_annotations's
releases</a>.</em></p>
<blockquote>
<h2>Error Prone 2.24.1</h2>
<p>Changes:</p>
<ul>
<li>Add an assertion to try to help debug <a
href="https://redirect.github.com/google/error-prone/issues/4225">google/error-prone#4225</a></li>
</ul>
<p>Full Changelog: <a
href="https://github.com/google/error-prone/compare/v2.24.0...v2.24.1">https://github.com/google/error-prone/compare/v2.24.0...v2.24.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/error-prone/commit/ecf7e103b265b3f51ce8e317fe9ddf4e9477c98e"><code>ecf7e10</code></a>
Release Error Prone 2.24.1</li>
<li><a
href="https://github.com/google/error-prone/commit/2bd7859957ebf205f1c73f9d38d9f85338b80773"><code>2bd7859</code></a>
Add an assertion to try to help debug <a
href="https://github.com/google/error-prone/i">https://github.com/google/error-prone/i</a>...</li>
<li><a
href="https://github.com/google/error-prone/commit/58a9e8082b2344f8fb2c3814112b46104708bbab"><code>58a9e80</code></a>
Update a few checks (and a class of tests, with AbstractToString) to
handle #...</li>
<li><a
href="https://github.com/google/error-prone/commit/fd21bc9e4e9737b86fdd792bf5e71f588aee5c27"><code>fd21bc9</code></a>
Reflow a comment that didn't appreciate being formatted in unknown
commit</li>
<li><a
href="https://github.com/google/error-prone/commit/63cf19274e382089693102a19bf31d7dbe791807"><code>63cf192</code></a>
Update <code>CanIgnoreReturnValueSuggester</code> summary.</li>
<li><a
href="https://github.com/google/error-prone/commit/5fa727a5e4e6a368a92c6f36224dbe9716ed5659"><code>5fa727a</code></a>
Actually test that <code>hasExtraParameterForEnclosingInstance</code>
works.</li>
<li>See full diff in <a
href="https://github.com/google/error-prone/compare/v2.24.0...v2.24.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.errorprone:error_prone_annotations&package-manager=gradle&previous-version=2.24.0&new-version=2.24.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3a368bc8a7..e71bba82ec 100644
--- a/build.gradle
+++ b/build.gradle
@@ -499,7 +499,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.24.0"
+            force "com.google.errorprone:error_prone_annotations:2.24.1"
             force "org.checkerframework:checker-qual:3.42.0"
             force "ch.qos.logback:logback-classic:1.2.13"
         }
@@ -609,7 +609,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.24.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.24.1'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
     runtimeOnly 'org.ow2.asm:asm:9.6'

From 649a2fc43a3470b3c8c31fca0aec2ff6885e2ae2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jan 2024 13:47:12 +0000
Subject: [PATCH 017/143] Bump com.google.googlejavaformat:google-java-format
 from 1.19.1 to 1.19.2 (#3930)

Bumps
[com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format)
from 1.19.1 to 1.19.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/google-java-format/releases">com.google.googlejavaformat:google-java-format's
releases</a>.</em></p>
<blockquote>
<h2>v1.19.2</h2>
<h2>Changes</h2>
<ul>
<li>Improve support for string templates (<a
href="https://redirect.github.com/google/google-java-format/issues/1010">#1010</a>)</li>
<li>Handle <code>var</code> in record patterns (<a
href="https://redirect.github.com/google/google-java-format/issues/1020">#1020</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/google/google-java-format/compare/v1.19.1...v1.19.2">https://github.com/google/google-java-format/compare/v1.19.1...v1.19.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/google-java-format/commit/ffb9d5bc094cc8782524ebbc386951b1ad334362"><code>ffb9d5b</code></a>
Release google-java-format 1.19.2</li>
<li><a
href="https://github.com/google/google-java-format/commit/d157ec879b43c4837f71eaafb45a6e6d58071a9a"><code>d157ec8</code></a>
Handle <code>var</code> in record patterns</li>
<li><a
href="https://github.com/google/google-java-format/commit/38de9c4e05bc871496c232c1ccbfc4be06a580e2"><code>38de9c4</code></a>
Improve support for string templates</li>
<li>See full diff in <a
href="https://github.com/google/google-java-format/compare/v1.19.1...v1.19.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.googlejavaformat:google-java-format&package-manager=gradle&previous-version=1.19.1&new-version=1.19.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index e71bba82ec..89fce7faf9 100644
--- a/build.gradle
+++ b/build.gradle
@@ -740,7 +740,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.19.1') {
+    implementation('com.google.googlejavaformat:google-java-format:1.19.2') {
         exclude group: 'com.google.guava'
     }
 }

From f217fa85a45100de730025307924715accfd85f8 Mon Sep 17 00:00:00 2001
From: Derek Ho <dxho@amazon.com>
Date: Wed, 10 Jan 2024 15:47:22 -0500
Subject: [PATCH 018/143] Fix Bug with Install demo configuration running in
 cluster mode with -y (#3935)

Previous behavior prior to 2.11 would be that init security and cluster
mode would only be set if they were explicitly passed in. There is a
small bug that is setting them to be true if -y is passed in. This is
causing a few failures with duplicate keys in integration tests when -y
is passed in.

https://github.com/opensearch-project/security/blob/2.11/tools/install_demo_configuration.sh#L73-L98

---------

Signed-off-by: Derek Ho <dxho@amazon.com>
---
 .../security/tools/democonfig/Installer.java         |  3 ---
 .../security/tools/democonfig/InstallerTests.java    |  4 ++--
 .../democonfig/SecuritySettingsConfigurerTests.java  | 12 ++++++++++++
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
index 61acd7e4c9..864607a9c6 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
@@ -212,9 +212,6 @@ void gatherUserInputs() {
                     cluster_mode = confirmAction(scanner, "Enable cluster mode?");
                 }
             }
-        } else {
-            initsecurity = true;
-            cluster_mode = true;
         }
     }
 
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java
index 06c6edf734..268bd9ea0e 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java
@@ -193,8 +193,8 @@ public void testGatherInputs_withAssumeYes() {
 
         installer.gatherUserInputs();
 
-        assertThat(installer.initsecurity, is(true));
-        assertThat(installer.cluster_mode, is(true));
+        assertThat(installer.initsecurity, is(false));
+        assertThat(installer.cluster_mode, is(false));
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
index 27ba150a78..280d704fb8 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -241,6 +241,18 @@ public void testIsStringAlreadyPresentInFile_isPresent() throws IOException {
         assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, str2), is(equalTo(false)));
     }
 
+    @Test
+    public void testAssumeYesDoesNotInitializeClusterMode() throws IOException {
+        String nodeName = "node.name"; // cluster_mode
+        String securityIndex = "plugins.security.allow_default_init_securityindex"; // init_security
+
+        installer.assumeyes = true;
+        securitySettingsConfigurer.writeSecurityConfigToOpenSearchYML();
+
+        assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, nodeName), is(false));
+        assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, securityIndex), is(false));
+    }
+
     @Test
     public void testCreateSecurityAdminDemoScriptAndGetSecurityAdminCommands() throws IOException {
         String demoPath = installer.OPENSEARCH_CONF_DIR + "securityadmin_demo" + installer.FILE_EXTENSION;

From b8a315a321927a8f4490fb5a7023663ffc184e31 Mon Sep 17 00:00:00 2001
From: Owais Kazi <owaiskazi19@gmail.com>
Date: Thu, 11 Jan 2024 05:24:01 -0800
Subject: [PATCH 019/143] Add permission for get workflow step (#3937)

Description

Adds permission for a new Get Workflow Step API.
https://github.com/opensearch-project/flow-framework/pull/394


### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: owaiskazi19 <owaiskazi19@gmail.com>
---
 config/roles.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/roles.yml b/config/roles.yml
index e307ee7de3..ee9a61f1d5 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -396,3 +396,4 @@ flow_framework_read_access:
     - 'cluster:admin/opensearch/flow_framework/workflow/search'
     - 'cluster:admin/opensearch/flow_framework/workflow_state/get'
     - 'cluster:admin/opensearch/flow_framework/workflow_state/search'
+    - 'cluster:admin/opensearch/flow_framework/workflow_step/get'

From fdfe087ab0dae3366d4c57db6ab2289059dbc707 Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Thu, 11 Jan 2024 11:55:57 -0600
Subject: [PATCH 020/143] Add additional logging around `testShouldSearchAll`
 tests (#3932)

### Description
- Improve error message logging on mismatch in search response.

#### Example of new error message:
```
Suite: Test class org.opensearch.security.DlsIntegrationTests
  2> java.lang.AssertionError:
    Expected: Search hit with index <5> should contain field "artist"" with value equal to ""yes"
         but: Unexpected match in SearchResponse {"took":101,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":6,"relation":"eq"},"max_score":null,"hits":[{"_index":"first-test-index","_id":"INDEX_1_S1","_score":null,"_source":{"artist":"First artist","lyrics":"Very deep subject","stars":1,"genre":"rock","title":"Magnum Opus"},"sort":["INDEX_1_S1"]},{"_index":"first-test-index","_id":"INDEX_1_S2","_score":null,"_source":{"artist":"String","lyrics":"Once upon a time","stars":2,"genre":"blues","title":"Song 1+1"},"sort":["INDEX_1_S2"]},{"_index":"first-test-index","_id":"INDEX_1_S3","_score":null,"_source":{"artist":"Twins","lyrics":"giant nonsense","stars":3,"genre":"jazz","title":"Next song"},"sort":["INDEX_1_S3"]},{"_index":"first-test-index","_id":"INDEX_1_S4","_score":null,"_source":{"artist":"No!","lyrics":"Much too much","stars":4,"genre":"rock","title":"Poison"},"sort":["INDEX_1_S4"]},{"_index":"first-test-index","_id":"INDEX_1_S5","_score":null,"_source":{"artist":"yes","lyrics":"Little to little","stars":5,"genre":"blues","title":"Affirmative"},"sort":["INDEX_1_S5"]},{"_index":"first-test-index","_id":"INDEX_1_S6","_score":null,"_source":{"artist":"unknown","lyrics":"confidential secret classified","stars":6,"genre":"jazz","title":"confidential"},"sort":["INDEX_1_S6"]}]}}
    Field value is equal to "unknown"
        at __randomizedtesting.SeedInfo.seed([2CB66291B43A24:7C34555162F056C]:0)
        at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
        at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:6)
        at org.opensearch.security.DlsIntegrationTests.testShouldSearchAll(DlsIntegrationTests.java:294)
```

### Issues Resolved
- Resolved https://github.com/opensearch-project/security/issues/3830

### Testing
Ran the suite of integration tests with
[10x](https://github.com/opensearch-project/security/actions/runs/7464876335?pr=3932)
with no failures.

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../matcher/SearchHitContainsFieldWithValueMatcher.java          | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/integrationTest/java/org/opensearch/test/framework/matcher/SearchHitContainsFieldWithValueMatcher.java b/src/integrationTest/java/org/opensearch/test/framework/matcher/SearchHitContainsFieldWithValueMatcher.java
index c92924ebfe..7d1a6b3251 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/matcher/SearchHitContainsFieldWithValueMatcher.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/matcher/SearchHitContainsFieldWithValueMatcher.java
@@ -35,6 +35,7 @@ class SearchHitContainsFieldWithValueMatcher<T> extends TypeSafeDiagnosingMatche
 
     @Override
     protected boolean matchesSafely(SearchResponse searchResponse, Description mismatchDescription) {
+        mismatchDescription.appendText("Unexpected match in SearchResponse " + searchResponse.toString() + "\n");
         Long numberOfHits = readTotalHits(searchResponse);
         if (numberOfHits == null) {
             mismatchDescription.appendText("Total number of hits is unknown.");

From 37d3ca28492c29ea2e2a13ce1f95c43d9207a31e Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Thu, 11 Jan 2024 11:56:23 -0600
Subject: [PATCH 021/143] HeapBasedRateTracker uses time provider to allow
 simluating of time in unit tests (#3934)

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../ratetracking/HeapBasedRateTracker.java    | 10 ++++++-
 .../limiting/HeapBasedRateTrackerTest.java    | 27 ++++++++++---------
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/opensearch/security/util/ratetracking/HeapBasedRateTracker.java b/src/main/java/org/opensearch/security/util/ratetracking/HeapBasedRateTracker.java
index 40b1f622d0..46aa577254 100644
--- a/src/main/java/org/opensearch/security/util/ratetracking/HeapBasedRateTracker.java
+++ b/src/main/java/org/opensearch/security/util/ratetracking/HeapBasedRateTracker.java
@@ -18,8 +18,10 @@
 package org.opensearch.security.util.ratetracking;
 
 import java.util.Arrays;
+import java.util.Optional;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
+import java.util.function.LongSupplier;
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
@@ -33,16 +35,22 @@ public class HeapBasedRateTracker<ClientIdType> implements RateTracker<ClientIdT
     private final Logger log = LogManager.getLogger(this.getClass());
 
     private final Cache<ClientIdType, ClientRecord> cache;
+    private final LongSupplier timeProvider;
     private final long timeWindowMs;
     private final int maxTimeOffsets;
 
     public HeapBasedRateTracker(long timeWindowMs, int allowedTries, int maxEntries) {
+        this(timeWindowMs, allowedTries, maxEntries, null);
+    }
+
+    public HeapBasedRateTracker(long timeWindowMs, int allowedTries, int maxEntries, LongSupplier timeProvider) {
         if (allowedTries < 2) {
             throw new IllegalArgumentException("allowedTries must be >= 2");
         }
 
         this.timeWindowMs = timeWindowMs;
         this.maxTimeOffsets = allowedTries > 2 ? allowedTries - 2 : 0;
+        this.timeProvider = Optional.ofNullable(timeProvider).orElse(System::currentTimeMillis);
         this.cache = CacheBuilder.newBuilder()
             .expireAfterAccess(this.timeWindowMs, TimeUnit.MILLISECONDS)
             .maximumSize(maxEntries)
@@ -89,7 +97,7 @@ private class ClientRecord {
         private short timeOffsetEnd = -1;
 
         synchronized boolean track() {
-            long timestamp = System.currentTimeMillis();
+            long timestamp = timeProvider.getAsLong();
 
             if (this.startTime == -1 || timestamp - getMostRecent() >= timeWindowMs) {
                 this.startTime = timestamp;
diff --git a/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java b/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
index c92c328564..aaae27e8c3 100644
--- a/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
+++ b/src/test/java/org/opensearch/security/auth/limiting/HeapBasedRateTrackerTest.java
@@ -17,7 +17,9 @@
 
 package org.opensearch.security.auth.limiting;
 
-import org.junit.Ignore;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.function.LongSupplier;
+
 import org.junit.Test;
 
 import org.opensearch.security.util.ratetracking.HeapBasedRateTracker;
@@ -27,9 +29,12 @@
 
 public class HeapBasedRateTrackerTest {
 
+    private final AtomicLong currentTime = new AtomicLong(1);
+    private LongSupplier timeProvider = () -> currentTime.getAndAdd(1);
+
     @Test
     public void simpleTest() throws Exception {
-        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 5, 100_000);
+        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 5, 100_000, timeProvider);
 
         assertFalse(tracker.track("a"));
         assertFalse(tracker.track("a"));
@@ -40,9 +45,8 @@ public void simpleTest() throws Exception {
     }
 
     @Test
-    @Ignore // https://github.com/opensearch-project/security/issues/2193
     public void expiryTest() throws Exception {
-        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 5, 100_000);
+        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 5, 100_000, timeProvider);
 
         assertFalse(tracker.track("a"));
         assertFalse(tracker.track("a"));
@@ -58,20 +62,20 @@ public void expiryTest() throws Exception {
 
         assertFalse(tracker.track("c"));
 
-        Thread.sleep(50);
+        currentTime.addAndGet(50);
 
         assertFalse(tracker.track("c"));
         assertFalse(tracker.track("c"));
         assertFalse(tracker.track("c"));
 
-        Thread.sleep(55);
+        currentTime.addAndGet(55);
 
         assertFalse(tracker.track("c"));
         assertTrue(tracker.track("c"));
 
         assertFalse(tracker.track("a"));
 
-        Thread.sleep(55);
+        currentTime.addAndGet(55);
         assertFalse(tracker.track("c"));
         assertFalse(tracker.track("c"));
         assertTrue(tracker.track("c"));
@@ -79,21 +83,20 @@ public void expiryTest() throws Exception {
     }
 
     @Test
-    @Ignore // https://github.com/opensearch-project/security/issues/2193
     public void maxTwoTriesTest() throws Exception {
-        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 2, 100_000);
+        HeapBasedRateTracker<String> tracker = new HeapBasedRateTracker<>(100, 2, 100_000, timeProvider);
 
         assertFalse(tracker.track("a"));
         assertTrue(tracker.track("a"));
 
         assertFalse(tracker.track("b"));
-        Thread.sleep(50);
+        currentTime.addAndGet(50);
         assertTrue(tracker.track("b"));
 
-        Thread.sleep(55);
+        currentTime.addAndGet(55);
         assertTrue(tracker.track("b"));
 
-        Thread.sleep(105);
+        currentTime.addAndGet(105);
         assertFalse(tracker.track("b"));
         assertTrue(tracker.track("b"));
 

From b905999f81093fc96db8371df5f96badabb9ff38 Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Thu, 11 Jan 2024 11:56:34 -0600
Subject: [PATCH 022/143] Add logging for test LdapServer actions (#3933)

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../amazon/dlic/auth/ldap/srv/LdapServer.java | 40 ++++++++++++-------
 src/test/resources/log4j2-test.properties     |  6 +++
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/src/test/java/com/amazon/dlic/auth/ldap/srv/LdapServer.java b/src/test/java/com/amazon/dlic/auth/ldap/srv/LdapServer.java
index 36bb37494d..64cc1f8ab0 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap/srv/LdapServer.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap/srv/LdapServer.java
@@ -23,9 +23,12 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.ReentrantLock;
+import java.util.logging.Handler;
+import java.util.logging.LogRecord;
 
 import com.google.common.io.CharStreams;
 import org.apache.commons.lang3.exception.ExceptionUtils;
+import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -153,9 +156,8 @@ private synchronized int configureAndStartServer(String... ldifFiles) throws Exc
         config.setEnforceAttributeSyntaxCompliance(false);
         config.setEnforceSingleStructuralObjectClass(false);
 
-        // config.setLDAPDebugLogHandler(DEBUG_HANDLER);
-        // config.setAccessLogHandler(DEBUG_HANDLER);
-        // config.addAdditionalBindCredentials(configuration.getBindDn(), configuration.getPassword());
+        config.setLDAPDebugLogHandler(new ServerLogger());
+        config.setAccessLogHandler(new ServerLogger());
 
         server = new InMemoryDirectoryServer(config);
 
@@ -214,25 +216,33 @@ private int loadLdifFiles(String... ldifFiles) throws Exception {
         return ldifLoadCount;
     }
 
-    /* private static class DebugHandler extends Handler {
-        private final static Logger LOG = LogManager.getLogger(DebugHandler.class);
+    private static class ServerLogger extends Handler {
+        final Logger logger = LogManager.getLogger(ServerLogger.class);
 
         @Override
-        public void publish(LogRecord logRecord) {
-           //LOG.debug(ToStringBuilder.reflectionToString(logRecord, ToStringStyle.MULTI_LINE_STYLE));
+        public void publish(final LogRecord logRecord) {
+            logger.log(toLog4jLevel(logRecord.getLevel()), logRecord.getMessage(), logRecord.getThrown());
         }
 
         @Override
-        public void flush() {
-
-        }
+        public void flush() {}
 
         @Override
-        public void close() throws SecurityException {
-
+        public void close() throws SecurityException {}
+
+        private Level toLog4jLevel(java.util.logging.Level javaLevel) {
+            switch (javaLevel.getName()) {
+                case "SEVERE":
+                    return Level.ERROR;
+                case "WARNING":
+                    return Level.WARN;
+                case "INFO":
+                    return Level.INFO;
+                case "CONFIG":
+                    return Level.DEBUG;
+                default:
+                    return Level.TRACE;
+            }
         }
     }
-
-    private static final DebugHandler DEBUG_HANDLER = new DebugHandler();
-    */
 }
diff --git a/src/test/resources/log4j2-test.properties b/src/test/resources/log4j2-test.properties
index 3d22ca3765..866b68325c 100644
--- a/src/test/resources/log4j2-test.properties
+++ b/src/test/resources/log4j2-test.properties
@@ -17,6 +17,12 @@ rootLogger.level = warn
 rootLogger.appenderRef.console.ref = console
 rootLogger.appenderRef.file.ref = LOGFILE
 
+# For troubleshooting com.amazon.dlic.auth.ldap.* test cases
+logger.ldapServerLogger.name = com.amazon.dlic.auth.ldap.srv.LdapServer.ServerLogger
+logger.ldapServerLogger.level = info
+logger.ldapAuthBackend.name = com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend
+logger.ldapAuthBackend.level = debug
+
 #logger.resolver.name = org.opensearch.security.resolver
 #logger.resolver.level = trace
 

From d734b2e2a5e5b6b33782380a1abc1fb41f862114 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Jan 2024 08:36:57 -0500
Subject: [PATCH 023/143] Bump com.diffplug.spotless from 6.23.3 to 6.24.0
 (#3946)

Bumps com.diffplug.spotless from 6.23.3 to 6.24.0.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.diffplug.spotless&package-manager=gradle&previous-version=6.23.3&new-version=6.24.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 89fce7faf9..ea810c1e17 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,7 +62,7 @@ plugins {
     id 'idea'
     id 'jacoco'
     id 'maven-publish'
-    id 'com.diffplug.spotless' version '6.23.3'
+    id 'com.diffplug.spotless' version '6.24.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.6.0"
     id "org.gradle.test-retry" version "1.5.8"

From 7273936149609c843e52ea831e67feda574e84fb Mon Sep 17 00:00:00 2001
From: Subhobrata Dey <sbcd90@gmail.com>
Date: Tue, 16 Jan 2024 14:13:18 -0800
Subject: [PATCH 024/143] Update security analytics roles to include custom log
 type cluster permissions (#3951)

Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
---
 config/roles.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/roles.yml b/config/roles.yml
index ee9a61f1d5..ccd1759355 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -346,6 +346,7 @@ security_analytics_read_access:
     - 'cluster:admin/opensearch/securityanalytics/detector/get'
     - 'cluster:admin/opensearch/securityanalytics/detector/search'
     - 'cluster:admin/opensearch/securityanalytics/findings/get'
+    - 'cluster:admin/opensearch/securityanalytics/logtype/search'
     - 'cluster:admin/opensearch/securityanalytics/mapping/get'
     - 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
     - 'cluster:admin/opensearch/securityanalytics/rule/get'
@@ -359,6 +360,7 @@ security_analytics_full_access:
     - 'cluster:admin/opensearch/securityanalytics/correlations/*'
     - 'cluster:admin/opensearch/securityanalytics/detector/*'
     - 'cluster:admin/opensearch/securityanalytics/findings/*'
+    - 'cluster:admin/opensearch/securityanalytics/logtype/*'
     - 'cluster:admin/opensearch/securityanalytics/mapping/*'
     - 'cluster:admin/opensearch/securityanalytics/rule/*'
   index_permissions:

From 6047d6626ec8adfb5d770d3955be5ffbcb0c907b Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Wed, 17 Jan 2024 11:42:41 -0600
Subject: [PATCH 025/143] Protect config object from concurrent modification
 issues (#3945)

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../impl/SecurityDynamicConfiguration.java    | 77 ++++++++++++-------
 1 file changed, 51 insertions(+), 26 deletions(-)

diff --git a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
index 938ee23c1e..bba44b5e28 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
@@ -30,6 +30,7 @@
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -56,6 +57,8 @@ public class SecurityDynamicConfiguration<T> implements ToXContent {
 
     @JsonIgnore
     private final Map<String, T> centries = new HashMap<>();
+    @JsonIgnore
+    private final Object modificationLock = new Object();
     private long seqNo = -1;
     private long primaryTerm = -1;
     private CType ctype;
@@ -158,23 +161,33 @@ void setCEntries(String key, T value) {
 
     @JsonAnyGetter
     public Map<String, T> getCEntries() {
-        return centries;
+        synchronized (modificationLock) {
+            return new HashMap<>(centries);
+        }
     }
 
     @JsonIgnore
     public void removeHidden() {
-        for (Entry<String, T> entry : new HashMap<String, T>(centries).entrySet()) {
-            if (entry.getValue() instanceof Hideable && ((Hideable) entry.getValue()).isHidden()) {
-                centries.remove(entry.getKey());
+        synchronized (modificationLock) {
+            final Iterator<Entry<String, T>> iterator = centries.entrySet().iterator();
+            while (iterator.hasNext()) {
+                final var entry = iterator.next();
+                if (entry.getValue() instanceof Hideable && ((Hideable) entry.getValue()).isHidden()) {
+                    iterator.remove();
+                }
             }
         }
     }
 
     @JsonIgnore
     public void removeStatic() {
-        for (Entry<String, T> entry : new HashMap<String, T>(centries).entrySet()) {
-            if (entry.getValue() instanceof StaticDefinable && ((StaticDefinable) entry.getValue()).isStatic()) {
-                centries.remove(entry.getKey());
+        synchronized (modificationLock) {
+            final Iterator<Entry<String, T>> iterator = centries.entrySet().iterator();
+            while (iterator.hasNext()) {
+                final var entry = iterator.next();
+                if (entry.getValue() instanceof StaticDefinable && ((StaticDefinable) entry.getValue()).isStatic()) {
+                    iterator.remove();
+                }
             }
         }
     }
@@ -189,20 +202,26 @@ public void clearHashes() {
     }
 
     public void removeOthers(String key) {
-        T tmp = this.centries.get(key);
-        this.centries.clear();
-        this.centries.put(key, tmp);
+        synchronized (modificationLock) {
+            T tmp = this.centries.get(key);
+            this.centries.clear();
+            this.centries.put(key, tmp);
+        }
     }
 
     @JsonIgnore
     public T putCEntry(String key, T value) {
-        return centries.put(key, value);
+        synchronized (modificationLock) {
+            return centries.put(key, value);
+        }
     }
 
     @JsonIgnore
     @SuppressWarnings("unchecked")
     public void putCObject(String key, Object value) {
-        centries.put(key, (T) value);
+        synchronized (modificationLock) {
+            centries.put(key, (T) value);
+        }
     }
 
     @JsonIgnore
@@ -286,36 +305,42 @@ public SecurityDynamicConfiguration<T> deepClone() {
 
     @JsonIgnore
     public void remove(String key) {
-        centries.remove(key);
+        synchronized (modificationLock) {
+            centries.remove(key);
+        }
     }
 
     @JsonIgnore
     public void remove(List<String> keySet) {
-        keySet.stream().forEach(this::remove);
+        synchronized (modificationLock) {
+            keySet.stream().forEach(centries::remove);
+        }
     }
 
     @SuppressWarnings({ "rawtypes", "unchecked" })
     public boolean add(SecurityDynamicConfiguration other) {
-        if (other.ctype == null || !other.ctype.equals(this.ctype)) {
-            return false;
-        }
+        synchronized (modificationLock) {
+            if (other.ctype == null || !other.ctype.equals(this.ctype)) {
+                return false;
+            }
 
-        if (other.getImplementingClass() == null || !other.getImplementingClass().equals(this.getImplementingClass())) {
-            return false;
-        }
+            if (other.getImplementingClass() == null || !other.getImplementingClass().equals(this.getImplementingClass())) {
+                return false;
+            }
 
-        if (other.version != this.version) {
-            return false;
-        }
+            if (other.version != this.version) {
+                return false;
+            }
 
-        this.centries.putAll(other.centries);
-        return true;
+            this.centries.putAll(other.centries);
+            return true;
+        }
     }
 
     @JsonIgnore
     @SuppressWarnings({ "rawtypes" })
     public boolean containsAny(SecurityDynamicConfiguration other) {
-        return !Collections.disjoint(this.centries.keySet(), other.centries.keySet());
+        return !Collections.disjoint(this.getCEntries().keySet(), other.getCEntries().keySet());
     }
 
     public boolean isHidden(String resourceName) {

From 09051f47b7a42741c5aaa0789497bb43b156648e Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Wed, 17 Jan 2024 11:43:50 -0600
Subject: [PATCH 026/143] Add test coverage for ComplianceConfig (#3952)

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../security/compliance/ComplianceConfig.java | 37 +++++--
 .../compliance/ComplianceConfigTest.java      | 96 +++++++++++++++++++
 .../config/AuditConfigSerializeTest.java      |  1 +
 3 files changed, 128 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index edc5248781..b149f2604a 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -30,8 +30,10 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
+import java.util.function.Supplier;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.cache.CacheBuilder;
@@ -73,11 +75,11 @@
 @JsonInclude(JsonInclude.Include.NON_NULL)
 public class ComplianceConfig {
 
+    public static Set<String> FIELDS = DefaultObjectMapper.getFields(ComplianceConfig.class);
     private static final Logger log = LogManager.getLogger(ComplianceConfig.class);
     public static final ComplianceConfig DEFAULT = ComplianceConfig.from(Settings.EMPTY);
     private static final int CACHE_SIZE = 1000;
     private static final String INTERNAL_OPENSEARCH = "internal_opensearch";
-    public static Set<String> FIELDS = DefaultObjectMapper.getFields(ComplianceConfig.class);
 
     private final boolean logExternalConfig;
     private final boolean logInternalConfig;
@@ -104,6 +106,7 @@ public class ComplianceConfig {
     private final DateTimeFormatter auditLogPattern;
     private final String auditLogIndex;
     private final boolean enabled;
+    private final Supplier<DateTime> dateProvider;
 
     private ComplianceConfig(
         final boolean enabled,
@@ -118,7 +121,8 @@ private ComplianceConfig(
         final Set<String> ignoredComplianceUsersForWrite,
         final String securityIndex,
         final String destinationType,
-        final String destinationIndex
+        final String destinationIndex,
+        final Supplier<DateTime> dateProvider
     ) {
         this.enabled = enabled;
         this.logExternalConfig = logExternalConfig;
@@ -148,6 +152,11 @@ private ComplianceConfig(
             try {
                 auditLogPattern = DateTimeFormat.forPattern(destinationIndex); // throws IllegalArgumentException if no pattern
             } catch (IllegalArgumentException e) {
+                log.warn(
+                    "Unable to translate {} as a DateTimeFormat, will instead treat this as a static audit log index name. Error: {}",
+                    destinationIndex,
+                    e.getMessage()
+                );
                 // no pattern
                 auditLogIndex = destinationIndex;
             } catch (Exception e) {
@@ -163,6 +172,8 @@ public WildcardMatcher load(String index) throws Exception {
                 return WildcardMatcher.from(getFieldsForIndex(index));
             }
         });
+
+        this.dateProvider = Optional.ofNullable(dateProvider).orElse(() -> DateTime.now(DateTimeZone.UTC));
     }
 
     @VisibleForTesting
@@ -177,6 +188,7 @@ public ComplianceConfig(
         final boolean logDiffsForWrite,
         final List<String> watchedWriteIndicesPatterns,
         final Set<String> ignoredComplianceUsersForWrite,
+        final Supplier<DateTime> dateProvider,
         Settings settings
     ) {
         this(
@@ -195,7 +207,8 @@ public ComplianceConfig(
             settings.get(
                 ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX,
                 "'security-auditlog-'YYYY.MM.dd"
-            )
+            ),
+            dateProvider
         );
     }
 
@@ -253,6 +266,7 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje
             logDiffsForWrite,
             watchedWriteIndicesPatterns,
             ignoredComplianceUsersForWrite,
+            null,
             settings
         );
     }
@@ -263,6 +277,16 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje
      * @return compliance configuration
      */
     public static ComplianceConfig from(Settings settings) {
+        return ComplianceConfig.from(settings, null);
+    }
+
+    /**
+     * Create compliance configuration from Settings defined in opensearch.yml
+     * @param settings settings
+     * @param dateProvider how the current date/time is evalated for audit logs that rollover
+     * @return compliance configuration
+     */
+    public static ComplianceConfig from(Settings settings, Supplier<DateTime> dateProvider) {
         final boolean logExternalConfig = settings.getAsBoolean(
             ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED,
             false
@@ -326,6 +350,7 @@ public static ComplianceConfig from(Settings settings) {
             logDiffsForWrite,
             watchedWriteIndices,
             ignoredComplianceUsersForWrite,
+            dateProvider,
             settings
         );
     }
@@ -469,7 +494,7 @@ private String getExpandedIndexName(DateTimeFormatter indexPattern, String index
         if (indexPattern == null) {
             return index;
         }
-        return indexPattern.print(DateTime.now(DateTimeZone.UTC));
+        return indexPattern.print(dateProvider.get());
     }
 
     /**
@@ -507,7 +532,7 @@ public boolean writeHistoryEnabledForIndex(String index) {
      * @return true/false
      */
     public boolean readHistoryEnabledForIndex(String index) {
-        if (!this.isEnabled()) {
+        if (index == null || !this.isEnabled()) {
             return false;
         }
         // if security index (internal index) check if internal config logging is enabled
@@ -529,7 +554,7 @@ public boolean readHistoryEnabledForIndex(String index) {
      * @return true/false
      */
     public boolean readHistoryEnabledForField(String index, String field) {
-        if (!this.isEnabled()) {
+        if (index == null || !this.isEnabled()) {
             return false;
         }
         // if security index (internal index) check if internal config logging is enabled
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
index 467475212b..302d26bb00 100644
--- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
@@ -12,8 +12,12 @@
 package org.opensearch.security.auditlog.compliance;
 
 import java.util.Collections;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Consumer;
 
 import com.google.common.collect.ImmutableSet;
+import org.apache.logging.log4j.Logger;
 import org.junit.Test;
 
 import org.opensearch.common.settings.Settings;
@@ -21,10 +25,22 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 
+import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.mockito.Mockito;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.isNull;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 public class ComplianceConfigTest {
 
@@ -136,4 +152,84 @@ public void testEmpty() {
         assertSame(WildcardMatcher.NONE, complianceConfig.getIgnoredComplianceUsersForReadMatcher());
         assertSame(WildcardMatcher.NONE, complianceConfig.getIgnoredComplianceUsersForWriteMatcher());
     }
+
+    @Test
+    public void testLogState() {
+        // arrange
+        final var logger = Mockito.mock(Logger.class);
+        final ComplianceConfig complianceConfig = ComplianceConfig.from(Settings.EMPTY);
+        // act
+        complianceConfig.log(logger);
+        // assert: don't validate content, but ensure message's logged is generally consistant
+        verify(logger, times(6)).info(anyString(), anyString());
+        verify(logger, times(1)).info(anyString(), isNull(String.class));
+        verify(logger, times(1)).info(anyString(), any(Map.class));
+        verify(logger, times(3)).info(anyString(), any(WildcardMatcher.class));
+        verifyNoMoreInteractions(logger);
+    }
+
+    @Test
+    public void testReadWriteHistoryEnabledForIndex_rollingIndex() {
+        // arrange
+        final var date = new AtomicReference<DateTime>();
+        final Consumer<Integer> setYear = (year) -> { date.set(new DateTime(year, 1, 1, 1, 2, DateTimeZone.UTC)); };
+        final ComplianceConfig complianceConfig = ComplianceConfig.from(
+            Settings.builder()
+                .put(
+                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX,
+                    "'audit-log-index'-YYYY-MM-dd"
+                )
+                .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch")
+                .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
+                .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
+                .build(),
+            date::get
+        );
+
+        // act: Don't log for null indices
+        assertThat(complianceConfig.readHistoryEnabledForIndex(null), equalTo(false));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex(null), equalTo(false));
+        // act: Don't log for the security indices
+        assertThat(complianceConfig.readHistoryEnabledForIndex(complianceConfig.getSecurityIndex()), equalTo(false));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex(complianceConfig.getSecurityIndex()), equalTo(false));
+
+        // act: Don't log for the current audit log
+        setYear.accept(1337);
+        assertThat(complianceConfig.readHistoryEnabledForIndex("audit-log-index-1337-01-01"), equalTo(false));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex("audit-log-index-1337-01-01"), equalTo(false));
+
+        // act: Log for current audit log when it does not match the date
+        setYear.accept(2048);
+        // See https://github.com/opensearch-project/security/issues/3950
+        // assertThat(complianceConfig.readHistoryEnabledForIndex("audit-log-index-1337-01-01"), equalTo(true));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex("audit-log-index-1337-01-01"), equalTo(true));
+
+        // act: Log for any matching index
+        assertThat(complianceConfig.readHistoryEnabledForIndex("my-data"), equalTo(true));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex("my-data"), equalTo(true));
+    }
+
+    @Test
+    public void testReadWriteHistoryEnabledForIndex_staticIndex() {
+        // arrange
+        final ComplianceConfig complianceConfig = ComplianceConfig.from(
+            Settings.builder()
+                .put(
+                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX,
+                    "audit-log-index"
+                )
+                .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch")
+                .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
+                .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
+                .build()
+        );
+
+        // act: Don't log for the static audit log
+        assertThat(complianceConfig.readHistoryEnabledForIndex(complianceConfig.getAuditLogIndex()), equalTo(false));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex(complianceConfig.getAuditLogIndex()), equalTo(false));
+
+        // act: Log for any matching index
+        assertThat(complianceConfig.readHistoryEnabledForIndex("my-data"), equalTo(true));
+        assertThat(complianceConfig.writeHistoryEnabledForIndex("my-data"), equalTo(true));
+    }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index b0b93afc54..04cea3dc05 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -214,6 +214,7 @@ public void testSerialize() throws IOException {
             false,
             Collections.singletonList("test-write-watch-index"),
             Collections.singleton("test-user-2"),
+            null,
             Settings.EMPTY
         );
         final AuditConfig auditConfig = new AuditConfig(true, audit, compliance);

From 037bc20b212fae282e4eefc379ff6631f49db6cf Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Thu, 18 Jan 2024 10:10:34 -0500
Subject: [PATCH 027/143] Improve code coverage for SSLNettyTransport class
 (#3953)

### Description
[Describe what this change achieves]
This change increases code coverage for the SecuritySSLNettyTransport
class. In the middle of 12/23, a few unit tests were added to give
coverage to different parts of the class. This change builds on these
existing changes.

### Issues Resolved
Box three of https://github.com/opensearch-project/security/issues/3137

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../transport/SecuritySSLNettyTransport.java  |  15 +-
 .../SecuritySSLNettyTransportTests.java       | 132 ++++++++++++++----
 2 files changed, 120 insertions(+), 27 deletions(-)

diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
index 242c7c56ed..5be3424528 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
@@ -39,6 +39,7 @@
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.ExceptionsHelper;
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.network.NetworkService;
@@ -103,6 +104,11 @@ public SecuritySSLNettyTransport(
         this.SSLConfig = SSLConfig;
     }
 
+    // This allows for testing log messages
+    Logger getLogger() {
+        return logger;
+    }
+
     @Override
     public void onException(TcpChannel channel, Exception e) {
 
@@ -113,8 +119,11 @@ public void onException(TcpChannel channel, Exception e) {
         }
 
         errorHandler.logError(cause, false);
-        logger.error("Exception during establishing a SSL connection: " + cause, cause);
+        getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
 
+        if (channel == null || !channel.isOpen()) {
+            throw new OpenSearchSecurityException("The provided TCP channel is invalid.", e);
+        }
         super.onException(channel, e);
     }
 
@@ -156,7 +165,7 @@ public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) th
             }
 
             errorHandler.logError(cause, false);
-            logger.error("Exception during establishing a SSL connection: " + cause, cause);
+            getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
 
             super.exceptionCaught(ctx, cause);
         }
@@ -291,7 +300,7 @@ public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) th
             }
 
             errorHandler.logError(cause, false);
-            logger.error("Exception during establishing a SSL connection: " + cause, cause);
+            getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
 
             super.exceptionCaught(ctx, cause);
         }
diff --git a/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java b/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java
index 27705988d8..32e0f48fac 100644
--- a/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java
+++ b/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java
@@ -11,10 +11,14 @@
 
 package org.opensearch.security.ssl.transport;
 
-import org.junit.Assert;
+import java.util.Collections;
+
+import org.apache.logging.log4j.Logger;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.network.NetworkService;
@@ -28,15 +32,27 @@
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport.SSLServerChannelInitializer;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.transport.FakeTcpChannel;
 import org.opensearch.transport.SharedGroupFactory;
+import org.opensearch.transport.TcpChannel;
 
 import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.DecoderException;
 import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.Assert.assertThrows;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
 public class SecuritySSLNettyTransportTests {
 
@@ -45,16 +61,12 @@ public class SecuritySSLNettyTransportTests {
     @Mock
     private ThreadPool threadPool;
     @Mock
-    private NetworkService networkService;
-    @Mock
     private PageCacheRecycler pageCacheRecycler;
     @Mock
     private NamedWriteableRegistry namedWriteableRegistry;
     @Mock
     private CircuitBreakerService circuitBreakerService;
     @Mock
-    private SharedGroupFactory sharedGroupFactory;
-    @Mock
     private Tracer trace;
     @Mock
     private SecurityKeyStore ossks;
@@ -63,55 +75,127 @@ public class SecuritySSLNettyTransportTests {
     @Mock
     private DiscoveryNode discoveryNode;
 
+    // This initializes all the above mocks
+    @Rule
+    public MockitoRule rule = MockitoJUnit.rule();
+
+    private NetworkService networkService;
+    private SharedGroupFactory sharedGroupFactory;
+    private Logger mockLogger;
     private SSLConfig sslConfig;
     private SecuritySSLNettyTransport securitySSLNettyTransport;
+    Throwable testCause = new Throwable("Test Cause");
 
     @Before
     public void setup() {
 
-        sslConfig = new SSLConfig(Settings.EMPTY);
+        networkService = new NetworkService(Collections.emptyList());
+        sharedGroupFactory = new SharedGroupFactory(Settings.EMPTY);
 
-        securitySSLNettyTransport = new SecuritySSLNettyTransport(
-            Settings.EMPTY,
-            version,
-            threadPool,
-            networkService,
-            pageCacheRecycler,
-            namedWriteableRegistry,
-            circuitBreakerService,
-            ossks,
-            sslExceptionHandler,
-            sharedGroupFactory,
-            sslConfig,
-            trace
+        sslConfig = new SSLConfig(Settings.EMPTY);
+        mockLogger = mock(Logger.class);
+
+        securitySSLNettyTransport = spy(
+            new SecuritySSLNettyTransport(
+                Settings.EMPTY,
+                version,
+                threadPool,
+                networkService,
+                pageCacheRecycler,
+                namedWriteableRegistry,
+                circuitBreakerService,
+                ossks,
+                sslExceptionHandler,
+                sharedGroupFactory,
+                sslConfig,
+                trace
+            )
         );
     }
 
     @Test
     public void OnException_withNullChannelShouldThrowException() {
 
-        NullPointerException exception = new NullPointerException("Test Exception");
+        OpenSearchSecurityException exception = new OpenSearchSecurityException("The provided TCP channel is invalid");
+        assertThrows(OpenSearchSecurityException.class, () -> securitySSLNettyTransport.onException(null, exception));
+    }
+
+    @Test
+    public void OnException_withClosedChannelShouldThrowException() {
+
+        TcpChannel channel = new FakeTcpChannel();
+        channel.close();
+        OpenSearchSecurityException exception = new OpenSearchSecurityException("The provided TCP channel is invalid");
+        assertThrows(OpenSearchSecurityException.class, () -> securitySSLNettyTransport.onException(channel, exception));
+    }
+
+    @Test
+    public void OnException_withNullExceptionShouldSucceed() {
+
+        TcpChannel channel = new FakeTcpChannel();
+        securitySSLNettyTransport.onException(channel, null);
+        verify(securitySSLNettyTransport, times(1)).onException(channel, null);
+        channel.close();
+    }
 
-        Assert.assertThrows(NullPointerException.class, () -> securitySSLNettyTransport.onException(null, exception));
+    @Test
+    public void OnException_withDecoderExceptionShouldGetCause() {
 
+        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
+        DecoderException exception = new DecoderException("Test Exception", testCause);
+        TcpChannel channel = new FakeTcpChannel();
+        securitySSLNettyTransport.onException(channel, exception);
+        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
     }
 
     @Test
     public void getServerChannelInitializer_shouldReturnValidServerChannel() {
 
         ChannelHandler channelHandler = securitySSLNettyTransport.getServerChannelInitializer("test-server-channel");
-
         assertThat(channelHandler, is(notNullValue()));
         assertThat(channelHandler, is(instanceOf(SSLServerChannelInitializer.class)));
     }
 
     @Test
     public void getClientChannelInitializer_shouldReturnValidClientChannel() {
-
         ChannelHandler channelHandler = securitySSLNettyTransport.getClientChannelInitializer(discoveryNode);
-
         assertThat(channelHandler, is(notNullValue()));
         assertThat(channelHandler, is(instanceOf(SSLClientChannelInitializer.class)));
     }
 
+    @Test
+    public void exceptionWithServerChannelHandlerContext_nonNullDecoderExceptionShouldGetCause() throws Exception {
+        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
+        Throwable exception = new DecoderException("Test Exception", testCause);
+        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
+        securitySSLNettyTransport.getServerChannelInitializer(discoveryNode.getName()).exceptionCaught(ctx, exception);
+        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
+    }
+
+    @Test
+    public void exceptionWithServerChannelHandlerContext_nonNullCauseOnlyShouldNotGetCause() throws Exception {
+        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
+        Throwable exception = new OpenSearchSecurityException("Test Exception", testCause);
+        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
+        securitySSLNettyTransport.getServerChannelInitializer(discoveryNode.getName()).exceptionCaught(ctx, exception);
+        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception, exception);
+    }
+
+    @Test
+    public void exceptionWithClientChannelHandlerContext_nonNullDecoderExceptionShouldGetCause() throws Exception {
+        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
+        Throwable exception = new DecoderException("Test Exception", testCause);
+        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
+        securitySSLNettyTransport.getClientChannelInitializer(discoveryNode).exceptionCaught(ctx, exception);
+        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
+    }
+
+    @Test
+    public void exceptionWithClientChannelHandlerContext_nonNullCauseOnlyShouldNotGetCause() throws Exception {
+        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
+        Throwable exception = new OpenSearchSecurityException("Test Exception", testCause);
+        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
+        securitySSLNettyTransport.getClientChannelInitializer(discoveryNode).exceptionCaught(ctx, exception);
+        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception, exception);
+    }
 }

From 9eeeb848b51db30e04d3eeb3b4c6de44cf013154 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Thu, 18 Jan 2024 12:21:45 -0500
Subject: [PATCH 028/143] Remove Third-party.txt file (#3907)

### Description
The Security plugin is one of only two plugins (alongside the SQL
plugin) which has its own THIRD-PARTY.txt file. This file is not
automatically generated and serves no obvious use. This changes follows
the suggestions on the linked issue (below) and removes the file.

I requested a legal review for this change just in case and will update
this PR with a comment once I have confirmation it is fine to merge.

### Issues Resolved
- resolves https://github.com/opensearch-project/security/issues/1833


### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 THIRD-PARTY.txt | 71 -------------------------------------------------
 1 file changed, 71 deletions(-)
 delete mode 100644 THIRD-PARTY.txt

diff --git a/THIRD-PARTY.txt b/THIRD-PARTY.txt
deleted file mode 100644
index d8a027321b..0000000000
--- a/THIRD-PARTY.txt
+++ /dev/null
@@ -1,71 +0,0 @@
-
-Lists of 69 third-party dependencies.
-     (The Apache Software License, Version 2.0) HPPC Collections (com.carrotsearch:hppc:0.7.1 - http://labs.carrotsearch.com/hppc.html/hppc)
-     (The Apache Software License, Version 2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.8.10 - https://github.com/FasterXML/jackson-core)
-     (The Apache Software License, Version 2.0) Jackson dataformat: CBOR (com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.8.10 - http://github.com/FasterXML/jackson-dataformats-binary)
-     (The Apache Software License, Version 2.0) Jackson dataformat: Smile (com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.8.10 - http://github.com/FasterXML/jackson-dataformats-binary)
-     (The Apache Software License, Version 2.0) Jackson-dataformat-YAML (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.10 - https://github.com/FasterXML/jackson)
-     (The Apache Software License, Version 2.0) OpenDistro Security SSL (com.amazon.opendistroforelasticsearch:opendistro-elasticsearch-security-ssl:0.0.8.0 - https://github.com/opendistro-for-elasticsearch/security-ssl)
-     (Apache License 2.0) compiler (com.github.spullara.mustache.java:compiler:0.9.3 - http://github.com/spullara/mustache.java)
-     (The Apache Software License, Version 2.0) FindBugs-jsr305 (com.google.code.findbugs:jsr305:1.3.9 - http://findbugs.sourceforge.net/)
-     (Apache 2.0) error-prone annotations (com.google.errorprone:error_prone_annotations:2.0.18 - http://nexus.sonatype.org/oss-repository-hosting.html/error_prone_parent/error_prone_annotations)
-     (The Apache Software License, Version 2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:23.0 - https://github.com/google/guava/guava)
-     (The Apache Software License, Version 2.0) J2ObjC Annotations (com.google.j2objc:j2objc-annotations:1.1 - https://github.com/google/j2objc/)
-     (The Apache Software License, Version 2.0) T-Digest (com.tdunning:t-digest:3.0 - https://github.com/tdunning/t-digest)
-     (Lesser General Public License (LGPL)) JTS Topology Suite (com.vividsolutions:jts:1.13 - http://sourceforge.net/projects/jts-topo-suite)
-     (Apache License, Version 2.0) Apache Commons CLI (commons-cli:commons-cli:1.3.1 - http://commons.apache.org/proper/commons-cli/)
-     (Apache License, Version 2.0) Apache Commons Codec (commons-codec:commons-codec:1.10 - http://commons.apache.org/proper/commons-codec/)
-     (Apache License, Version 2.0) Apache Commons IO (commons-io:commons-io:2.6 - http://commons.apache.org/proper/commons-io/)
-     (The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.3 - http://commons.apache.org/proper/commons-logging/)
-     (Apache License, Version 2.0) Netty/Buffer (io.netty:netty-buffer:4.1.16.Final - http://netty.io/netty-buffer/)
-     (Apache License, Version 2.0) Netty/Codec (io.netty:netty-codec:4.1.16.Final - http://netty.io/netty-codec/)
-     (Apache License, Version 2.0) Netty/Codec/HTTP (io.netty:netty-codec-http:4.1.16.Final - http://netty.io/netty-codec-http/)
-     (Apache License, Version 2.0) Netty/Common (io.netty:netty-common:4.1.16.Final - http://netty.io/netty-common/)
-     (Apache License, Version 2.0) Netty/Handler (io.netty:netty-handler:4.1.16.Final - http://netty.io/netty-handler/)
-     (Apache License, Version 2.0) Netty/Resolver (io.netty:netty-resolver:4.1.16.Final - http://netty.io/netty-resolver/)
-     (Apache License, Version 2.0) Netty/TomcatNative [OpenSSL - Dynamic] (io.netty:netty-tcnative:2.0.7.Final - https://github.com/netty/netty-tcnative/netty-tcnative/)
-     (Apache License, Version 2.0) Netty/Transport (io.netty:netty-transport:4.1.16.Final - http://netty.io/netty-transport/)
-     (Apache 2) Joda-Time (joda-time:joda-time:2.9.9 - http://www.joda.org/joda-time/)
-     (Eclipse Public License 1.0) JUnit (junit:junit:4.12 - http://junit.org)
-     (The MIT License) JOpt Simple (net.sf.jopt-simple:jopt-simple:5.0.2 - http://pholser.github.io/jopt-simple)
-     (Apache License, Version 2.0) Apache HttpAsyncClient (org.apache.httpcomponents:httpasyncclient:4.1.2 - http://hc.apache.org/httpcomponents-asyncclient)
-     (Apache License, Version 2.0) Apache HttpClient (org.apache.httpcomponents:httpclient:4.5.2 - http://hc.apache.org/httpcomponents-client)
-     (Apache License, Version 2.0) Apache HttpCore (org.apache.httpcomponents:httpcore:4.4.5 - http://hc.apache.org/httpcomponents-core-ga)
-     (Apache License, Version 2.0) Apache HttpCore NIO (org.apache.httpcomponents:httpcore-nio:4.4.5 - http://hc.apache.org/httpcomponents-core-ga)
-     (Apache License, Version 2.0) Apache Log4j API (org.apache.logging.log4j:log4j-api:2.9.1 - https://logging.apache.org/log4j/2.x/log4j-api/)
-     (Apache License, Version 2.0) Apache Log4j Core (org.apache.logging.log4j:log4j-core:2.9.1 - https://logging.apache.org/log4j/2.x/log4j-core/)
-     (Apache 2) Lucene Common Analyzers (org.apache.lucene:lucene-analyzers-common:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-analyzers-common)
-     (Apache 2) Lucene Memory (org.apache.lucene:lucene-backward-codecs:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-backward-codecs)
-     (Apache 2) Lucene Core (org.apache.lucene:lucene-core:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-core)
-     (Apache 2) Lucene Grouping (org.apache.lucene:lucene-grouping:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-grouping)
-     (Apache 2) Lucene Highlighter (org.apache.lucene:lucene-highlighter:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-highlighter)
-     (Apache 2) Lucene Join (org.apache.lucene:lucene-join:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-join)
-     (Apache 2) Lucene Memory (org.apache.lucene:lucene-memory:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-memory)
-     (Apache 2) Lucene Miscellaneous (org.apache.lucene:lucene-misc:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-misc)
-     (Apache 2) Lucene Queries (org.apache.lucene:lucene-queries:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-queries)
-     (Apache 2) Lucene QueryParsers (org.apache.lucene:lucene-queryparser:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-queryparser)
-     (Apache 2) Lucene Sandbox (org.apache.lucene:lucene-sandbox:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-sandbox)
-     (Apache 2) Lucene Spatial (org.apache.lucene:lucene-spatial:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-spatial)
-     (Apache 2) Lucene Spatial Extras (org.apache.lucene:lucene-spatial-extras:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-spatial-extras)
-     (Apache 2) Lucene Spatial 3D (org.apache.lucene:lucene-spatial3d:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-spatial3d)
-     (Apache 2) Lucene Suggest (org.apache.lucene:lucene-suggest:7.2.1 - http://lucene.apache.org/lucene-parent/lucene-suggest)
-     (Apache Software License, Version 1.1) (Bouncy Castle Licence) Bouncy Castle OpenPGP API (org.bouncycastle:bcpg-jdk15on:1.59 - http://www.bouncycastle.org/java.html)
-     (Bouncy Castle Licence) Bouncy Castle Provider (org.bouncycastle:bcprov-jdk15on:1.59 - http://www.bouncycastle.org/java.html)
-     (MIT license) Animal Sniffer Annotations (org.codehaus.mojo:animal-sniffer-annotations:1.14 - http://mojo.codehaus.org/animal-sniffer/animal-sniffer-annotations)
-     (The Apache Software License, Version 2.0) server (org.elasticsearch:elasticsearch:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) cli (org.elasticsearch:elasticsearch-cli:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) elasticsearch-core (org.elasticsearch:elasticsearch-core:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) java native access (net.java.dev.jna:jna:5.5.0 - https://github.com/java-native-access/jna)
-     (The Apache Software License, Version 2.0) Elasticsearch SecureSM (org.elasticsearch:securesm:1.2 - http://nexus.sonatype.org/oss-repository-hosting.html/securesm)
-     (The Apache Software License, Version 2.0) rest (org.elasticsearch.client:elasticsearch-rest-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) aggs-matrix-stats (org.elasticsearch.plugin:aggs-matrix-stats-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) lang-mustache (org.elasticsearch.plugin:lang-mustache-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) parent-join (org.elasticsearch.plugin:parent-join-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) percolator (org.elasticsearch.plugin:percolator-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) reindex (org.elasticsearch.plugin:reindex-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (The Apache Software License, Version 2.0) transport-netty4 (org.elasticsearch.plugin:transport-netty4-client:6.2.0 - https://github.com/elastic/elasticsearch)
-     (New BSD License) Hamcrest All (org.hamcrest:hamcrest-all:1.3 - https://github.com/hamcrest/JavaHamcrest/hamcrest-all)
-     (New BSD License) Hamcrest Core (org.hamcrest:hamcrest-core:1.3 - https://github.com/hamcrest/JavaHamcrest/hamcrest-core)
-     (Public Domain, per Creative Commons CC0) HdrHistogram (org.hdrhistogram:HdrHistogram:2.1.9 - http://hdrhistogram.github.io/HdrHistogram/)
-     (The Apache Software License, Version 2.0) Spatial4J (org.locationtech.spatial4j:spatial4j:0.6 - http://www.locationtech.org/projects/locationtech.spatial4j)
-     (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:1.17 - http://www.snakeyaml.org)

From 15f5b7b8514c5ef6ba4771e4c182086cf5c21362 Mon Sep 17 00:00:00 2001
From: Prabhas Kurapati <66924475+prabhask5@users.noreply.github.com>
Date: Fri, 19 Jan 2024 06:48:41 -0800
Subject: [PATCH 029/143] Validate 409s occur when multiple config updates
 happen simultaneously (#3909)

### Description
Added new TenantAsyncActionTest.java file to put api unit tests for the
/api/tenants api call- additionally wrote new unit test to test for
parallel PUT /tenant/{name} calls, that they successfully return a 409
call and retry the call.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)
Test fix

* Why these changes are required?
There was no test that checked for the behavior mentioned in the linked
ticket, so previously we didn't know if the issue still existed or not
(it apparently was fixed before), to make sure this doesn't happen again
for this particular case, I decided to write a concrete test for it.

* What is the old behavior before changes and new behavior after
changes?
Test was added, there's no behavior change?

### Issues Resolved
- #1402 - added unit test to cover bug in this issue

### Testing
Added new tenant action unit test to test parallel tenant api calls.

### Check List
- [x] New functionality includes testing
- [x] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Prabhas Kurapati <prabhask@berkeley.edu>
---
 .../security/SecurityConfigurationTests.java  | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
index 6b04737d18..3889fa2a3c 100644
--- a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
@@ -13,8 +13,13 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.http.HttpStatus;
 import org.awaitility.Awaitility;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
@@ -24,6 +29,7 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.client.Client;
+import org.opensearch.test.framework.AsyncActions;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.TestSecurityConfig.User;
 import org.opensearch.test.framework.certificate.TestCertificates;
@@ -33,6 +39,8 @@
 import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.anyOf;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST;
@@ -229,4 +237,39 @@ public void shouldUseSecurityAdminTool() throws Exception {
                 .until(() -> client.get("_plugins/_security/api/rolesmapping/readall").getStatusCode(), equalTo(200));
         }
     }
+
+    @Test
+    public void testParallelTenantPutRequests() throws Exception {
+        final String TENANT_ENDPOINT = "_plugins/_security/api/tenants/tenant1";
+        final String TENANT_BODY = "{\"description\":\"create new tenant\"}";
+        final String TENANT_BODY_TWO = "{\"description\":\"update tenant\"}";
+
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+
+            final CountDownLatch countDownLatch = new CountDownLatch(1);
+            final List<CompletableFuture<TestRestClient.HttpResponse>> conflictingRequests = AsyncActions.generate(() -> {
+                countDownLatch.await();
+                return client.putJson(TENANT_ENDPOINT, TENANT_BODY);
+            }, 4, 4);
+
+            // Make sure all requests start at the same time
+            countDownLatch.countDown();
+
+            AtomicInteger numCreatedResponses = new AtomicInteger();
+            AsyncActions.getAll(conflictingRequests, 1, TimeUnit.SECONDS).forEach((response) -> {
+                assertThat(response.getStatusCode(), anyOf(equalTo(HttpStatus.SC_CREATED), equalTo(HttpStatus.SC_CONFLICT)));
+                if (response.getStatusCode() == HttpStatus.SC_CREATED) numCreatedResponses.getAndIncrement();
+            });
+            assertThat(numCreatedResponses.get(), equalTo(1)); // should only be one 201
+
+            TestRestClient.HttpResponse getResponse = client.get(TENANT_ENDPOINT); // make sure the one 201 works
+            assertThat(getResponse.getBody(), containsString("create new tenant"));
+
+            TestRestClient.HttpResponse updateResponse = client.putJson(TENANT_ENDPOINT, TENANT_BODY_TWO);
+            assertThat(updateResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
+
+            getResponse = client.get(TENANT_ENDPOINT); // make sure update works
+            assertThat(getResponse.getBody(), containsString("update tenant"));
+        }
+    }
 }

From 881ed584e1497894d0f5dc99faf1d19ab7df9f37 Mon Sep 17 00:00:00 2001
From: Prabhas Kurapati <66924475+prabhask5@users.noreply.github.com>
Date: Fri, 19 Jan 2024 14:09:05 -0800
Subject: [PATCH 030/143] [Enhancement-3191] `transport_enabled` setting on an
 auth domain and authorizer may be unnecessary after transport client removal 
 (#3939)

Signed-off-by: Prabhas Kurapati <prabhask@berkeley.edu>
---
 .../security/http/LdapAuthenticationTest.java |  1 -
 .../http/LdapTlsAuthenticationTest.java       |  1 -
 .../test/framework/AuthzDomain.java           |  8 --
 .../securityconf/DynamicConfigModelV6.java    | 20 +---
 .../securityconf/DynamicConfigModelV7.java    | 20 +---
 .../securityconf/impl/v6/ConfigV6.java        | 57 +++++++++--
 .../securityconf/impl/v7/ConfigV7.java        | 58 +++++++++--
 .../security/setting/DeprecatedSettings.java  | 15 +++
 .../setting/DeprecatedSettingsTest.java       | 97 +++++++++++++++++++
 .../resources/restapi/invalid_config.json     |  6 --
 .../resources/restapi/security_config.json    |  6 --
 .../resources/restapi/securityconfig.json     |  7 --
 .../restapi/securityconfig_nondefault.json    |  8 --
 13 files changed, 213 insertions(+), 91 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
index dbb1724a55..b4a3717287 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
@@ -109,7 +109,6 @@ public class LdapAuthenticationTest {
         .rolesMapping(new RolesMapping(ALL_ACCESS).backendRoles(CN_GROUP_ADMIN))
         .authz(
             new AuthzDomain("ldap_roles").httpEnabled(true)
-                .transportEnabled(true)
                 .authorizationBackend(
                     new AuthorizationBackend("ldap").config(
                         () -> new LdapAuthorizationConfigBuilder().hosts(List.of("localhost:" + embeddedLDAPServer.getLdapNonTlsPort()))
diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
index bac79ffd12..32265f4b81 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
@@ -156,7 +156,6 @@ public class LdapTlsAuthenticationTest {
         )
         .authz(
             new AuthzDomain("ldap_roles").httpEnabled(true)
-                .transportEnabled(true)
                 .authorizationBackend(
                     new AuthorizationBackend("ldap").config(
                         () -> new LdapAuthorizationConfigBuilder().hosts(List.of("localhost:" + embeddedLDAPServer.getLdapTlsPort()))
diff --git a/src/integrationTest/java/org/opensearch/test/framework/AuthzDomain.java b/src/integrationTest/java/org/opensearch/test/framework/AuthzDomain.java
index 5ccf1f9ee0..d56344d5d2 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/AuthzDomain.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/AuthzDomain.java
@@ -25,8 +25,6 @@ public class AuthzDomain implements ToXContentObject {
 
     private boolean httpEnabled;
 
-    private boolean transportEnabled;
-
     private AuthorizationBackend authorizationBackend;
 
     public AuthzDomain(String id) {
@@ -52,17 +50,11 @@ public AuthzDomain authorizationBackend(AuthorizationBackend authorizationBacken
         return this;
     }
 
-    public AuthzDomain transportEnabled(boolean transportEnabled) {
-        this.transportEnabled = transportEnabled;
-        return this;
-    }
-
     @Override
     public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
         xContentBuilder.startObject();
         xContentBuilder.field("description", description);
         xContentBuilder.field("http_enabled", httpEnabled);
-        xContentBuilder.field("transport_enabled", transportEnabled);
         xContentBuilder.field("authorization_backend", authorizationBackend);
         xContentBuilder.endObject();
         return xContentBuilder;
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
index e5308aa574..b652893bdd 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
@@ -68,8 +68,6 @@ public class DynamicConfigModelV6 extends DynamicConfigModel {
     private final Path configPath;
     private SortedSet<AuthDomain> restAuthDomains;
     private Set<AuthorizationBackend> restAuthorizers;
-    private SortedSet<AuthDomain> transportAuthDomains;
-    private Set<AuthorizationBackend> transportAuthorizers;
     private List<Destroyable> destroyableComponents;
     private final InternalAuthenticationBackend iab;
 
@@ -216,8 +214,6 @@ private void buildAAA() {
 
         final SortedSet<AuthDomain> restAuthDomains0 = new TreeSet<>();
         final Set<AuthorizationBackend> restAuthorizers0 = new HashSet<>();
-        final SortedSet<AuthDomain> transportAuthDomains0 = new TreeSet<>();
-        final Set<AuthorizationBackend> transportAuthorizers0 = new HashSet<>();
         final List<Destroyable> destroyableComponents0 = new LinkedList<>();
         final List<AuthFailureListener> ipAuthFailureListeners0 = new ArrayList<>();
         final Multimap<String, AuthFailureListener> authBackendFailureListeners0 = ArrayListMultimap.create();
@@ -229,9 +225,8 @@ private void buildAAA() {
         for (final Entry<String, AuthzDomain> ad : authzDyn.getDomains().entrySet()) {
             final boolean enabled = ad.getValue().enabled;
             final boolean httpEnabled = enabled && ad.getValue().http_enabled;
-            final boolean transportEnabled = enabled && ad.getValue().transport_enabled;
 
-            if (httpEnabled || transportEnabled) {
+            if (httpEnabled) {
                 try {
 
                     final String authzBackendClazz = ad.getValue().authorization_backend.type;
@@ -264,10 +259,6 @@ private void buildAAA() {
                         restAuthorizers0.add(authorizationBackend);
                     }
 
-                    if (transportEnabled) {
-                        transportAuthorizers0.add(authorizationBackend);
-                    }
-
                     if (authorizationBackend instanceof Destroyable) {
                         destroyableComponents0.add((Destroyable) authorizationBackend);
                     }
@@ -282,9 +273,8 @@ private void buildAAA() {
         for (final Entry<String, AuthcDomain> ad : authcDyn.getDomains().entrySet()) {
             final boolean enabled = ad.getValue().enabled;
             final boolean httpEnabled = enabled && ad.getValue().http_enabled;
-            final boolean transportEnabled = enabled && ad.getValue().transport_enabled;
 
-            if (httpEnabled || transportEnabled) {
+            if (httpEnabled) {
                 try {
                     AuthenticationBackend authenticationBackend;
                     final String authBackendClazz = ad.getValue().authentication_backend.type;
@@ -343,10 +333,6 @@ private void buildAAA() {
                         restAuthDomains0.add(_ad);
                     }
 
-                    if (transportEnabled) {
-                        transportAuthDomains0.add(_ad);
-                    }
-
                     if (httpAuthenticator instanceof Destroyable) {
                         destroyableComponents0.add((Destroyable) httpAuthenticator);
                     }
@@ -365,9 +351,7 @@ private void buildAAA() {
         List<Destroyable> originalDestroyableComponents = destroyableComponents;
 
         restAuthDomains = Collections.unmodifiableSortedSet(restAuthDomains0);
-        transportAuthDomains = Collections.unmodifiableSortedSet(transportAuthDomains0);
         restAuthorizers = Collections.unmodifiableSet(restAuthorizers0);
-        transportAuthorizers = Collections.unmodifiableSet(transportAuthorizers0);
 
         destroyableComponents = Collections.unmodifiableList(destroyableComponents0);
 
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
index 0de83f2e2e..91bb59db64 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
@@ -76,8 +76,6 @@ public class DynamicConfigModelV7 extends DynamicConfigModel {
     private final Path configPath;
     private SortedSet<AuthDomain> restAuthDomains;
     private Set<AuthorizationBackend> restAuthorizers;
-    private SortedSet<AuthDomain> transportAuthDomains;
-    private Set<AuthorizationBackend> transportAuthorizers;
     private List<Destroyable> destroyableComponents;
     private final InternalAuthenticationBackend iab;
 
@@ -234,8 +232,6 @@ private void buildAAA() {
 
         final SortedSet<AuthDomain> restAuthDomains0 = new TreeSet<>();
         final Set<AuthorizationBackend> restAuthorizers0 = new HashSet<>();
-        final SortedSet<AuthDomain> transportAuthDomains0 = new TreeSet<>();
-        final Set<AuthorizationBackend> transportAuthorizers0 = new HashSet<>();
         final List<Destroyable> destroyableComponents0 = new LinkedList<>();
         final List<AuthFailureListener> ipAuthFailureListeners0 = new ArrayList<>();
         final Multimap<String, AuthFailureListener> authBackendFailureListeners0 = ArrayListMultimap.create();
@@ -246,9 +242,8 @@ private void buildAAA() {
 
         for (final Entry<String, AuthzDomain> ad : authzDyn.getDomains().entrySet()) {
             final boolean httpEnabled = ad.getValue().http_enabled;
-            final boolean transportEnabled = ad.getValue().transport_enabled;
 
-            if (httpEnabled || transportEnabled) {
+            if (httpEnabled) {
                 try {
 
                     final String authzBackendClazz = ad.getValue().authorization_backend.type;
@@ -281,10 +276,6 @@ private void buildAAA() {
                         restAuthorizers0.add(authorizationBackend);
                     }
 
-                    if (transportEnabled) {
-                        transportAuthorizers0.add(authorizationBackend);
-                    }
-
                     if (authorizationBackend instanceof Destroyable) {
                         destroyableComponents0.add((Destroyable) authorizationBackend);
                     }
@@ -298,9 +289,8 @@ private void buildAAA() {
 
         for (final Entry<String, AuthcDomain> ad : authcDyn.getDomains().entrySet()) {
             final boolean httpEnabled = ad.getValue().http_enabled;
-            final boolean transportEnabled = ad.getValue().transport_enabled;
 
-            if (httpEnabled || transportEnabled) {
+            if (httpEnabled) {
                 try {
                     AuthenticationBackend authenticationBackend;
                     final String authBackendClazz = ad.getValue().authentication_backend.type;
@@ -359,10 +349,6 @@ private void buildAAA() {
                         restAuthDomains0.add(_ad);
                     }
 
-                    if (transportEnabled) {
-                        transportAuthDomains0.add(_ad);
-                    }
-
                     if (httpAuthenticator instanceof Destroyable) {
                         destroyableComponents0.add((Destroyable) httpAuthenticator);
                     }
@@ -398,9 +384,7 @@ private void buildAAA() {
         List<Destroyable> originalDestroyableComponents = destroyableComponents;
 
         restAuthDomains = Collections.unmodifiableSortedSet(restAuthDomains0);
-        transportAuthDomains = Collections.unmodifiableSortedSet(transportAuthDomains0);
         restAuthorizers = Collections.unmodifiableSet(restAuthorizers0);
-        transportAuthorizers = Collections.unmodifiableSet(transportAuthorizers0);
 
         destroyableComponents = Collections.unmodifiableList(destroyableComponents0);
 
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java b/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
index 0c95e56bd1..c5b954675b 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
@@ -38,9 +38,12 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
 
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
+import org.opensearch.security.setting.DeprecatedSettings;
 
 public class ConfigV6 {
 
@@ -224,8 +227,6 @@ public static class AuthcDomain {
         @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean http_enabled = true;
         @JsonInclude(JsonInclude.Include.NON_NULL)
-        public boolean transport_enabled = true;
-        @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean enabled = true;
         public int order = 0;
         public HttpAuthenticator http_authenticator = new HttpAuthenticator();
@@ -235,8 +236,6 @@ public static class AuthcDomain {
         public String toString() {
             return "AuthcDomain [http_enabled="
                 + http_enabled
-                + ", transport_enabled="
-                + transport_enabled
                 + ", enabled="
                 + enabled
                 + ", order="
@@ -248,6 +247,31 @@ public String toString() {
                 + "]";
         }
 
+        @JsonAnySetter
+        public void unknownPropertiesHandler(String name, Object value) throws JsonMappingException {
+            switch (name) {
+                case "transport_enabled":
+                    DeprecatedSettings.logCustomDeprecationMessage(
+                        String.format(
+                            "In AuthcDomain, using http_authenticator=%s, authentication_backend=%s",
+                            http_authenticator,
+                            authentication_backend
+                        ),
+                        name
+                    );
+                    break;
+                default:
+                    throw new UnrecognizedPropertyException(
+                        null,
+                        "Unrecognized field " + name + " present in the input data for AuthcDomain config",
+                        null,
+                        AuthcDomain.class,
+                        name,
+                        null
+                    );
+            }
+        }
+
     }
 
     public static class HttpAuthenticator {
@@ -337,8 +361,6 @@ public static class AuthzDomain {
         @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean http_enabled = true;
         @JsonInclude(JsonInclude.Include.NON_NULL)
-        public boolean transport_enabled = true;
-        @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean enabled = true;
         public AuthzBackend authorization_backend = new AuthzBackend();
 
@@ -346,8 +368,6 @@ public static class AuthzDomain {
         public String toString() {
             return "AuthzDomain [http_enabled="
                 + http_enabled
-                + ", transport_enabled="
-                + transport_enabled
                 + ", enabled="
                 + enabled
                 + ", authorization_backend="
@@ -355,6 +375,27 @@ public String toString() {
                 + "]";
         }
 
+        @JsonAnySetter
+        public void unknownPropertiesHandler(String name, Object value) throws JsonMappingException {
+            switch (name) {
+                case "transport_enabled":
+                    DeprecatedSettings.logCustomDeprecationMessage(
+                        String.format("In AuthzDomain, using authorization_backend=%s", authorization_backend),
+                        name
+                    );
+                    break;
+                default:
+                    throw new UnrecognizedPropertyException(
+                        null,
+                        "Unrecognized field " + name + " present in the input data for AuthzDomain config",
+                        null,
+                        AuthzDomain.class,
+                        name,
+                        null
+                    );
+            }
+        }
+
     }
 
     public static class OnBehalfOfSettings {
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java b/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
index faeb5d2432..4028719379 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
@@ -39,10 +39,13 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
 
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6;
+import org.opensearch.security.setting.DeprecatedSettings;
 
 public class ConfigV7 {
 
@@ -293,7 +296,6 @@ public static class AuthcDomain {
         @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean http_enabled = true;
         @JsonInclude(JsonInclude.Include.NON_NULL)
-        public boolean transport_enabled = true;
         // public boolean enabled= true;
         public int order = 0;
         public HttpAuthenticator http_authenticator = new HttpAuthenticator();
@@ -307,10 +309,8 @@ public AuthcDomain() {
         public AuthcDomain(ConfigV6.AuthcDomain v6) {
             super();
             http_enabled = v6.http_enabled && v6.enabled;
-            transport_enabled = v6.transport_enabled && v6.enabled;
             // if(v6.enabled)vv {
             // http_enabled = true;
-            // transport_enabled = true;
             // }
             order = v6.order;
             http_authenticator = new HttpAuthenticator(v6.http_authenticator);
@@ -322,8 +322,6 @@ public AuthcDomain(ConfigV6.AuthcDomain v6) {
         public String toString() {
             return "AuthcDomain [http_enabled="
                 + http_enabled
-                + ", transport_enabled="
-                + transport_enabled
                 + ", order="
                 + order
                 + ", http_authenticator="
@@ -335,6 +333,31 @@ public String toString() {
                 + "]";
         }
 
+        @JsonAnySetter
+        public void unknownPropertiesHandler(String name, Object value) throws JsonMappingException {
+            switch (name) {
+                case "transport_enabled":
+                    DeprecatedSettings.logCustomDeprecationMessage(
+                        String.format(
+                            "In AuthcDomain, using http_authenticator=%s, authentication_backend=%s",
+                            http_authenticator,
+                            authentication_backend
+                        ),
+                        name
+                    );
+                    break;
+                default:
+                    throw new UnrecognizedPropertyException(
+                        null,
+                        "Unrecognized field " + name + " present in the input data for AuthcDomain config",
+                        null,
+                        AuthcDomain.class,
+                        name,
+                        null
+                    );
+            }
+        }
+
     }
 
     public static class HttpAuthenticator {
@@ -451,8 +474,6 @@ public String toString() {
     public static class AuthzDomain {
         @JsonInclude(JsonInclude.Include.NON_NULL)
         public boolean http_enabled = true;
-        @JsonInclude(JsonInclude.Include.NON_NULL)
-        public boolean transport_enabled = true;
         public AuthzBackend authorization_backend = new AuthzBackend();
         public String description;
 
@@ -462,7 +483,6 @@ public AuthzDomain() {
 
         public AuthzDomain(ConfigV6.AuthzDomain v6) {
             http_enabled = v6.http_enabled && v6.enabled;
-            transport_enabled = v6.transport_enabled && v6.enabled;
             authorization_backend = new AuthzBackend(v6.authorization_backend);
             description = "Migrated from v6";
         }
@@ -471,8 +491,6 @@ public AuthzDomain(ConfigV6.AuthzDomain v6) {
         public String toString() {
             return "AuthzDomain [http_enabled="
                 + http_enabled
-                + ", transport_enabled="
-                + transport_enabled
                 + ", authorization_backend="
                 + authorization_backend
                 + ", description="
@@ -480,6 +498,26 @@ public String toString() {
                 + "]";
         }
 
+        @JsonAnySetter
+        public void unknownPropertiesHandler(String name, Object value) throws JsonMappingException {
+            switch (name) {
+                case "transport_enabled":
+                    DeprecatedSettings.logCustomDeprecationMessage(
+                        String.format("In AuthzDomain, using authorization_backend=%s", authorization_backend),
+                        name
+                    );
+                    break;
+                default:
+                    throw new UnrecognizedPropertyException(
+                        null,
+                        "Unrecognized field " + name + " present in the input data for AuthzDomain config",
+                        null,
+                        AuthzDomain.class,
+                        name,
+                        null
+                    );
+            }
+        }
     }
 
     public static class OnBehalfOfSettings {
diff --git a/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java b/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java
index b415dc7c7f..91eb96abdd 100644
--- a/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java
+++ b/src/main/java/org/opensearch/security/setting/DeprecatedSettings.java
@@ -5,6 +5,7 @@
 
 package org.opensearch.security.setting;
 
+import org.opensearch.Version;
 import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.settings.Settings;
 
@@ -28,4 +29,18 @@ public static void checkForDeprecatedSetting(final Settings settings, final Stri
             );
         }
     }
+
+    /**
+     * Logs that a specific setting is deprecated, including a specific supplemental message parameter containing information that details where this setting can be removed from. Should be used in cases where a setting is not supported by the codebase and processing it would introduce errors on setup.
+     */
+    public static void logCustomDeprecationMessage(final String deprecationLocationInformation, final String deprecatedSettingKey) {
+        DEPRECATION_LOGGER.deprecate(
+            deprecatedSettingKey,
+            "In OpenSearch "
+                + Version.CURRENT
+                + " the setting '{}' is deprecated, it should be removed from the relevant config file using the following location information: "
+                + deprecationLocationInformation,
+            deprecatedSettingKey
+        );
+    }
 }
diff --git a/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java b/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java
index a0f9558228..3fa8e45816 100644
--- a/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java
+++ b/src/test/java/org/opensearch/security/setting/DeprecatedSettingsTest.java
@@ -5,17 +5,22 @@
 
 package org.opensearch.security.setting;
 
+import com.fasterxml.jackson.databind.JsonMappingException;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import org.opensearch.Version;
 import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.support.ConfigHelper;
 
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
 import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -61,4 +66,96 @@ public void testCheckForDeprecatedSettingFoundLegacy() {
 
         verify(logger).deprecate(eq("legacyKey"), anyString(), any(), any());
     }
+
+    @Test
+    public void testForTransportEnabledDeprecationMessageOnYamlLoad() throws Exception {
+        ConfigHelper.fromYamlString(
+            "---\n"
+                + "_meta:\n"
+                + "  type: \"config\"\n"
+                + "  config_version: 2\n"
+                + "config:\n"
+                + "  dynamic:\n"
+                + "    authc:\n"
+                + "      authentication_domain_kerb:\n"
+                + "        http_enabled: false\n"
+                + "        transport_enabled: false\n"
+                + "        order: 3\n"
+                + "        http_authenticator:\n"
+                + "          challenge: true\n"
+                + "          type: \"kerberos\"\n"
+                + "          config: {}\n"
+                + "        authentication_backend:\n"
+                + "          type: \"noop\"\n"
+                + "          config: {}\n"
+                + "        description: \"Migrated from v6\"\n"
+                + "    authz:\n"
+                + "      roles_from_xxx:\n"
+                + "        http_enabled: false\n"
+                + "        transport_enabled: false\n"
+                + "        authorization_backend:\n"
+                + "          type: \"xxx\"\n"
+                + "          config: {}\n"
+                + "        description: \"Migrated from v6\"",
+            CType.CONFIG,
+            DEFAULT_CONFIG_VERSION,
+            0,
+            0
+        );
+        verify(logger).deprecate(
+            "transport_enabled",
+            "In OpenSearch "
+                + Version.CURRENT
+                + " the setting '{}' is deprecated, it should be removed from the relevant config file using the following location information: In AuthcDomain, using http_authenticator=HttpAuthenticator [challenge=true, type=null, config={}], authentication_backend=AuthcBackend [type=org.opensearch.security.auth.internal.InternalAuthenticationBackend, config={}]",
+            "transport_enabled"
+        );
+        verify(logger).deprecate(
+            "transport_enabled",
+            "In OpenSearch "
+                + Version.CURRENT
+                + " the setting '{}' is deprecated, it should be removed from the relevant config file using the following location information: In AuthzDomain, using authorization_backend=AuthzBackend [type=noop, config={}]",
+            "transport_enabled"
+        );
+    }
+
+    @Test
+    public void testForExceptionOnUnknownAuthcAuthzSettingsOnYamlLoad() throws Exception {
+        try {
+            ConfigHelper.fromYamlString(
+                "---\n"
+                    + "_meta:\n"
+                    + "  type: \"config\"\n"
+                    + "  config_version: 2\n"
+                    + "config:\n"
+                    + "  dynamic:\n"
+                    + "    authc:\n"
+                    + "      authentication_domain_kerb:\n"
+                    + "        http_enabled: false\n"
+                    + "        unknown_property: false\n"
+                    + "        order: 3\n"
+                    + "        http_authenticator:\n"
+                    + "          challenge: true\n"
+                    + "          type: \"kerberos\"\n"
+                    + "          config: {}\n"
+                    + "        authentication_backend:\n"
+                    + "          type: \"noop\"\n"
+                    + "          config: {}\n"
+                    + "        description: \"Migrated from v6\"\n"
+                    + "    authz:\n"
+                    + "      roles_from_xxx:\n"
+                    + "        http_enabled: false\n"
+                    + "        unknown_property: false\n"
+                    + "        authorization_backend:\n"
+                    + "          type: \"xxx\"\n"
+                    + "          config: {}\n"
+                    + "        description: \"Migrated from v6\"",
+                CType.CONFIG,
+                DEFAULT_CONFIG_VERSION,
+                0,
+                0
+            );
+        } catch (JsonMappingException e) {
+            verifyNoInteractions(logger);
+        }
+    }
 }
diff --git a/src/test/resources/restapi/invalid_config.json b/src/test/resources/restapi/invalid_config.json
index 7bbbf2201f..1d43e1edab 100644
--- a/src/test/resources/restapi/invalid_config.json
+++ b/src/test/resources/restapi/invalid_config.json
@@ -23,7 +23,6 @@
     "authc":{
       "authentication_domain_kerb":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":3,
         "http_authenticator":{
           "challenge":true,
@@ -42,7 +41,6 @@
       },
       "authentication_domain_clientcert":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":1,
         "http_authenticator":{
           "challenge":true,
@@ -61,7 +59,6 @@
       },
       "authentication_domain_proxy":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":2,
         "http_authenticator":{
           "challenge":true,
@@ -81,7 +78,6 @@
       },
       "authentication_domain_basic_internal":{
         "http_enabled":true,
-        "transport_enabled":true,
         "order":0,
         "http_authenticator":{
           "challenge":true,
@@ -102,7 +98,6 @@
     "authz":{
       "roles_from_xxx":{
         "http_enabled":false,
-        "transport_enabled":false,
         "authorization_backend":{
           "type":"xxx",
           "config":{
@@ -113,7 +108,6 @@
       },
       "roles_from_myldap":{
         "http_enabled":false,
-        "transport_enabled":false,
         "authorization_backend":{
           "type":"ldap",
           "config":{
diff --git a/src/test/resources/restapi/security_config.json b/src/test/resources/restapi/security_config.json
index e5c09050cc..30b8611e5a 100644
--- a/src/test/resources/restapi/security_config.json
+++ b/src/test/resources/restapi/security_config.json
@@ -23,7 +23,6 @@
           "authc":{
              "authentication_domain_kerb":{
                 "http_enabled":false,
-                "transport_enabled":false,
                 "order":3,
                 "http_authenticator":{
                    "challenge":true,
@@ -42,7 +41,6 @@
              },
              "authentication_domain_clientcert":{
                 "http_enabled":false,
-                "transport_enabled":false,
                 "order":1,
                 "http_authenticator":{
                    "challenge":true,
@@ -61,7 +59,6 @@
              },
              "authentication_domain_proxy":{
                 "http_enabled":false,
-                "transport_enabled":false,
                 "order":2,
                 "http_authenticator":{
                    "challenge":true,
@@ -81,7 +78,6 @@
              },
              "authentication_domain_basic_internal":{
                 "http_enabled":true,
-                "transport_enabled":true,
                 "order":0,
                 "http_authenticator":{
                    "challenge":true,
@@ -102,7 +98,6 @@
           "authz":{
              "roles_from_xxx":{
                 "http_enabled":false,
-                "transport_enabled":false,
                 "authorization_backend":{
                    "type":"xxx",
                    "config":{
@@ -113,7 +108,6 @@
              },
              "roles_from_myldap":{
                 "http_enabled":false,
-                "transport_enabled":false,
                 "authorization_backend":{
                    "type":"ldap",
                    "config":{
diff --git a/src/test/resources/restapi/securityconfig.json b/src/test/resources/restapi/securityconfig.json
index 4e4b1bba63..a577cb2a30 100644
--- a/src/test/resources/restapi/securityconfig.json
+++ b/src/test/resources/restapi/securityconfig.json
@@ -23,7 +23,6 @@
     "authc":{
       "authentication_domain_saml": {
         "http_enabled" : true,
-        "transport_enabled" : false,
         "order" : 5,
         "http_authenticator" : {
           "challenge" : true,
@@ -44,7 +43,6 @@
       },
       "authentication_domain_kerb":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":3,
         "http_authenticator":{
           "challenge":true,
@@ -63,7 +61,6 @@
       },
       "authentication_domain_clientcert":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":1,
         "http_authenticator":{
           "challenge":true,
@@ -82,7 +79,6 @@
       },
       "authentication_domain_proxy":{
         "http_enabled":false,
-        "transport_enabled":false,
         "order":2,
         "http_authenticator":{
           "challenge":true,
@@ -102,7 +98,6 @@
       },
       "authentication_domain_basic_internal":{
         "http_enabled":true,
-        "transport_enabled":true,
         "order":0,
         "http_authenticator":{
           "challenge":true,
@@ -123,7 +118,6 @@
     "authz":{
       "roles_from_xxx":{
         "http_enabled":false,
-        "transport_enabled":false,
         "authorization_backend":{
           "type":"xxx",
           "config":{
@@ -134,7 +128,6 @@
       },
       "roles_from_myldap":{
         "http_enabled":false,
-        "transport_enabled":false,
         "authorization_backend":{
           "type":"ldap",
           "config":{
diff --git a/src/test/resources/restapi/securityconfig_nondefault.json b/src/test/resources/restapi/securityconfig_nondefault.json
index a5660c6496..2482e99674 100644
--- a/src/test/resources/restapi/securityconfig_nondefault.json
+++ b/src/test/resources/restapi/securityconfig_nondefault.json
@@ -22,7 +22,6 @@
     "authc" : {
       "jwt_auth_domain" : {
         "http_enabled" : true,
-        "transport_enabled" : true,
         "order" : 0,
         "http_authenticator" : {
           "challenge" : false,
@@ -40,7 +39,6 @@
       },
       "ldap" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "order" : 5,
         "http_authenticator" : {
           "challenge" : false,
@@ -65,7 +63,6 @@
       },
       "basic_internal_auth_domain" : {
         "http_enabled" : true,
-        "transport_enabled" : true,
         "order" : 4,
         "http_authenticator" : {
           "challenge" : true,
@@ -80,7 +77,6 @@
       },
       "proxy_auth_domain" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "order" : 3,
         "http_authenticator" : {
           "challenge" : false,
@@ -98,7 +94,6 @@
       },
       "clientcert_auth_domain" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "order" : 2,
         "http_authenticator" : {
           "challenge" : false,
@@ -115,7 +110,6 @@
       },
       "kerberos_auth_domain" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "order" : 6,
         "http_authenticator" : {
           "challenge" : true,
@@ -134,7 +128,6 @@
     "authz" : {
       "roles_from_another_ldap" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "authorization_backend" : {
           "type" : "ldap",
           "config" : { }
@@ -143,7 +136,6 @@
       },
       "roles_from_myldap" : {
         "http_enabled" : false,
-        "transport_enabled" : false,
         "authorization_backend" : {
           "type" : "ldap",
           "config" : {

From 31242741c0daff2857fc0ee0b82f08bd515ce196 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Jan 2024 08:20:35 -0500
Subject: [PATCH 031/143] Bump com.fasterxml.woodstox:woodstox-core from 6.5.1
 to 6.6.0 (#3967)

Bumps
[com.fasterxml.woodstox:woodstox-core](https://github.com/FasterXML/woodstox)
from 6.5.1 to 6.6.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/FasterXML/woodstox/commit/dd590bbabe1060c3837559d1d5d237b0c60c2e29"><code>dd590bb</code></a>
[maven-release-plugin] prepare release woodstox-core-6.6.0</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/c3ffe8825eaa8e019bb03c7ba00ceb0a50c3f9a3"><code>c3ffe88</code></a>
...</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/57d0c4b2d2c0958847fd8025ad67d97f653a1d2d"><code>57d0c4b</code></a>
Update branch to 6.6.1-SNAPSHOT</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/6ba21f85ba9151f171cb5adc395c7790c2e10eb6"><code>6ba21f8</code></a>
Re-sync version to branch 6.6</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/8daa6694010643e75eb8229eb534bea4964c8728"><code>8daa669</code></a>
Update Maven version for Maven wrapper</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/acad270020f9709a0bc3a3f5f2658e2a1dd9bf3f"><code>acad270</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/36f48bfa59e00915e691a47b7018aaacbfef5c1d"><code>36f48bf</code></a>
[maven-release-plugin] prepare release woodstox-core-6.6.0</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/8bad94c1edec42db01d931187fcde68fd0ecadeb"><code>8bad94c</code></a>
Prepare for 6.6.0 release</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/172371fd6b54ff40ec0f5b987540d3bae268274b"><code>172371f</code></a>
Add support to optionally allow surrogate pair entities (<a
href="https://redirect.github.com/FasterXML/woodstox/issues/165">#165</a>)
(<a
href="https://redirect.github.com/FasterXML/woodstox/issues/174">#174</a>)</li>
<li><a
href="https://github.com/FasterXML/woodstox/commit/37232fc33856db81448ae5b3e113056472f4217b"><code>37232fc</code></a>
Test renaming (newer naming convention)</li>
<li>Additional commits viewable in <a
href="https://github.com/FasterXML/woodstox/compare/woodstox-core-6.5.1...woodstox-core-6.6.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.fasterxml.woodstox:woodstox-core&package-manager=gradle&previous-version=6.5.1&new-version=6.6.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index ea810c1e17..6c14a25084 100644
--- a/build.gradle
+++ b/build.gradle
@@ -649,7 +649,7 @@ dependencies {
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.2'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
-    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1'
+    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.6.0'
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"

From 843071be10a9e41b86d76636f5fc948f3ffa5a4b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Jan 2024 08:20:59 -0500
Subject: [PATCH 032/143] Bump io.dropwizard.metrics:metrics-core from 4.2.23
 to 4.2.24 (#3968)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[io.dropwizard.metrics:metrics-core](https://github.com/dropwizard/metrics)
from 4.2.23 to 4.2.24.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dropwizard/metrics/releases">io.dropwizard.metrics:metrics-core's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.24</h2>
<h2>What's Changed</h2>
<ul>
<li>Update dependency org.apache.httpcomponents.client5:httpclient5 to
v5.3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3804">dropwizard/metrics#3804</a></li>
<li>Update actions/stale action to v9 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3807">dropwizard/metrics#3807</a></li>
<li>Update github/codeql-action digest to c0d1daa (release/4.2.x) -
autoclosed by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3806">dropwizard/metrics#3806</a></li>
<li>Update dependency org.glassfish.jersey:jersey-bom to v3.1.5
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3818">dropwizard/metrics#3818</a></li>
<li>Update github/codeql-action digest to 305f654 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3817">dropwizard/metrics#3817</a></li>
<li>Use shared Renovate configuration by <a
href="https://github.com/joschi"><code>@​joschi</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3823">dropwizard/metrics#3823</a></li>
<li>Update dependency org.apache.maven.plugins:maven-surefire-plugin to
v3.2.3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3824">dropwizard/metrics#3824</a></li>
<li>Update github/codeql-action action to v3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3827">dropwizard/metrics#3827</a></li>
<li>Remove dependency on Hamcrest by <a
href="https://github.com/joschi"><code>@​joschi</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3851">dropwizard/metrics#3851</a></li>
<li>Update dependency org.checkerframework:checker-qual to v3.42.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3853">dropwizard/metrics#3853</a></li>
<li>Update dependency org.apache.maven.plugins:maven-compiler-plugin to
v3.12.0 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3856">dropwizard/metrics#3856</a></li>
<li>Update dependency org.eclipse.jetty:jetty-bom to v11.0.19
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3859">dropwizard/metrics#3859</a></li>
<li>Update dependency org.eclipse.jetty:jetty-bom to v10.0.19
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3858">dropwizard/metrics#3858</a></li>
<li>Update jetty12.version to v12.0.5 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3860">dropwizard/metrics#3860</a></li>
<li>Update dependency net.bytebuddy:byte-buddy to v1.14.11
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3864">dropwizard/metrics#3864</a></li>
<li>Update dependency org.apache.maven.plugins:maven-compiler-plugin to
v3.12.1 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3873">dropwizard/metrics#3873</a></li>
<li>Update dependency com.google.errorprone:error_prone_core to v2.24.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3868">dropwizard/metrics#3868</a></li>
<li>Update github/codeql-action digest to 012739e (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3867">dropwizard/metrics#3867</a></li>
<li>Update log4j2 monorepo to v2.22.1 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3878">dropwizard/metrics#3878</a></li>
<li>Update slf4j.version to v2.0.10 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3880">dropwizard/metrics#3880</a></li>
<li>Update dependency org.assertj:assertj-core to v3.25.0
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3882">dropwizard/metrics#3882</a></li>
<li>Update dependency org.assertj:assertj-core to v3.25.1
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3884">dropwizard/metrics#3884</a></li>
<li>Update dependency org.jdbi:jdbi3-core to v3.43.0 (release/4.2.x) by
<a href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3886">dropwizard/metrics#3886</a></li>
<li>Update dependency com.google.errorprone:error_prone_core to v2.24.1
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3888">dropwizard/metrics#3888</a></li>
<li>Update github/codeql-action digest to e5f05b8 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3890">dropwizard/metrics#3890</a></li>
<li>Update slf4j.version to v2.0.11 (release/4.2.x) (patch) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3892">dropwizard/metrics#3892</a></li>
<li>Update dependency org.apache.maven.plugins:maven-surefire-plugin to
v3.2.5 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3894">dropwizard/metrics#3894</a></li>
<li>Update actions/cache action to v3.3.3 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3898">dropwizard/metrics#3898</a></li>
<li>Update dependency org.mockito:mockito-core to v5.9.0 (release/4.2.x)
by <a href="https://github.com/renovate"><code>@​renovate</code></a> in
<a
href="https://redirect.github.com/dropwizard/metrics/pull/3902">dropwizard/metrics#3902</a></li>
<li>Update dependency org.cyclonedx:cyclonedx-maven-plugin to v2.7.11
(release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3904">dropwizard/metrics#3904</a></li>
<li>Update actions/cache action to v4 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3908">dropwizard/metrics#3908</a></li>
<li>Update github/codeql-action digest to 0b21cf2 (release/4.2.x) by <a
href="https://github.com/renovate"><code>@​renovate</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3907">dropwizard/metrics#3907</a></li>
<li>Fix IndexOutOfBoundsException in Jetty 9, 10, 11, 12
InstrumentedHandler by <a
href="https://github.com/joschi"><code>@​joschi</code></a> in <a
href="https://redirect.github.com/dropwizard/metrics/pull/3912">dropwizard/metrics#3912</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/dropwizard/metrics/compare/v4.2.23...v4.2.24">https://github.com/dropwizard/metrics/compare/v4.2.23...v4.2.24</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/dropwizard/metrics/commit/eab9d99167f4a03a944e83b7bc8b3e56887de34a"><code>eab9d99</code></a>
[maven-release-plugin] prepare release v4.2.24</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/7a7f124dc16d1d91ae26f29f305a19cf2f466daa"><code>7a7f124</code></a>
Fix IndexOutOfBoundsException in Jetty 9, 10, 11, 12 InstrumentedHandler
(<a
href="https://redirect.github.com/dropwizard/metrics/issues/3912">#3912</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/a9647799b71b1ba240736d08b09233727099adac"><code>a964779</code></a>
Update github/codeql-action digest to 0b21cf2 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3907">#3907</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/3d2d6503a20da21a20765001f758d888d55b187d"><code>3d2d650</code></a>
Update actions/cache action to v4 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3908">#3908</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/5819379734b19d12a65bdf358680c52dc4194933"><code>5819379</code></a>
Update dependency org.cyclonedx:cyclonedx-maven-plugin to v2.7.11</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/4ad325ea3b93b55dab5131756a3b5e8b443302dd"><code>4ad325e</code></a>
Update dependency org.mockito:mockito-core to v5.9.0 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3902">#3902</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/8d85504f5fd6e963e31fae72d74828c76927c448"><code>8d85504</code></a>
Update actions/cache action to v3.3.3</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/b47611a048d1fa88813f0db4ac241005c65de2d8"><code>b47611a</code></a>
Update dependency org.apache.maven.plugins:maven-surefire-plugin to
v3.2.5</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/c65101987ceb5b16f960a1004b614c69cb59f865"><code>c651019</code></a>
Update slf4j.version to v2.0.11</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/eec8f6c06200914653640934d52c23cd5be3e577"><code>eec8f6c</code></a>
Update github/codeql-action digest to e5f05b8 (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3890">#3890</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/dropwizard/metrics/compare/v4.2.23...v4.2.24">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=io.dropwizard.metrics:metrics-core&package-manager=gradle&previous-version=4.2.23&new-version=4.2.24)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6c14a25084..67b9b60a9c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -643,7 +643,7 @@ dependencies {
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
-    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.23'
+    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.24'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'

From 35229fbe5c570918f6a6f92f25621b88a611277e Mon Sep 17 00:00:00 2001
From: Xun Zhang <xunzh@amazon.com>
Date: Tue, 23 Jan 2024 07:09:39 -0800
Subject: [PATCH 033/143] Adds new ml-commons system indices to the list
 (#3973)

### Description
Adds renamed ml-commons systems indices to the list of existing system
indices. This change is required so that security plugin correctly
recognizes the new indices as system indices.

* Category - Maintenance

Signed-off-by: Xun Zhang <xunzh@amazon.com>
---
 .../security/tools/democonfig/SecuritySettingsConfigurer.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index 9c51fbe1d4..a68c93f03f 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -55,6 +55,8 @@ public class SecuritySettingsConfigurer {
         ".plugins-ml-task",
         ".plugins-ml-conversation-meta",
         ".plugins-ml-conversation-interactions",
+        ".plugins-ml-memory-meta",
+        ".plugins-ml-memory-message",
         ".opendistro-alerting-config",
         ".opendistro-alerting-alert*",
         ".opendistro-anomaly-results*",

From dadd03fcd7a856df895bb2299761fc7783dfe62b Mon Sep 17 00:00:00 2001
From: "Daniel (dB.) Doubrovkine" <dblock@amazon.com>
Date: Tue, 23 Jan 2024 12:00:30 -0500
Subject: [PATCH 034/143] Fix: remove unnecessary trailing slashes in APIs.
 (#3976)

### Description

Coming from
https://github.com/opensearch-project/opensearch-api-specification/pull/179
which flags a couple of false positives because of mismatched trailing
slash.

### Check List
- [x] New functionality includes testing
- [x] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: dblock <dblock@amazon.com>
---
 .../security/dlic/rest/api/ActionGroupsApiAction.java       | 6 +++---
 .../opensearch/security/dlic/rest/api/AuditApiAction.java   | 4 ++--
 .../security/dlic/rest/api/InternalUsersApiAction.java      | 6 +++---
 .../opensearch/security/dlic/rest/api/NodesDnApiAction.java | 4 ++--
 .../opensearch/security/dlic/rest/api/RolesApiAction.java   | 4 ++--
 .../security/dlic/rest/api/RolesMappingApiAction.java       | 4 ++--
 .../security/dlic/rest/api/SecuritySSLCertsApiAction.java   | 2 +-
 .../opensearch/security/dlic/rest/api/TenantsApiAction.java | 4 ++--
 8 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java
index 172d4a537b..3032054e64 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiAction.java
@@ -46,16 +46,16 @@ public class ActionGroupsApiAction extends AbstractApiAction {
             // legacy mapping for backwards compatibility
             // TODO: remove in next version
             new Route(Method.GET, "/actiongroup/{name}"),
-            new Route(Method.GET, "/actiongroup/"),
+            new Route(Method.GET, "/actiongroup"),
             new Route(Method.DELETE, "/actiongroup/{name}"),
             new Route(Method.PUT, "/actiongroup/{name}"),
 
             // corrected mapping, introduced in OpenSearch Security
             new Route(Method.GET, "/actiongroups/{name}"),
-            new Route(Method.GET, "/actiongroups/"),
+            new Route(Method.GET, "/actiongroups"),
             new Route(Method.DELETE, "/actiongroups/{name}"),
             new Route(Method.PUT, "/actiongroups/{name}"),
-            new Route(Method.PATCH, "/actiongroups/"),
+            new Route(Method.PATCH, "/actiongroups"),
             new Route(Method.PATCH, "/actiongroups/{name}")
 
         )
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java
index 47bc1f184e..997bd85bdd 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java
@@ -123,9 +123,9 @@
 public class AuditApiAction extends AbstractApiAction {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
-            new Route(RestRequest.Method.GET, "/audit/"),
+            new Route(RestRequest.Method.GET, "/audit"),
             new Route(RestRequest.Method.PUT, "/audit/config"),
-            new Route(RestRequest.Method.PATCH, "/audit/")
+            new Route(RestRequest.Method.PATCH, "/audit")
         )
     );
 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
index 70994504bf..3cbcc18bd9 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
@@ -64,18 +64,18 @@ protected void consumeParameters(final RestRequest request) {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
             new Route(Method.GET, "/user/{name}"),
-            new Route(Method.GET, "/user/"),
+            new Route(Method.GET, "/user"),
             new Route(Method.POST, "/user/{name}/authtoken"),
             new Route(Method.DELETE, "/user/{name}"),
             new Route(Method.PUT, "/user/{name}"),
 
             // corrected mapping, introduced in OpenSearch Security
             new Route(Method.GET, "/internalusers/{name}"),
-            new Route(Method.GET, "/internalusers/"),
+            new Route(Method.GET, "/internalusers"),
             new Route(Method.POST, "/internalusers/{name}/authtoken"),
             new Route(Method.DELETE, "/internalusers/{name}"),
             new Route(Method.PUT, "/internalusers/{name}"),
-            new Route(Method.PATCH, "/internalusers/"),
+            new Route(Method.PATCH, "/internalusers"),
             new Route(Method.PATCH, "/internalusers/{name}")
         )
     );
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
index 05c533b1d9..ff44867bd2 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
@@ -62,10 +62,10 @@ public class NodesDnApiAction extends AbstractApiAction {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
             new Route(Method.GET, "/nodesdn/{name}"),
-            new Route(Method.GET, "/nodesdn/"),
+            new Route(Method.GET, "/nodesdn"),
             new Route(Method.DELETE, "/nodesdn/{name}"),
             new Route(Method.PUT, "/nodesdn/{name}"),
-            new Route(Method.PATCH, "/nodesdn/"),
+            new Route(Method.PATCH, "/nodesdn"),
             new Route(Method.PATCH, "/nodesdn/{name}")
         )
     );
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
index 9af04d17ec..50fac9b80c 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
@@ -45,11 +45,11 @@ public class RolesApiAction extends AbstractApiAction {
 
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
-            new Route(Method.GET, "/roles/"),
+            new Route(Method.GET, "/roles"),
             new Route(Method.GET, "/roles/{name}"),
             new Route(Method.DELETE, "/roles/{name}"),
             new Route(Method.PUT, "/roles/{name}"),
-            new Route(Method.PATCH, "/roles/"),
+            new Route(Method.PATCH, "/roles"),
             new Route(Method.PATCH, "/roles/{name}")
         )
     );
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
index 230ce0e1a1..b980a1e4ba 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
@@ -38,11 +38,11 @@ public class RolesMappingApiAction extends AbstractApiAction {
 
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
-            new Route(Method.GET, "/rolesmapping/"),
+            new Route(Method.GET, "/rolesmapping"),
             new Route(Method.GET, "/rolesmapping/{name}"),
             new Route(Method.DELETE, "/rolesmapping/{name}"),
             new Route(Method.PUT, "/rolesmapping/{name}"),
-            new Route(Method.PATCH, "/rolesmapping/"),
+            new Route(Method.PATCH, "/rolesmapping"),
             new Route(Method.PATCH, "/rolesmapping/{name}")
         )
     );
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
index 48e1c9b704..e60070288e 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecuritySSLCertsApiAction.java
@@ -50,7 +50,7 @@
  */
 public class SecuritySSLCertsApiAction extends AbstractApiAction {
     private static final List<Route> ROUTES = addRoutesPrefix(
-        ImmutableList.of(new Route(Method.GET, "/ssl/certs"), new Route(Method.PUT, "/ssl/{certType}/reloadcerts/"))
+        ImmutableList.of(new Route(Method.GET, "/ssl/certs"), new Route(Method.PUT, "/ssl/{certType}/reloadcerts"))
     );
 
     private final SecurityKeyStore securityKeyStore;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java
index 28fd6dcdcb..e16d31ba6f 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/TenantsApiAction.java
@@ -50,10 +50,10 @@ public class TenantsApiAction extends AbstractApiAction {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(
             new Route(Method.GET, "/tenants/{name}"),
-            new Route(Method.GET, "/tenants/"),
+            new Route(Method.GET, "/tenants"),
             new Route(Method.DELETE, "/tenants/{name}"),
             new Route(Method.PUT, "/tenants/{name}"),
-            new Route(Method.PATCH, "/tenants/"),
+            new Route(Method.PATCH, "/tenants"),
             new Route(Method.PATCH, "/tenants/{name}")
         )
     );

From d44113808659ddc8e57f8fd3f67ba343cc4f462f Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Fri, 26 Jan 2024 11:43:35 -0500
Subject: [PATCH 035/143] Bump spotless (6.24.0 -> 6.25.0) to bump eclipse
 resources (3.18 -> 3.19)  (#3992)

### Description
This PR bumps spotless to bump the transient dependency on
org.eclipse.platform:org.eclipse.core.resources@3.18.100 ->
org.eclipse.platform:org.eclipse.core.resources@3.19.100. In turn this
should stop scanners from reporting the project as vulnerable to:
https://nvd.nist.gov/vuln/detail/CVE-2023-4218.

I was not able to easily move just the Eclipse dependency because it
seems that the package causing the flagging
org.eclipse.platform:org.eclipse.core.resources@3.18.100 does not have a
straight path forward to the recommended versions listed on the CVE.
However,
https://security.snyk.io/package/maven/org.eclipse.platform:org.eclipse.core.resources/3.19.100
reports that this version should remove the issue while
https://security.snyk.io/package/maven/org.eclipse.platform:org.eclipse.core.resources/3.18.100
will cause the flag.

One note: We should not actually be concerned about this issue as it is
related to Eclipse IDE behavior and nothing to do with the type of
dependency on the Eclipse packages like we have.

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 67b9b60a9c..db7af24910 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,7 +62,7 @@ plugins {
     id 'idea'
     id 'jacoco'
     id 'maven-publish'
-    id 'com.diffplug.spotless' version '6.24.0'
+    id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.6.0"
     id "org.gradle.test-retry" version "1.5.8"

From af7c7e4c6fe64b9719dad09acf2eec907afb31cc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Jan 2024 14:32:56 +0100
Subject: [PATCH 036/143] Bump io.dropwizard.metrics:metrics-core from 4.2.24
 to 4.2.25 (#3996)

Bumps
[io.dropwizard.metrics:metrics-core](https://github.com/dropwizard/metrics)
from 4.2.24 to 4.2.25.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/dropwizard/metrics/commit/7c2ffc504d94639bc585de2e86017d632c4f9f3f"><code>7c2ffc5</code></a>
[maven-release-plugin] prepare release v4.2.25</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/b116e89eae610808de21114f9dad8a60b42cbfc9"><code>b116e89</code></a>
Jakarta HealthCheckServlet object mapper and status indicator (<a
href="https://redirect.github.com/dropwizard/metrics/issues/3924">#3924</a>)</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/5255717cd23a0593c2040e45070f250f460b070d"><code>5255717</code></a>
Update dependency org.assertj:assertj-core to v3.25.2</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/0aada3fc03b8a5f91ce87d10234c444c1c2a804c"><code>0aada3f</code></a>
Update dependency org.apache.httpcomponents.client5:httpclient5 to
v5.3.1</li>
<li><a
href="https://github.com/dropwizard/metrics/commit/29ce821ec9485674f64db566a091cecb34599e9f"><code>29ce821</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/dropwizard/metrics/compare/v4.2.24...v4.2.25">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=io.dropwizard.metrics:metrics-core&package-manager=gradle&previous-version=4.2.24&new-version=4.2.25)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index db7af24910..6659bc8470 100644
--- a/build.gradle
+++ b/build.gradle
@@ -643,7 +643,7 @@ dependencies {
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
-    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.24'
+    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.25'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'

From 4525c958972cbee29e047a8623263c1413c31654 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Jan 2024 14:33:34 +0100
Subject: [PATCH 037/143] Bump jjwt_version from 0.12.3 to 0.12.4 (#3995)

Bumps `jjwt_version` from 0.12.3 to 0.12.4.
Updates `io.jsonwebtoken:jjwt-api` from 0.12.3 to 0.12.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/releases">io.jsonwebtoken:jjwt-api's
releases</a>.</em></p>
<blockquote>
<h2>0.12.4</h2>
<p>This is patch release completes <a
href="https://github.com/jwtk/jjwt/issues?q=milestone%3A0.12.4+is%3Aissue">10
issues</a>, with two especially noteworthy changes, and a number of
other smaller bug fixes and enhancements.</p>
<ol>
<li>The default Jackson deserializer will now reject duplicate JSON
members by default in an attempt to be a little more strict at rejecting
potentially malicious or malformed JSON. This is a default and can be
overridden with a custom <code>ObjectMapper</code> if desired.</li>
<li>Password-based JWE encryption key algorithms
(<code>PBES2_HS256_A128KW</code>, <code>PBES2_HS384_A192KW</code> and
<code>PBES2_HS512_A256KW</code>) now enforce an upper bound (maximum)
number of iterations allowed during decryption to mitigate against
potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen
from Sichuan University and Zhongguancun Lab for their work on
this!</li>
</ol>
<p>A number of other issues fixed: thread-safe
<code>ServiceLoader</code> usage for dynamic JSON processor lookup,
Android enhancements for JSON <code>Reader</code> APIs, fixed Elliptic
Curve field element padding, and more. Please read the <a
href="https://github.com/jwtk/jjwt/blob/0.12.4/CHANGELOG.md">0.12.4
CHANGELOG</a> for full details of all of these changes, and as always,
project documentation is in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.4/README.md">0.12.4
README</a>.</p>
<p>Please allow 30 minutes from the time this announcement is published
for the release to be available in Maven Central.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md">io.jsonwebtoken:jjwt-api's
changelog</a>.</em></p>
<blockquote>
<h3>0.12.4</h3>
<p>This patch release includes various changes listed below.</p>
<h4>Jackson Default Parsing Behavior</h4>
<p>This release makes two behavioral changes to JJWT's default Jackson
<code>ObjectMapper</code> parsing settings:</p>
<ol>
<li>
<p>In the interest of having stronger standards to reject potentially
malformed/malicious/accidental JSON that could
have undesirable effects on an application, JJWT's default
<code>ObjectMapper </code>is now configured to explicitly reject/fail
parsing JSON (JWT headers and/or Claims) if/when that JSON contains
duplicate JSON member names.</p>
<p>For example, now the following JSON, if parsed, would fail (be
rejected) by default:</p>
<pre lang="json"><code>{
  &quot;hello&quot;: &quot;world&quot;,
  &quot;thisWillFail&quot;: 42,
  &quot;thisWillFail&quot;: &quot;test&quot;
}
</code></pre>
<p>Technically, the JWT RFCs <em>do allow</em> duplicate named fields as
long as the last parsed member is the one used
(see <a
href="https://datatracker.ietf.org/doc/html/rfc7515#section-4">JWS RFC
7515, Section 4</a>), so this is allowed.
However, because JWTs often reflect security concepts, it's usually
better to be defensive and reject these
unexpected scenarios by default. The RFC later supports this
position/preference in
<a
href="https://datatracker.ietf.org/doc/html/rfc7515#section-10.12">Section
10.12</a>:</p>
<pre><code>Ambiguous and potentially exploitable situations
could arise if the JSON parser used does not enforce the uniqueness
of member names or returns an unpredictable value for duplicate
member names.
</code></pre>
<p>Finally, this is just a default, and the RFC does indeed allow
duplicate member names if the last value is used,
so applications that require duplicates to be allowed can simply
configure their own <code>ObjectMapper</code> and use
that with JJWT instead of assuming this (new) JJWT default. See
[Issue <a
href="https://redirect.github.com/jwtk/jjwt/issues/877">#877</a>](<a
href="https://redirect.github.com/jwtk/jjwt/issues/877">jwtk/jjwt#877</a>)
for more.</p>
</li>
<li>
<p>If using JJWT's support to use Jackson to parse
<a href="https://github.com/jwtk/jjwt#json-jackson-custom-types">Custom
Claim Types</a> (for example, a Claim that should be
unmarshalled into a POJO), and the JSON for that POJO contained a member
that is not represented in the specified
class, Jackson would fail parsing by default. Because POJOs and JSON
data models can sometimes be out of sync
due to different class versions, the default behavior has been changed
to ignore these unknown JSON members instead
of failing (i.e. the <code>ObjectMapper</code>'s
<code>DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES</code> is now
set to <code>false</code>)
by default.</p>
<p>Again, if you prefer the stricter behavior of rejecting JSON with
extra or unknown properties, you can configure
<code>true</code> on your own <code>ObjectMapper</code> instance and use
that instance with the <code>Jwts.parser()</code> builder.</p>
</li>
</ol>
<h4>Additional Changes</h4>
<p>This release also:</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jwtk/jjwt/commit/bf4168cdceb85435b17d912a2087960ae597d37f"><code>bf4168c</code></a>
[maven-release-plugin] prepare release 0.12.4</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/5c6dec061ff99ef7122a33960ada95e496a37087"><code>5c6dec0</code></a>
- Adding 0.12.4 release version references</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/dd10b12b53b5bb26299c5435aa9d193e71b6b918"><code>dd10b12</code></a>
Added JWK Set documentation to README.mdJwkset doc (<a
href="https://redirect.github.com/jwtk/jjwt/issues/912">#912</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/6335381c978ce83c9c15bd3c349f32d1bed72d4f"><code>6335381</code></a>
PBES2 decryption maximum iterations (<a
href="https://redirect.github.com/jwtk/jjwt/issues/911">#911</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/2884eb79529ec8b56ecdd7c9f7e7fbea5dfc4806"><code>2884eb7</code></a>
- Updating to GitHub latest actions/checkout and actions/setup-java
script ve...</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/628bd6f4e8b885be2f9cfbd8cbf0767ce616003a"><code>628bd6f</code></a>
Secret JWK <code>k</code> values larger than HMAC-SHA minimums (<a
href="https://redirect.github.com/jwtk/jjwt/issues/909">#909</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/b12dabf100bbe8749d9bce49628d70b9f73af729"><code>b12dabf</code></a>
Fix small typos (<a
href="https://redirect.github.com/jwtk/jjwt/issues/908">#908</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/26f5dc3dbbb6070735498e4ea497f174b0a3850f"><code>26f5dc3</code></a>
Updating changelog with more information/clarity for the 0.12.4 release
(<a
href="https://redirect.github.com/jwtk/jjwt/issues/907">#907</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/f61cfa875d1bfd9164c16069ab62bf7b74fcc831"><code>f61cfa8</code></a>
Test case change to reflect accurate assertion for Elliptic Curve 'd'
values ...</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/fd619e0a4229e01cbd3ab1bd0a7a4f6cab21d784"><code>fd619e0</code></a>
disable FAIL_ON_UNKNOWN_PROPERTIES deserialization feature of Jackson by
defa...</li>
<li>Additional commits viewable in <a
href="https://github.com/jwtk/jjwt/compare/0.12.3...0.12.4">compare
view</a></li>
</ul>
</details>
<br />

Updates `io.jsonwebtoken:jjwt-impl` from 0.12.3 to 0.12.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/releases">io.jsonwebtoken:jjwt-impl's
releases</a>.</em></p>
<blockquote>
<h2>0.12.4</h2>
<p>This is patch release completes <a
href="https://github.com/jwtk/jjwt/issues?q=milestone%3A0.12.4+is%3Aissue">10
issues</a>, with two especially noteworthy changes, and a number of
other smaller bug fixes and enhancements.</p>
<ol>
<li>The default Jackson deserializer will now reject duplicate JSON
members by default in an attempt to be a little more strict at rejecting
potentially malicious or malformed JSON. This is a default and can be
overridden with a custom <code>ObjectMapper</code> if desired.</li>
<li>Password-based JWE encryption key algorithms
(<code>PBES2_HS256_A128KW</code>, <code>PBES2_HS384_A192KW</code> and
<code>PBES2_HS512_A256KW</code>) now enforce an upper bound (maximum)
number of iterations allowed during decryption to mitigate against
potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen
from Sichuan University and Zhongguancun Lab for their work on
this!</li>
</ol>
<p>A number of other issues fixed: thread-safe
<code>ServiceLoader</code> usage for dynamic JSON processor lookup,
Android enhancements for JSON <code>Reader</code> APIs, fixed Elliptic
Curve field element padding, and more. Please read the <a
href="https://github.com/jwtk/jjwt/blob/0.12.4/CHANGELOG.md">0.12.4
CHANGELOG</a> for full details of all of these changes, and as always,
project documentation is in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.4/README.md">0.12.4
README</a>.</p>
<p>Please allow 30 minutes from the time this announcement is published
for the release to be available in Maven Central.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md">io.jsonwebtoken:jjwt-impl's
changelog</a>.</em></p>
<blockquote>
<h3>0.12.4</h3>
<p>This patch release includes various changes listed below.</p>
<h4>Jackson Default Parsing Behavior</h4>
<p>This release makes two behavioral changes to JJWT's default Jackson
<code>ObjectMapper</code> parsing settings:</p>
<ol>
<li>
<p>In the interest of having stronger standards to reject potentially
malformed/malicious/accidental JSON that could
have undesirable effects on an application, JJWT's default
<code>ObjectMapper </code>is now configured to explicitly reject/fail
parsing JSON (JWT headers and/or Claims) if/when that JSON contains
duplicate JSON member names.</p>
<p>For example, now the following JSON, if parsed, would fail (be
rejected) by default:</p>
<pre lang="json"><code>{
  &quot;hello&quot;: &quot;world&quot;,
  &quot;thisWillFail&quot;: 42,
  &quot;thisWillFail&quot;: &quot;test&quot;
}
</code></pre>
<p>Technically, the JWT RFCs <em>do allow</em> duplicate named fields as
long as the last parsed member is the one used
(see <a
href="https://datatracker.ietf.org/doc/html/rfc7515#section-4">JWS RFC
7515, Section 4</a>), so this is allowed.
However, because JWTs often reflect security concepts, it's usually
better to be defensive and reject these
unexpected scenarios by default. The RFC later supports this
position/preference in
<a
href="https://datatracker.ietf.org/doc/html/rfc7515#section-10.12">Section
10.12</a>:</p>
<pre><code>Ambiguous and potentially exploitable situations
could arise if the JSON parser used does not enforce the uniqueness
of member names or returns an unpredictable value for duplicate
member names.
</code></pre>
<p>Finally, this is just a default, and the RFC does indeed allow
duplicate member names if the last value is used,
so applications that require duplicates to be allowed can simply
configure their own <code>ObjectMapper</code> and use
that with JJWT instead of assuming this (new) JJWT default. See
[Issue <a
href="https://redirect.github.com/jwtk/jjwt/issues/877">#877</a>](<a
href="https://redirect.github.com/jwtk/jjwt/issues/877">jwtk/jjwt#877</a>)
for more.</p>
</li>
<li>
<p>If using JJWT's support to use Jackson to parse
<a href="https://github.com/jwtk/jjwt#json-jackson-custom-types">Custom
Claim Types</a> (for example, a Claim that should be
unmarshalled into a POJO), and the JSON for that POJO contained a member
that is not represented in the specified
class, Jackson would fail parsing by default. Because POJOs and JSON
data models can sometimes be out of sync
due to different class versions, the default behavior has been changed
to ignore these unknown JSON members instead
of failing (i.e. the <code>ObjectMapper</code>'s
<code>DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES</code> is now
set to <code>false</code>)
by default.</p>
<p>Again, if you prefer the stricter behavior of rejecting JSON with
extra or unknown properties, you can configure
<code>true</code> on your own <code>ObjectMapper</code> instance and use
that instance with the <code>Jwts.parser()</code> builder.</p>
</li>
</ol>
<h4>Additional Changes</h4>
<p>This release also:</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jwtk/jjwt/commit/bf4168cdceb85435b17d912a2087960ae597d37f"><code>bf4168c</code></a>
[maven-release-plugin] prepare release 0.12.4</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/5c6dec061ff99ef7122a33960ada95e496a37087"><code>5c6dec0</code></a>
- Adding 0.12.4 release version references</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/dd10b12b53b5bb26299c5435aa9d193e71b6b918"><code>dd10b12</code></a>
Added JWK Set documentation to README.mdJwkset doc (<a
href="https://redirect.github.com/jwtk/jjwt/issues/912">#912</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/6335381c978ce83c9c15bd3c349f32d1bed72d4f"><code>6335381</code></a>
PBES2 decryption maximum iterations (<a
href="https://redirect.github.com/jwtk/jjwt/issues/911">#911</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/2884eb79529ec8b56ecdd7c9f7e7fbea5dfc4806"><code>2884eb7</code></a>
- Updating to GitHub latest actions/checkout and actions/setup-java
script ve...</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/628bd6f4e8b885be2f9cfbd8cbf0767ce616003a"><code>628bd6f</code></a>
Secret JWK <code>k</code> values larger than HMAC-SHA minimums (<a
href="https://redirect.github.com/jwtk/jjwt/issues/909">#909</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/b12dabf100bbe8749d9bce49628d70b9f73af729"><code>b12dabf</code></a>
Fix small typos (<a
href="https://redirect.github.com/jwtk/jjwt/issues/908">#908</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/26f5dc3dbbb6070735498e4ea497f174b0a3850f"><code>26f5dc3</code></a>
Updating changelog with more information/clarity for the 0.12.4 release
(<a
href="https://redirect.github.com/jwtk/jjwt/issues/907">#907</a>)</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/f61cfa875d1bfd9164c16069ab62bf7b74fcc831"><code>f61cfa8</code></a>
Test case change to reflect accurate assertion for Elliptic Curve 'd'
values ...</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/fd619e0a4229e01cbd3ab1bd0a7a4f6cab21d784"><code>fd619e0</code></a>
disable FAIL_ON_UNKNOWN_PROPERTIES deserialization feature of Jackson by
defa...</li>
<li>Additional commits viewable in <a
href="https://github.com/jwtk/jjwt/compare/0.12.3...0.12.4">compare
view</a></li>
</ul>
</details>
<br />

Updates `io.jsonwebtoken:jjwt-jackson` from 0.12.3 to 0.12.4


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6659bc8470..e0ae931d5a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,7 +29,7 @@ buildscript {
         apache_cxf_version = '4.0.3'
         open_saml_version = '4.3.0'
         one_login_java_saml = '2.9.0'
-        jjwt_version = '0.12.3'
+        jjwt_version = '0.12.4'
         guava_version = '32.1.3-jre'
         jaxb_version = '2.3.9'
         spring_version = '5.3.31'

From 157d137bd85696d55c6c78ba72124656d4cb5d5c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Jan 2024 09:04:22 -0500
Subject: [PATCH 038/143] Bump gradle/gradle-build-action from 2 to 3 (#3994)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[gradle/gradle-build-action](https://github.com/gradle/gradle-build-action)
from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gradle/gradle-build-action/releases">gradle/gradle-build-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0-rc.1</h2>
<p>First release candidate of
<code>gradle/gradle-build-action@v3.0.0</code>.
This release candidate will the first release available under the
<code>v3</code> version tag.</p>
<blockquote>
<p>[!IMPORTANT]
As of <code>v3</code> this action has been superceded by
<code>gradle/actions/setup-gradle</code>.
Any workflow that uses <code>gradle/gradle-build-action@v3</code> will
transparently delegate to
<code>gradle/actions/setup-gradle@v3</code>.</p>
<p>Users are encouraged to update their workflows, replacing:</p>
<pre><code>uses: gradle/gradle-build-action@v3
</code></pre>
<p>with</p>
<pre><code>uses: gradle/actions/setup-gradle@v3
</code></pre>
<p>See the <a
href="https://github.com/gradle/actions/tree/main/setup-gradle">setup-gradle
documentation</a> for up-to-date documentation for
<code>gradle/actons/setup-gradle</code>.</p>
</blockquote>
<h2>Changes from <code>gradle-build-action@v2</code></h2>
<p>This release brings some useful and much requested features,
including:</p>
<ul>
<li>save and restore the Gradle configuration-cache data</li>
<li>add the Job summary content as a PR comment</li>
<li>easily publish Build Scans® to the free <a
href="https://scans.gradle.com">Gradle Build Scan service</a></li>
<li>compatibility with Node 20</li>
</ul>
<p>The only major breaking change from
<code>gradle-build-action@v2.12.0</code> is the update to require a Node
20 runtime environment.
Aside from that change, this release should generally serve as a drop-in
replacement for <code>gradle-build-action@v2</code>.</p>
<h3>Changelog</h3>
<ul>
<li>[NEW] - Run with NodeJs 20.x (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/946">gradle/gradle-build-action#946</a>)</li>
<li>[NEW] - Support for save &amp; restore of configuration-cache data
(<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/966">gradle/gradle-build-action#966</a>)</li>
<li>[NEW] - Support for automatic adding PR comment with Job Summary
content (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1020">gradle/gradle-build-action#1020</a>)</li>
<li>[NEW] - Make it easy to publish a Build Scan® to <a
href="https://scans.gradle.com">https://scans.gradle.com</a> (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1044">gradle/gradle-build-action#1044</a>)</li>
<li>[NEW] - Added <code>dependency-graph-continue-on-failure</code>
input, which can be set to <code>false</code> to force the Job to fail
when dependency graph submission fails (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1036">gradle/gradle-build-action#1036</a>).
Failure modes include:
<ul>
<li>Fail build step if version of Gradle being executed is not supported
for dependency-graph generation (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1034">gradle/gradle-build-action#1034</a>)</li>
<li>Fail job if permissions are insufficient to submit dependency graph
via Dependency Submission API (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/997">gradle/gradle-build-action#997</a>)</li>
</ul>
</li>
<li>[NEW] - Add <code>dependency-graph: clear</code> option to clear any
dependency-graph previously submitted by the job</li>
<li>[FIX] Allow cache entries to be reused by jobs with the same ID in
different workflows (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1017">gradle/gradle-build-action#1017</a>)
<ul>
<li>Workflow name remains part of the cache key, but cache entries
generated by the same job id in a different workflow may be
restored</li>
</ul>
</li>
<li>[FIX] Register pre-installed JDKs in Maven toolchains.xml file (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1024">gradle/gradle-build-action#1024</a>)
<ul>
<li>This allows pre-installed JDKs to be auto-detected by Gradle
Toolchain support on Windows</li>
</ul>
</li>
<li>[FIX] - Update the Gradle Enterprise injection configuration for
product rename to Develocity (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/995">gradle/gradle-build-action#995</a>)</li>
<li>[FIX] - Avoid submitting an empty dependency graph when state is
loaded from configuration-cache</li>
<li>[DEPRECATION] - Deprecation of the arguments parameter (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/996">gradle/gradle-build-action#996</a>)</li>
<li>[BREAKING CHANGE] - Remove the <code>gradle-executable</code> input
parameter. Use a separate workflow Step to execute a Gradle from a
custom location.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/4a8703fa348fe99fdb9d2ac233732f7dccea5437"><code>4a8703f</code></a>
Delegate to 'setup-gradle@v3.0.0-rc.1'</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/4a39eedb8c843f5dbd9abebfd404ae6e947328dc"><code>4a39eed</code></a>
Mention setup-gradle in README</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/272883a7ba6334b53c9c43b570853bc46021955b"><code>272883a</code></a>
Remove all action sources: these have been migrated to
'gradle/actions'</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/2a8bfcf2313611da65fd8cb2d81f50d99cb74ca0"><code>2a8bfcf</code></a>
Delegate action implementation to gradle/actions/setup-gradle</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/e1ada08a9a43fad9770411d5dd099f25ece2569d"><code>e1ada08</code></a>
Bump the github-actions group with 1 update (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1047">#1047</a>)</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/a8e3e5e2b4235aa45b6683dd85088aa7e737de34"><code>a8e3e5e</code></a>
Apply dependency version updates</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/2be01ca1c632ae5a688f391acd726cf89c392794"><code>2be01ca</code></a>
Build outputs</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/a00827eebb1e3036a35b5705ca9fc36a0f0ff33d"><code>a00827e</code></a>
Bump the npm-dependencies group with 7 updates</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/ad80850e980287e8a0b25382843366a43d8694dd"><code>ad80850</code></a>
Bump the github-actions group with 2 updates</li>
<li><a
href="https://github.com/gradle/gradle-build-action/commit/bd6d0a74d4407cffbe7946377ff9dd004fae9570"><code>bd6d0a7</code></a>
Configure explicit java version for config-cache test</li>
<li>Additional commits viewable in <a
href="https://github.com/gradle/gradle-build-action/compare/v2...v3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=gradle/gradle-build-action&package-manager=github_actions&previous-version=2&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml             | 8 ++++----
 .github/workflows/code-hygiene.yml   | 6 +++---
 .github/workflows/plugin_install.yml | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0f64a0408b..acd9b9de27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,7 +54,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Build and Test
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@v3
       with:
         cache-disabled: true
         arguments: |
@@ -112,7 +112,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Build and Test
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@v3
       with:
         cache-disabled: true
         arguments: |
@@ -147,7 +147,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Build and Test
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/gradle-build-action@v3
       with:
         cache-disabled: true
         arguments: |
@@ -165,7 +165,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Build BWC tests
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: |
diff --git a/.github/workflows/code-hygiene.yml b/.github/workflows/code-hygiene.yml
index e6afd8fede..2f8820709a 100644
--- a/.github/workflows/code-hygiene.yml
+++ b/.github/workflows/code-hygiene.yml
@@ -24,7 +24,7 @@ jobs:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 17
 
-      - uses: gradle/gradle-build-action@v2
+      - uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: spotlessCheck
@@ -40,7 +40,7 @@ jobs:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 11
 
-      - uses: gradle/gradle-build-action@v2
+      - uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: checkstyleMain checkstyleTest checkstyleIntegrationTest
@@ -56,7 +56,7 @@ jobs:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 11
 
-      - uses: gradle/gradle-build-action@v2
+      - uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: spotbugsMain
diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml
index c051e2f6a3..b88cfb166f 100644
--- a/.github/workflows/plugin_install.yml
+++ b/.github/workflows/plugin_install.yml
@@ -29,7 +29,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Assemble target plugin
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: assemble
@@ -63,7 +63,7 @@ jobs:
           admin-password: ${{ steps.random-password.outputs.generated_name }}
 
       - name: Run sanity tests
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@v3
         with:
           cache-disabled: true
           arguments: integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=${{ steps.random-password.outputs.generated_name }} -i

From c06365ca94c9a1d15e85b578a1ae48168bf0bca7 Mon Sep 17 00:00:00 2001
From: Prabhas Kurapati <66924475+prabhask5@users.noreply.github.com>
Date: Mon, 29 Jan 2024 06:54:56 -0800
Subject: [PATCH 039/143] [BUG-2556] Add new DLS filtering test (#3908)

Signed-off-by: Prabhas Kurapati <prabhask@berkeley.edu>
---
 .../security/DlsIntegrationTests.java         | 205 +++++++++++++++++-
 1 file changed, 204 insertions(+), 1 deletion(-)

diff --git a/src/integrationTest/java/org/opensearch/security/DlsIntegrationTests.java b/src/integrationTest/java/org/opensearch/security/DlsIntegrationTests.java
index aa7202cddf..3e3ac61502 100644
--- a/src/integrationTest/java/org/opensearch/security/DlsIntegrationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/DlsIntegrationTests.java
@@ -10,12 +10,15 @@
 package org.opensearch.security;
 
 import java.io.IOException;
+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.function.BiFunction;
+import java.util.stream.Collectors;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.commons.lang3.tuple.Pair;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
 import org.junit.Test;
@@ -36,6 +39,7 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
 import static org.opensearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions.Type.ADD;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.client.RequestOptions.DEFAULT;
@@ -57,6 +61,7 @@
 import static org.opensearch.test.framework.matcher.SearchResponseMatchers.isSuccessfulSearchResponse;
 import static org.opensearch.test.framework.matcher.SearchResponseMatchers.numberOfTotalHitsIsEqualTo;
 import static org.opensearch.test.framework.matcher.SearchResponseMatchers.searchHitContainsFieldWithValue;
+import static org.opensearch.test.framework.matcher.SearchResponseMatchers.searchHitsContainDocumentsInAnyOrder;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
@@ -82,6 +87,7 @@ public class DlsIntegrationTests {
     static final String FIRST_INDEX_ALIAS_FILTERED_BY_TWINS_ARTIST = FIRST_INDEX_NAME.concat("-filtered-by-twins-artist");
     static final String FIRST_INDEX_ALIAS_FILTERED_BY_FIRST_ARTIST = FIRST_INDEX_NAME.concat("-filtered-by-first-artist");
     static final String ALL_INDICES_ALIAS = "_all";
+    static final String UNION_TEST_INDEX_NAME = "my_index1";
 
     static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 
@@ -158,6 +164,62 @@ public class DlsIntegrationTests {
                 .on("*")
         );
 
+    /**
+     * Test role 1 for DLS filtering with two (non)overlapping roles. This role imposes a filter where the user can only access documents where the sensitive field is false. This role is applied at a higher level for all index patterns.
+     */
+    static final TestSecurityConfig.Role ROLE_NON_SENSITIVE_ONLY = new TestSecurityConfig.Role("test_role_1").clusterPermissions(
+        "cluster_composite_ops_ro"
+    ).indexPermissions("read").dls("{\"match\":{\"sensitive\":false}}").on("*");
+
+    /**
+     * Test role 2 for DLS filtering with two overlapping roles. This role does not impose any filter, and combined with TEST_ROLE_ONE should yield a union that does not impose any filter. This role is applied at a lower level for index patterns my_index*.
+     */
+    static final TestSecurityConfig.Role ROLE_ALLOW_ALL = new TestSecurityConfig.Role("test_role_2").clusterPermissions(
+        "cluster_composite_ops_ro"
+    ).indexPermissions("read").dls("{\"match_all\": {}}").on("my_index*");
+
+    /**
+     * Test role 3 for DLS filtering with two nonoverlapping roles. This role imposes a filter where the user can only access documents where the genre field is History, and combined with TEST_ROLE_ONE should yield a union that allows the user to access every document except the one with genre Science and sensitive true. This role is applied at a lower level for index patterns my_index*.
+     */
+    static final TestSecurityConfig.Role ROLE_MATCH_HISTORY_GENRE_ONLY = new TestSecurityConfig.Role("test_role_3").clusterPermissions(
+        "cluster_composite_ops_ro"
+    ).indexPermissions("read").dls("{\"match\":{\"genre\":\"History\"}}").on("my_index*");
+
+    /**
+     * User with DLS permission to only be able to access documents with false sensitive property.
+     */
+    static final TestSecurityConfig.User USER_NON_SENSITIVE_ONLY = new TestSecurityConfig.User("test_role_1_user").roles(
+        ROLE_NON_SENSITIVE_ONLY
+    );
+
+    /**
+     * User with DLS permission to access all documents.
+     */
+    static final TestSecurityConfig.User USER_ALLOW_ALL = new TestSecurityConfig.User("test_role_2_user").roles(ROLE_ALLOW_ALL);
+
+    /**
+     * User with DLS permission to access documents with genre property matching History.
+     */
+    static final TestSecurityConfig.User USER_MATCH_HISTORY_GENRE_ONLY = new TestSecurityConfig.User("test_role_3_user").roles(
+        ROLE_MATCH_HISTORY_GENRE_ONLY
+    );
+
+    /**
+     * User with overlapping DLS permissions to access documents with false sensitive property and access all documents- should yield accessing all documents.
+     */
+    static final TestSecurityConfig.User USER_UNION_OF_OVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_ALLOW_ALL = new TestSecurityConfig.User(
+        "test_union_of_overlapping_roles_user"
+    ).roles(ROLE_NON_SENSITIVE_ONLY, ROLE_ALLOW_ALL);
+
+    /**
+     * User with non-overlapping DLS permissions to access documents with false sensitive property and genre property matching History.
+     */
+    static final TestSecurityConfig.User USER_UNION_OF_NONOVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_HISTORY_GENRE_ONLY =
+        new TestSecurityConfig.User("test_union_of_non_overlapping_roles_user").roles(
+            ROLE_NON_SENSITIVE_ONLY,
+            ROLE_MATCH_HISTORY_GENRE_ONLY
+        );
+
     @ClassRule
     public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
         .anonymousAuth(false)
@@ -172,7 +234,12 @@ public class DlsIntegrationTests {
             READ_WHERE_FIELD_ARTIST_MATCHES_ARTIST_STRING,
             READ_WHERE_STARS_LESS_THAN_THREE,
             READ_WHERE_FIELD_ARTIST_MATCHES_ARTIST_TWINS_OR_FIELD_STARS_GREATER_THAN_FIVE,
-            READ_WHERE_FIELD_ARTIST_MATCHES_ARTIST_TWINS_OR_MATCHES_ARTIST_FIRST
+            READ_WHERE_FIELD_ARTIST_MATCHES_ARTIST_TWINS_OR_MATCHES_ARTIST_FIRST,
+            USER_NON_SENSITIVE_ONLY,
+            USER_ALLOW_ALL,
+            USER_MATCH_HISTORY_GENRE_ONLY,
+            USER_UNION_OF_OVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_ALLOW_ALL,
+            USER_UNION_OF_NONOVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_HISTORY_GENRE_ONLY
         )
         .build();
 
@@ -218,6 +285,21 @@ public class DlsIntegrationTests {
         }
     };
 
+    static final TreeMap<String, Map<String, Serializable>> UNION_ROLE_TEST_DATA = new TreeMap<>() {
+        {
+            put("1", Map.of("genre", "History", "date", "01-01-2020", "sensitive", true));
+            put("2", Map.of("genre", "History", "date", "01-01-2020", "sensitive", true));
+            put("3", Map.of("genre", "History", "date", "01-01-2020", "sensitive", true));
+            put("4", Map.of("genre", "History", "date", "01-01-2020", "sensitive", true));
+            put("5", Map.of("genre", "History", "date", "01-01-2020", "sensitive", true));
+            put("6", Map.of("genre", "Math", "date", "01-01-2020", "sensitive", false));
+            put("7", Map.of("genre", "Math", "date", "01-01-2020", "sensitive", false));
+            put("8", Map.of("genre", "Math", "date", "01-01-2020", "sensitive", false));
+            put("9", Map.of("genre", "Math", "date", "01-01-2020", "sensitive", false));
+            put("10", Map.of("genre", "Science", "date", "01-01-2020", "sensitive", true));
+        }
+    };
+
     @BeforeClass
     public static void createTestData() {
         try (Client client = cluster.getInternalNodeClient()) {
@@ -275,6 +357,10 @@ public static void createTestData() {
                     )
                 )
                 .actionGet();
+
+            UNION_ROLE_TEST_DATA.forEach((index, document) -> {
+                client.prepareIndex(UNION_TEST_INDEX_NAME).setId(index).setRefreshPolicy(IMMEDIATE).setSource(document).get();
+            });
         }
     }
 
@@ -517,4 +603,121 @@ public void testAggregateAndComputeStarRatings() throws IOException {
             assertThat(((ParsedAvg) actualAggregation).getValue(), is(1.5));
         }
     }
+
+    @Test
+    public void testOverlappingRoleUnionSearchFiltering() throws Exception {
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(USER_NON_SENSITIVE_ONLY)) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 4);
+
+            assertThat(
+                searchResponse,
+                searchHitsContainDocumentsInAnyOrder(
+                    UNION_ROLE_TEST_DATA.entrySet()
+                        .stream()
+                        .filter(e -> e.getValue().get("sensitive").equals(false))
+                        .map(e -> Pair.of(UNION_TEST_INDEX_NAME, e.getKey()))
+                        .collect(Collectors.toList())
+                )
+            );
+        }
+
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(USER_ALLOW_ALL)) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 10);
+        }
+
+        try (
+            RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(
+                USER_UNION_OF_OVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_ALLOW_ALL
+            )
+        ) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 10);
+
+            // shows that roles are additive and the overlapping role with less filtering is used
+            assertThat(
+                searchResponse,
+                searchHitsContainDocumentsInAnyOrder(
+                    UNION_ROLE_TEST_DATA.keySet().stream().map(id -> Pair.of(UNION_TEST_INDEX_NAME, id)).collect(Collectors.toList())
+                )
+            );
+        }
+    }
+
+    @Test
+    @SuppressWarnings("unchecked")
+    public void testNonOverlappingRoleUnionSearchFiltering() throws Exception {
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(USER_NON_SENSITIVE_ONLY)) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 4);
+
+            assertThat(
+                searchResponse,
+                searchHitsContainDocumentsInAnyOrder(
+                    UNION_ROLE_TEST_DATA.entrySet()
+                        .stream()
+                        .filter(e -> e.getValue().get("sensitive").equals(false))
+                        .map(e -> Pair.of(UNION_TEST_INDEX_NAME, e.getKey()))
+                        .collect(Collectors.toList())
+                )
+            );
+        }
+
+        try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(USER_MATCH_HISTORY_GENRE_ONLY)) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 5);
+
+            assertThat(
+                searchResponse,
+                searchHitsContainDocumentsInAnyOrder(
+                    UNION_ROLE_TEST_DATA.entrySet()
+                        .stream()
+                        .filter(e -> e.getValue().get("genre").equals("History"))
+                        .map(e -> Pair.of(UNION_TEST_INDEX_NAME, e.getKey()))
+                        .collect(Collectors.toList())
+                )
+            );
+        }
+
+        try (
+            RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(
+                USER_UNION_OF_NONOVERLAPPING_ROLES_NON_SENSITIVE_ONLY_AND_HISTORY_GENRE_ONLY
+            )
+        ) {
+            SearchRequest searchRequest = new SearchRequest(UNION_TEST_INDEX_NAME);
+            SearchResponse searchResponse = restHighLevelClient.search(searchRequest, DEFAULT);
+
+            assertSearchResponseHitsEqualTo(searchResponse, 9);
+
+            assertThat(
+                searchResponse,
+                searchHitsContainDocumentsInAnyOrder(
+                    UNION_ROLE_TEST_DATA.keySet()
+                        .stream()
+                        .filter(id -> !id.equals("10"))
+                        .map(id -> Pair.of(UNION_TEST_INDEX_NAME, id))
+                        .collect(Collectors.toList())
+                )
+            );
+
+            // shows that the roles are additive, but excludes one document since the DLS filters for both roles do not account for this
+            assertThat(searchResponse, not(searchHitsContainDocumentsInAnyOrder(Pair.of(UNION_TEST_INDEX_NAME, "10"))));
+        }
+    }
+
+    private void assertSearchResponseHitsEqualTo(SearchResponse searchResponse, int hits) throws Exception {
+        assertThat(searchResponse, isSuccessfulSearchResponse());
+        assertThat(searchResponse, numberOfTotalHitsIsEqualTo(hits));
+    }
 }

From 9187da18b034ff37a454924d5e2b9223dae4dac8 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Thu, 1 Feb 2024 01:14:00 -0500
Subject: [PATCH 040/143] Add additional sendRequestDecorate cases (#3920)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/OpenSearchSecurityPlugin.java    |   4 +-
 .../transport/SecurityInterceptor.java        |  11 +-
 .../transport/SecurityInterceptorTests.java   | 270 ++++++++++++++----
 3 files changed, 231 insertions(+), 54 deletions(-)

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 569380582b..53493e7f6c 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -251,6 +251,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile OpensearchDynamicSetting<Boolean> transportPassiveAuthSetting;
 
     public static boolean isActionTraceEnabled() {
+
         return actionTrace.isTraceEnabled();
     }
 
@@ -1108,7 +1109,8 @@ public Collection<Object> createComponents(
             cs,
             Objects.requireNonNull(sslExceptionHandler),
             Objects.requireNonNull(cih),
-            SSLConfig
+            SSLConfig,
+            OpenSearchSecurityPlugin::isActionTraceEnabled
         );
         components.add(principalExtractor);
 
diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
index fe1094c411..f791cd013a 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
@@ -31,6 +31,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import com.google.common.collect.Maps;
@@ -71,8 +72,6 @@
 import org.opensearch.transport.TransportRequestOptions;
 import org.opensearch.transport.TransportResponseHandler;
 
-import static org.opensearch.security.OpenSearchSecurityPlugin.isActionTraceEnabled;
-
 public class SecurityInterceptor {
 
     protected final Logger log = LogManager.getLogger(getClass());
@@ -86,6 +85,7 @@ public class SecurityInterceptor {
     private final SslExceptionHandler sslExceptionHandler;
     private final ClusterInfoHolder clusterInfoHolder;
     private final SSLConfig SSLConfig;
+    private final Supplier<Boolean> actionTraceEnabled;
 
     public SecurityInterceptor(
         final Settings settings,
@@ -97,7 +97,8 @@ public SecurityInterceptor(
         final ClusterService cs,
         final SslExceptionHandler sslExceptionHandler,
         final ClusterInfoHolder clusterInfoHolder,
-        final SSLConfig SSLConfig
+        final SSLConfig SSLConfig,
+        final Supplier<Boolean> actionTraceSupplier
     ) {
         this.backendRegistry = backendRegistry;
         this.auditLog = auditLog;
@@ -109,6 +110,7 @@ public SecurityInterceptor(
         this.sslExceptionHandler = sslExceptionHandler;
         this.clusterInfoHolder = clusterInfoHolder;
         this.SSLConfig = SSLConfig;
+        this.actionTraceEnabled = actionTraceSupplier;
     }
 
     public <T extends TransportRequest> SecurityRequestHandler<T> getHandler(String action, TransportRequestHandler<T> actualHandler) {
@@ -247,7 +249,7 @@ && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROL
                 useJDKSerialization
             );
 
-            if (isActionTraceEnabled()) {
+            if (actionTraceEnabled.get()) {
                 getThreadContext().putHeader(
                     "_opendistro_security_trace" + System.currentTimeMillis() + "#" + UUID.randomUUID().toString(),
                     Thread.currentThread().getName()
@@ -407,5 +409,4 @@ public String executor() {
             return innerHandler.executor();
         }
     }
-
 }
diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
index 903ad89eac..4b3636a000 100644
--- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
+++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
@@ -10,7 +10,10 @@
 
 // CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used for creating a mock
 import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -51,6 +54,9 @@
 
 import static java.util.Collections.emptySet;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThrows;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -82,12 +88,44 @@ public class SecurityInterceptorTests {
     @Mock
     private SSLConfig sslConfig;
 
-    private Settings settings;
+    @Mock
+    private TransportRequest request;
+
+    @Mock
+    private TransportRequestOptions options;
+
+    @SuppressWarnings("unchecked")
+    private TransportResponseHandler<TransportResponse> handler = mock(TransportResponseHandler.class);
 
+    private Settings settings;
     private ThreadPool threadPool;
+    private ClusterName clusterName = ClusterName.DEFAULT;
+    private MockTransport transport;
+    private TransportService transportService;
+    private OpenSearchSecurityPlugin.GuiceHolder guiceHolder;
+    private User user;
+    private String action = "testAction";
+    private Version remoteNodeVersion = Version.V_2_0_0;
+
+    private InetAddress localAddress;
+    private InetAddress remoteAddress;
+    private DiscoveryNode localNode;
+    private Connection connection1;
+    private DiscoveryNode otherNode;
+    private Connection connection2;
+    private DiscoveryNode remoteNode;
+    private Connection connection3;
+    private DiscoveryNode otherRemoteNode;
+    private Connection connection4;
+
+    private AsyncSender sender;
+    private AsyncSender serializedSender;
+    private AsyncSender nullSender;
 
     @Before
     public void setup() {
+
+        // Build mocked objects
         MockitoAnnotations.openMocks(this);
         settings = Settings.builder()
             .put("node.name", SecurityInterceptorTests.class.getSimpleName())
@@ -104,17 +142,15 @@ public void setup() {
             clusterService,
             sslExceptionHandler,
             clusterInfoHolder,
-            sslConfig
+            sslConfig,
+            () -> true
         );
-    }
 
-    private void testSendRequestDecorate(Version remoteNodeVersion) {
-        boolean useJDKSerialization = remoteNodeVersion.before(ConfigConstants.FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION);
-        ClusterName clusterName = ClusterName.DEFAULT;
+        clusterName = ClusterName.DEFAULT;
         when(clusterService.getClusterName()).thenReturn(clusterName);
 
-        MockTransport transport = new MockTransport();
-        TransportService transportService = transport.createTransportService(
+        transport = new MockTransport();
+        transportService = transport.createTransportService(
             Settings.EMPTY,
             threadPool,
             TransportService.NOOP_TRANSPORT_INTERCEPTOR,
@@ -125,7 +161,7 @@ private void testSendRequestDecorate(Version remoteNodeVersion) {
         );
 
         // CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used for creating a mock
-        OpenSearchSecurityPlugin.GuiceHolder guiceHolder = new OpenSearchSecurityPlugin.GuiceHolder(
+        guiceHolder = new OpenSearchSecurityPlugin.GuiceHolder(
             mock(RepositoriesService.class),
             transportService,
             mock(IndicesService.class),
@@ -134,30 +170,34 @@ private void testSendRequestDecorate(Version remoteNodeVersion) {
         );
         // CS-ENFORCE-SINGLE
 
-        User user = new User("John Doe");
-        threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+        // Instantiate objects for tests
+        user = new User("John Doe");
 
-        String action = "testAction";
-        TransportRequest request = mock(TransportRequest.class);
-        TransportRequestOptions options = mock(TransportRequestOptions.class);
-        @SuppressWarnings("unchecked")
-        TransportResponseHandler<TransportResponse> handler = mock(TransportResponseHandler.class);
+        request = mock(TransportRequest.class);
+        options = mock(TransportRequestOptions.class);
 
-        InetAddress localAddress = null;
+        localAddress = null;
+        remoteAddress = null;
         try {
             localAddress = InetAddress.getByName("0.0.0.0");
+            remoteAddress = InetAddress.getByName("1.1.1.1");
         } catch (final UnknownHostException uhe) {
             throw new RuntimeException(uhe);
         }
 
-        DiscoveryNode localNode = new DiscoveryNode("local-node", new TransportAddress(localAddress, 1234), Version.CURRENT);
-        Connection connection1 = transportService.getConnection(localNode);
+        localNode = new DiscoveryNode("local-node1", new TransportAddress(localAddress, 1234), Version.CURRENT);
+        connection1 = transportService.getConnection(localNode);
 
-        DiscoveryNode otherNode = new DiscoveryNode("remote-node", new TransportAddress(localAddress, 4321), remoteNodeVersion);
-        Connection connection2 = transportService.getConnection(otherNode);
+        otherNode = new DiscoveryNode("local-node2", new TransportAddress(localAddress, 4321), Version.CURRENT);
+        connection2 = transportService.getConnection(otherNode);
 
-        // from thread context inside sendRequestDecorate
-        AsyncSender sender = new AsyncSender() {
+        remoteNode = new DiscoveryNode("remote-node", new TransportAddress(localAddress, 6789), remoteNodeVersion);
+        connection3 = transportService.getConnection(remoteNode);
+
+        otherRemoteNode = new DiscoveryNode("remote-node2", new TransportAddress(remoteAddress, 9876), remoteNodeVersion);
+        connection4 = transportService.getConnection(otherRemoteNode);
+
+        serializedSender = new AsyncSender() {
             @Override
             public <T extends TransportResponse> void sendRequest(
                 Connection connection,
@@ -166,19 +206,11 @@ public <T extends TransportResponse> void sendRequest(
                 TransportRequestOptions options,
                 TransportResponseHandler<T> handler
             ) {
-                User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-                assertEquals(transientUser, user);
+                String serializedUserHeader = threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
+                assertEquals(serializedUserHeader, Base64Helper.serializeObject(user, true));
             }
         };
-        // isSameNodeRequest = true
-        securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler, localNode);
-
-        // from original context
-        User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-        assertEquals(transientUser, user);
-        assertEquals(threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER), null);
 
-        // checking thread context inside sendRequestDecorate
         sender = new AsyncSender() {
             @Override
             public <T extends TransportResponse> void sendRequest(
@@ -188,30 +220,172 @@ public <T extends TransportResponse> void sendRequest(
                 TransportRequestOptions options,
                 TransportResponseHandler<T> handler
             ) {
-                String serializedUserHeader = threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
-                assertEquals(serializedUserHeader, Base64Helper.serializeObject(user, useJDKSerialization));
+                User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+                assertEquals(transientUser, user);
             }
         };
-        // isSameNodeRequest = false
-        securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler, localNode);
 
-        // from original context
-        User transientUser2 = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-        assertEquals(transientUser2, user);
-        assertEquals(threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER), null);
+        threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+    }
+
+    /**
+     * A method to confirm the original thread context is maintained
+     * @param user The expected user to be in the transient header
+     */
+    final void verifyOriginalContext(User user) {
+
+        User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        assertEquals(transientUser, user);
+        assertNull(threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER));
+    }
+
+    @SuppressWarnings({ "rawtypes", "unchecked" })
+    final void completableRequestDecorate(
+        AsyncSender sender,
+        Connection connection,
+        String action,
+        TransportRequest request,
+        TransportRequestOptions options,
+        TransportResponseHandler handler,
+        DiscoveryNode localNode
+    ) {
+
+        ExecutorService singleThreadExecutor = Executors.newSingleThreadExecutor();
+
+        singleThreadExecutor.execute(() -> {
+            try {
+                securityInterceptor.sendRequestDecorate(sender, connection, action, request, options, handler, localNode);
+                verifyOriginalContext(user);
+            } finally {
+                singleThreadExecutor.shutdown();
+            }
+        });
     }
 
     @Test
-    public void testSendRequestDecorate() {
-        testSendRequestDecorate(Version.CURRENT);
+    public void testSendRequestDecorateLocalConnection() {
+
+        // local node request
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+        // this is also a local request
+        completableRequestDecorate(sender, connection2, action, request, options, handler, otherNode);
     }
 
-    /**
-     * Tests the scenario when remote node does not implement custom serialization protocol and uses JDK serialization
-     */
     @Test
-    public void testSendRequestDecorateWhenRemoteNodeUsesJDKSerde() {
-        testSendRequestDecorate(Version.V_2_0_0);
+    public void testSendRequestDecorateRemoteConnection() {
+
+        // this is a remote request
+        completableRequestDecorate(serializedSender, connection3, action, request, options, handler, localNode);
+        // this is a remote request where the transport address is different
+        completableRequestDecorate(serializedSender, connection4, action, request, options, handler, localNode);
+    }
+
+    @Test
+    public void testSendNoOriginNodeCausesSerialization() {
+
+        // this is a request where the local node is null; have to use the remote connection since the serialization will fail
+        completableRequestDecorate(serializedSender, connection3, action, request, options, handler, null);
+    }
+
+    @Test
+    public void testSendNoConnectionShouldThrowNPE() {
+
+        // The completable version swallows the NPE so have to call actual method
+        assertThrows(
+            java.lang.NullPointerException.class,
+            () -> securityInterceptor.sendRequestDecorate(serializedSender, null, action, request, options, handler, localNode)
+        );
     }
 
+    @Test
+    public void testNullOriginHeaderCausesNoSerialization() {
+
+        // Make the origin null should cause the ensureCorrectHeaders method to populate with Origin.LOCAL.toString()
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, null);
+        // This is a different way to get the same result which exercises the origin0 = null logic of ensureCorrectHeaders
+        securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+        verifyOriginalContext(user);
+    }
+
+    @Test
+    public void testNullRemoteAddressCausesNoSerialization() {
+
+        // Make the remote address null should cause the ensureCorrectHeaders to keep the TransportAddress as null ultimately causing local
+        // logic to occur
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, null);
+        // This is a different way to get the same result which exercises the origin0 = null logic of ensureCorrectHeaders
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+    }
+
+    @Test
+    public void testCustomRemoteAddressCausesSerialization() {
+
+        threadPool.getThreadContext()
+            .putHeader(
+                ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS,
+                String.valueOf(new TransportAddress(new InetSocketAddress("8.8.8.8", 80)))
+            );
+        completableRequestDecorate(serializedSender, connection3, action, request, options, handler, localNode);
+    }
+
+    @Test
+    public void testTraceHeaderIsRemoved() {
+
+        threadPool.getThreadContext().putTransient("_opendistro_security_trace", "fake trace value");
+        // this case is just for action trace logic validation
+        // local node request
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+        // even though we add the trace the restoring handler should remove it from the thread context
+        assertFalse(
+            threadPool.getThreadContext().getHeaders().keySet().stream().anyMatch(header -> header.startsWith("_opendistro_security_trace"))
+        );
+    }
+
+    @Test
+    public void testFakeHeaderIsIgnored() {
+
+        threadPool.getThreadContext().putHeader("FAKE_HEADER", "fake_value");
+        // this is a local request
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+        // this is a remote request
+        completableRequestDecorate(serializedSender, connection3, action, request, options, handler, localNode);
+    }
+
+    @Test
+    public void testNullHeaderIsIgnored() {
+
+        // Add a null header
+        threadPool.getThreadContext().putHeader(null, null);
+        threadPool.getThreadContext().putHeader(null, "null");
+        // this is a local request
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+        // this is a remote request
+        completableRequestDecorate(serializedSender, connection3, action, request, options, handler, localNode);
+    }
+
+    @Test
+    public void testFakeHeadersAreIgnored() {
+
+        threadPool.getThreadContext()
+            .putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "fake security config request header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER, "fake security origin header");
+        threadPool.getThreadContext()
+            .putHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER, "fake security remote address header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, "fake dls query header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, "fake fls fields header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, "fake masked field header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_DOC_ALLOWLIST_HEADER, "fake doc allowlist header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_FILTER_LEVEL_DLS_DONE, "fake filter level dls header");
+        threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_MODE_HEADER, "fake dls mode header");
+        threadPool.getThreadContext()
+            .putHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_FILTER_LEVEL_QUERY_HEADER, "fake dls filter header");
+        threadPool.getThreadContext()
+            .putHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER, "fake initial action header");
+        threadPool.getThreadContext().putHeader("_opendistro_security_source_field_context", "fake source field context value");
+        threadPool.getThreadContext()
+            .putHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION, "fake injected roles validation string");
+
+        // this is a local request
+        completableRequestDecorate(sender, connection1, action, request, options, handler, localNode);
+    }
 }

From ff3b77ce66388f81cee2564d54de6db8b5a7bf59 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:43:54 -0500
Subject: [PATCH 041/143] Bump jjwt_version from 0.12.4 to 0.12.5 (#4011)

Bumps `jjwt_version` from 0.12.4 to 0.12.5.
Updates `io.jsonwebtoken:jjwt-api` from 0.12.4 to 0.12.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/releases">io.jsonwebtoken:jjwt-api's
releases</a>.</em></p>
<blockquote>
<h2>0.12.5</h2>
<p>This release fixes issue <a
href="https://redirect.github.com/jwtk/jjwt/issues/916">#916</a> and
ensures that builders' <code>NestedCollection</code> changes are applied
to the collection immediately as mutation methods are called, no longer
requiring application developers to call <code>.and()</code> to 'commit'
or apply a change. For example, prior to this release, the following
code did not apply changes:</p>
<pre lang="java"><code>JwtBuilder builder = Jwts.builder();
builder.audience().add(&quot;an-audience&quot;); // no .and() call
builder.compact(); // would not keep 'an-audience'
</code></pre>
<p>Now this code works as expected and all other
<code>NestedCollection</code> instances like it apply changes
immediately (e.g. when calling
<code>.add(value)</code>).</p>
<p>However, standard fluent builder chains are still recommended for
readability when feasible, e.g.</p>
<pre lang="java"><code>Jwts.builder()
.audience().add(&quot;an-audience&quot;).and() // allows fluent chaining
    .subject(&quot;Joe&quot;)
    // etc...
    .compact()
</code></pre>
<p>These same notes are repeated in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.5/CHANGELOG.md">CHANGELOG</a>,
and as always, project documentation is in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.5/README.md">README</a>.</p>
<p>Please allow 30 minutes from the time this announcement is published
for the release to be available in Maven Central.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md">io.jsonwebtoken:jjwt-api's
changelog</a>.</em></p>
<blockquote>
<h3>0.12.5</h3>
<p>This patch release:</p>
<ul>
<li>
<p>Ensures that builders' <code>NestedCollection</code> changes are
applied to the collection immediately as mutation methods are called, no
longer
requiring application developers to call <code>.and()</code> to 'commit'
or apply a change. For example, prior to this release,
the following code did not apply changes:</p>
<pre lang="java"><code>JwtBuilder builder = Jwts.builder();
builder.audience().add(&quot;an-audience&quot;); // no .and() call
builder.compact(); // would not keep 'an-audience'
</code></pre>
<p>Now this code works as expected and all other
<code>NestedCollection</code> instances like it apply changes
immediately (e.g. when calling
<code>.add(value)</code>).</p>
<p>However, standard fluent builder chains are still recommended for
readability when feasible, e.g.</p>
<pre lang="java"><code>Jwts.builder()
.audience().add(&quot;an-audience&quot;).and() // allows fluent chaining
    .subject(&quot;Joe&quot;)
    // etc...
    .compact()
</code></pre>
<p>See <a href="https://redirect.github.com/jwtk/jjwt/issues/916">Issue
916</a>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jwtk/jjwt/commit/2399e2fdc5e20fad9d71d6bcbfd126cce6521638"><code>2399e2f</code></a>
[maven-release-plugin] prepare release 0.12.5</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/8d3de658357b351587df3790b3b1372944ad1f2f"><code>8d3de65</code></a>
Preparing for 0.12.5 release</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/a0a123e848fc25a7920bcbd84615f639c4cc098a"><code>a0a123e</code></a>
PR <a
href="https://redirect.github.com/jwtk/jjwt/issues/917">#917</a></li>
<li><a
href="https://github.com/jwtk/jjwt/commit/afcd88983252b249204d53830dd03884050b41af"><code>afcd889</code></a>
0.12.4 staging (<a
href="https://redirect.github.com/jwtk/jjwt/issues/913">#913</a>)</li>
<li>See full diff in <a
href="https://github.com/jwtk/jjwt/compare/0.12.4...0.12.5">compare
view</a></li>
</ul>
</details>
<br />

Updates `io.jsonwebtoken:jjwt-impl` from 0.12.4 to 0.12.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/releases">io.jsonwebtoken:jjwt-impl's
releases</a>.</em></p>
<blockquote>
<h2>0.12.5</h2>
<p>This release fixes issue <a
href="https://redirect.github.com/jwtk/jjwt/issues/916">#916</a> and
ensures that builders' <code>NestedCollection</code> changes are applied
to the collection immediately as mutation methods are called, no longer
requiring application developers to call <code>.and()</code> to 'commit'
or apply a change. For example, prior to this release, the following
code did not apply changes:</p>
<pre lang="java"><code>JwtBuilder builder = Jwts.builder();
builder.audience().add(&quot;an-audience&quot;); // no .and() call
builder.compact(); // would not keep 'an-audience'
</code></pre>
<p>Now this code works as expected and all other
<code>NestedCollection</code> instances like it apply changes
immediately (e.g. when calling
<code>.add(value)</code>).</p>
<p>However, standard fluent builder chains are still recommended for
readability when feasible, e.g.</p>
<pre lang="java"><code>Jwts.builder()
.audience().add(&quot;an-audience&quot;).and() // allows fluent chaining
    .subject(&quot;Joe&quot;)
    // etc...
    .compact()
</code></pre>
<p>These same notes are repeated in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.5/CHANGELOG.md">CHANGELOG</a>,
and as always, project documentation is in the <a
href="https://github.com/jwtk/jjwt/blob/0.12.5/README.md">README</a>.</p>
<p>Please allow 30 minutes from the time this announcement is published
for the release to be available in Maven Central.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md">io.jsonwebtoken:jjwt-impl's
changelog</a>.</em></p>
<blockquote>
<h3>0.12.5</h3>
<p>This patch release:</p>
<ul>
<li>
<p>Ensures that builders' <code>NestedCollection</code> changes are
applied to the collection immediately as mutation methods are called, no
longer
requiring application developers to call <code>.and()</code> to 'commit'
or apply a change. For example, prior to this release,
the following code did not apply changes:</p>
<pre lang="java"><code>JwtBuilder builder = Jwts.builder();
builder.audience().add(&quot;an-audience&quot;); // no .and() call
builder.compact(); // would not keep 'an-audience'
</code></pre>
<p>Now this code works as expected and all other
<code>NestedCollection</code> instances like it apply changes
immediately (e.g. when calling
<code>.add(value)</code>).</p>
<p>However, standard fluent builder chains are still recommended for
readability when feasible, e.g.</p>
<pre lang="java"><code>Jwts.builder()
.audience().add(&quot;an-audience&quot;).and() // allows fluent chaining
    .subject(&quot;Joe&quot;)
    // etc...
    .compact()
</code></pre>
<p>See <a href="https://redirect.github.com/jwtk/jjwt/issues/916">Issue
916</a>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jwtk/jjwt/commit/2399e2fdc5e20fad9d71d6bcbfd126cce6521638"><code>2399e2f</code></a>
[maven-release-plugin] prepare release 0.12.5</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/8d3de658357b351587df3790b3b1372944ad1f2f"><code>8d3de65</code></a>
Preparing for 0.12.5 release</li>
<li><a
href="https://github.com/jwtk/jjwt/commit/a0a123e848fc25a7920bcbd84615f639c4cc098a"><code>a0a123e</code></a>
PR <a
href="https://redirect.github.com/jwtk/jjwt/issues/917">#917</a></li>
<li><a
href="https://github.com/jwtk/jjwt/commit/afcd88983252b249204d53830dd03884050b41af"><code>afcd889</code></a>
0.12.4 staging (<a
href="https://redirect.github.com/jwtk/jjwt/issues/913">#913</a>)</li>
<li>See full diff in <a
href="https://github.com/jwtk/jjwt/compare/0.12.4...0.12.5">compare
view</a></li>
</ul>
</details>
<br />

Updates `io.jsonwebtoken:jjwt-jackson` from 0.12.4 to 0.12.5


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index e0ae931d5a..edfebfe04e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,7 +29,7 @@ buildscript {
         apache_cxf_version = '4.0.3'
         open_saml_version = '4.3.0'
         one_login_java_saml = '2.9.0'
-        jjwt_version = '0.12.4'
+        jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'
         jaxb_version = '2.3.9'
         spring_version = '5.3.31'

From 698af8800754b121e531d985fd91b9e48297a145 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:44:16 -0500
Subject: [PATCH 042/143] Bump org.apache.camel:camel-xmlsecurity from 3.22.0
 to 3.22.1 (#4012)

Bumps org.apache.camel:camel-xmlsecurity from 3.22.0 to 3.22.1.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.camel:camel-xmlsecurity&package-manager=gradle&previous-version=3.22.0&new-version=3.22.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index edfebfe04e..4b8b1c94be 100644
--- a/build.gradle
+++ b/build.gradle
@@ -614,7 +614,7 @@ dependencies {
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
     runtimeOnly 'org.ow2.asm:asm:9.6'
 
-    testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.0'
+    testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.0'

From 90e25ac756ccfa4c573005cbf8376431bcf0485d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:44:40 -0500
Subject: [PATCH 043/143] Bump com.netflix.nebula.ospackage from 11.6.0 to
 11.7.0 (#4013)

Bumps com.netflix.nebula.ospackage from 11.6.0 to 11.7.0.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.netflix.nebula.ospackage&package-manager=gradle&previous-version=11.6.0&new-version=11.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 4b8b1c94be..c27689b54a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,7 +64,7 @@ plugins {
     id 'maven-publish'
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.6.0"
+    id 'com.netflix.nebula.ospackage' version "11.7.0"
     id "org.gradle.test-retry" version "1.5.8"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"

From 5bd0dac648098040eb14b4e06b86e89fbae3dac1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:45:03 -0500
Subject: [PATCH 044/143] Bump org.junit.jupiter:junit-jupiter from 5.10.1 to
 5.10.2 (#4014)

Bumps
[org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit5)
from 5.10.1 to 5.10.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/junit-team/junit5/releases">org.junit.jupiter:junit-jupiter's
releases</a>.</em></p>
<blockquote>
<p>JUnit 5.10.2 = Platform 1.10.2 + Jupiter 5.10.2 + Vintage 5.10.2</p>
<p>See <a
href="http://junit.org/junit5/docs/5.10.2/release-notes/">Release
Notes</a>.</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/junit-team/junit5/compare/r5.10.1...r5.10.2">https://github.com/junit-team/junit5/compare/r5.10.1...r5.10.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/junit-team/junit5/commit/4c0dddad1b96d4a20e92a2cd583954643ac56ac0"><code>4c0ddda</code></a>
Release 5.10.2</li>
<li><a
href="https://github.com/junit-team/junit5/commit/463a14773d884f2bf31f073a87bef9d0938872db"><code>463a147</code></a>
Finalize release notes for 5.10.2</li>
<li><a
href="https://github.com/junit-team/junit5/commit/43c105a246c0130d08145335cb9986236e2a8465"><code>43c105a</code></a>
Revert &quot;Apply method predicate before searching type
hierarchy&quot;</li>
<li><a
href="https://github.com/junit-team/junit5/commit/63d464d1e10a62743fe4024436ef1e006a89df72"><code>63d464d</code></a>
Revert &quot;Harmonize application of method and field filters in search
algorithms&quot;</li>
<li><a
href="https://github.com/junit-team/junit5/commit/85ec2fccb32a51fbe6ff966e25726c94a67dd418"><code>85ec2fc</code></a>
Revert &quot;Apply field predicate before searching type
hierarchy&quot;</li>
<li><a
href="https://github.com/junit-team/junit5/commit/6209006a7693dbf6f680a5ac4541aba86c9da899"><code>6209006</code></a>
Update release notes</li>
<li><a
href="https://github.com/junit-team/junit5/commit/5ee499f0e0029dbd1120ecf889bd214e2082c589"><code>5ee499f</code></a>
Fix CI build</li>
<li><a
href="https://github.com/junit-team/junit5/commit/d919ba71ea4c3b1e60f2d21473ba31ff0f6857ab"><code>d919ba7</code></a>
Namespace user-specific build parameters</li>
<li><a
href="https://github.com/junit-team/junit5/commit/e26cd83ed307ef100399ced9985f04612931984b"><code>e26cd83</code></a>
Prepare release notes for 5.10.2</li>
<li><a
href="https://github.com/junit-team/junit5/commit/ec8d4282c60f480d3de264330b37e75b1b8d05d9"><code>ec8d428</code></a>
Include LauncherInterceptor in launcher module declaration</li>
<li>Additional commits viewable in <a
href="https://github.com/junit-team/junit5/compare/r5.10.1...r5.10.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.junit.jupiter:junit-jupiter&package-manager=gradle&previous-version=5.10.1&new-version=5.10.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index c27689b54a..d84475c794 100644
--- a/build.gradle
+++ b/build.gradle
@@ -685,8 +685,8 @@ dependencies {
     testImplementation 'commons-validator:commons-validator:1.8.0'
     testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.13'
     testImplementation "org.springframework:spring-beans:${spring_version}"
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.10.1'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.1'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.10.2'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.2'
     testImplementation('org.awaitility:awaitility:4.2.0') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }

From f75d0c9c426ce12e067228f302527b377aec7627 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Feb 2024 07:50:28 -0500
Subject: [PATCH 045/143] Bump release-drafter/release-drafter from 5 to 6
 (#4016)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[release-drafter/release-drafter](https://github.com/release-drafter/release-drafter)
from 5 to 6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/release-drafter/release-drafter/releases">release-drafter/release-drafter's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h1>What's Changed</h1>
<ul>
<li>Update Node.js to 20 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1379">#1379</a>)
<a href="https://github.com/massongit"><code>@​massongit</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/release-drafter/release-drafter/compare/v5.25.0...v6.0.0">https://github.com/release-drafter/release-drafter/compare/v5.25.0...v6.0.0</a></p>
<h2>v6.0.0-beta.1</h2>
<p>Prerelease of v6, first release of the CLI, feel free to provide
feedback in the pull request: <a
href="https://redirect.github.com/release-drafter/release-drafter/pull/1204">release-drafter/release-drafter#1204</a></p>
<h2>v5.25.0</h2>
<h1>What's Changed</h1>
<h2>New</h2>
<ul>
<li>add prerelease increment behavior (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1303">#1303</a>)
<a href="https://github.com/neilime"><code>@​neilime</code></a></li>
<li>add latest input (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1348">#1348</a>)
<a href="https://github.com/o-mago"><code>@​o-mago</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/release-drafter/release-drafter/compare/v5.24.0...v5.25.0">https://github.com/release-drafter/release-drafter/compare/v5.24.0...v5.25.0</a></p>
<h2>v5.24.0</h2>
<h1>What's Changed</h1>
<h2>New</h2>
<ul>
<li>Add release version to github action output (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1300">#1300</a>)
<a
href="https://github.com/mehdihadeli"><code>@​mehdihadeli</code></a></li>
</ul>
<h2>Bug Fixes</h2>
<ul>
<li>fix(release): strip prefix before comparing version (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1255">#1255</a>)
<a href="https://github.com/neilime"><code>@​neilime</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/release-drafter/release-drafter/compare/v5.23.0...v5.24.0">https://github.com/release-drafter/release-drafter/compare/v5.23.0...v5.24.0</a></p>
<h2>v5.23.0</h2>
<h1>What's Changed</h1>
<h2>New</h2>
<ul>
<li>Add <code>include-pre-releases</code> configuration option (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1302">#1302</a>)
<a
href="https://github.com/robbinjanssen"><code>@​robbinjanssen</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/release-drafter/release-drafter/compare/v5.22.0...v5.23.0">https://github.com/release-drafter/release-drafter/compare/v5.22.0...v5.23.0</a></p>
<h2>v5.22.0</h2>
<h1>What's Changed</h1>
<h2>New</h2>
<ul>
<li>Only use last full release when drafting (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1240">#1240</a>)
<a href="https://github.com/ssbarnea"><code>@​ssbarnea</code></a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/release-drafter/release-drafter/commit/3f0f87098bd6b5c5b9a36d49c41d998ea58f9348"><code>3f0f870</code></a>
v6.0.0</li>
<li><a
href="https://github.com/release-drafter/release-drafter/commit/80296b4fbaeb08e43a2b957e188b283a20776b3b"><code>80296b4</code></a>
Update Node.js to 20 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1379">#1379</a>)</li>
<li>See full diff in <a
href="https://github.com/release-drafter/release-drafter/compare/v5...v6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=release-drafter/release-drafter&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release-drafter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index bf6e5b0674..10e870d04f 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Drafts the next Release notes as Pull Requests are merged into "main"
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@v6
         with:
           config-name: release-notes-drafter-config.yml
         env:

From 6b9ded21b2b7af18f8bacbcf1b242ffe12960da1 Mon Sep 17 00:00:00 2001
From: Chenyang Ji <chenyang.yale@gmail.com>
Date: Mon, 5 Feb 2024 07:44:18 -0800
Subject: [PATCH 046/143] Admin role for Query insights plugin (#4006)

Signed-off-by: Chenyang Ji <cyji@amazon.com>
---
 config/roles.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/roles.yml b/config/roles.yml
index ccd1759355..8d1b1f88f6 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -399,3 +399,9 @@ flow_framework_read_access:
     - 'cluster:admin/opensearch/flow_framework/workflow_state/get'
     - 'cluster:admin/opensearch/flow_framework/workflow_state/search'
     - 'cluster:admin/opensearch/flow_framework/workflow_step/get'
+
+# Allows users to use all query insights APIs
+query_insights_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opensearch/insights/top_queries/*'

From 321604c59d97fc1275dc111fd59c1809ccf6158b Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Mon, 5 Feb 2024 12:21:24 -0500
Subject: [PATCH 047/143] Update TRIAGING.md with new time for triage meetings
 (#4023)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 TRIAGING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/TRIAGING.md b/TRIAGING.md
index 22e59afc2d..7f70501dae 100644
--- a/TRIAGING.md
+++ b/TRIAGING.md
@@ -12,7 +12,7 @@ Each meeting we seek to  address all new issues. However, should we run out of t
 
 ### How do I join the Backlog & Triage meeting?
 
-Meetings are hosted regularly at 3 PM Eastern Time (Noon Pacific Time) and can be joined via the links posted on the [Upcoming Events](https://opensearch.org/events) webpage.
+Meetings are hosted regularly at 11 AM Eastern Time (8AM Pacific Time) and can be joined via the links posted on the [OpenSearch Meetup Group](https://www.meetup.com/opensearch/events/) list of events. The event will be titled `Development Backlog & Triage Meeting - Security`.
 
 After joining the Zoom meeting, you can enable your video / voice to join the discussion.  If you do not have a webcam or microphone available, you can still join in via the text chat.
 

From a41b3f7f7ccbc4a78856e97c8b7254040b2f288e Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 8 Feb 2024 13:17:43 -0500
Subject: [PATCH 048/143] Redact sensitive configuration values when retrieving
 security configuration (#4024)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### Description

Redacts the field `password` when calling `GET
/_plugins/_security/api/securityconfig`.

Redacting the field through the API will also ensure that it doesn't get
displayed on OSD. **Note**: This value would only be displayed to users
with access to the security pages.


<img width="471" alt="Screenshot 2024-02-05 at 3 27 34 PM"
src="https://github.com/opensearch-project/security/assets/17432265/7cd93f70-9eb9-4ac2-859c-00a7bfb56718">


* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Enhancement

### Issues Resolved

- https://github.com/opensearch-project/security/issues/4004

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../security/http/LdapAuthenticationTest.java | 25 +++++++++-
 .../security/DefaultObjectMapper.java         | 48 +++++++++++++++++++
 .../dlic/rest/api/AbstractApiAction.java      | 15 +++++-
 .../impl/SecurityDynamicConfiguration.java    |  9 ++++
 4 files changed, 95 insertions(+), 2 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
index b4a3717287..7339808d8c 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
@@ -41,6 +41,7 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.security.http.CertificateAuthenticationTest.POINTER_BACKEND_ROLES;
 import static org.opensearch.security.http.DirectoryInformationTrees.CN_GROUP_ADMIN;
 import static org.opensearch.security.http.DirectoryInformationTrees.DN_CAPTAIN_SPOCK_PEOPLE_TEST_ORG;
@@ -55,6 +56,8 @@
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_KIRK;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_SEARCH;
 import static org.opensearch.security.http.DirectoryInformationTrees.USER_SPOCK;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.BASIC_AUTH_DOMAIN_ORDER;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
@@ -83,7 +86,16 @@ public class LdapAuthenticationTest {
     public static LocalCluster cluster = new LocalCluster.Builder().testCertificates(TEST_CERTIFICATES)
         .clusterManager(ClusterManager.SINGLENODE)
         .anonymousAuth(false)
-        .nodeSettings(Map.of(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + "." + ADMIN_USER.getName(), List.of(USER_KIRK)))
+        .nodeSettings(
+            Map.of(
+                ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + "." + ADMIN_USER.getName(),
+                List.of(USER_KIRK),
+                SECURITY_RESTAPI_ROLES_ENABLED,
+                List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()),
+                SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST,
+                false
+            )
+        )
         .authc(
             new AuthcDomain("ldap", BASIC_AUTH_DOMAIN_ORDER + 1, true).httpAuthenticator(new HttpAuthenticator("basic").challenge(false))
                 .backend(
@@ -190,4 +202,15 @@ public void testShouldCreateScrollWithLdapUserAndImpersonateWithAdmin() {
             scrollResponse.assertStatusCode(200);
         }
     }
+
+    @Test
+    public void testShouldRedactPasswordWhenGettingSecurityConfig() {
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            TestRestClient.HttpResponse response = client.get("_plugins/_security/api/securityconfig");
+
+            response.assertStatusCode(200);
+            String redactedPassword = response.getTextFromJsonBody("/config/dynamic/authc/ldap/authentication_backend/config/password");
+            assertThat("******", equalTo(redactedPassword));
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
index 48aa09541a..2d18667c54 100644
--- a/src/main/java/org/opensearch/security/DefaultObjectMapper.java
+++ b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -35,6 +35,7 @@
 
 import com.google.common.collect.ImmutableSet;
 import com.fasterxml.jackson.annotation.JsonInclude.Include;
+import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
@@ -42,14 +43,40 @@
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.exc.InvalidFormatException;
 import com.fasterxml.jackson.databind.exc.MismatchedInputException;
 import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
 import com.fasterxml.jackson.databind.type.TypeFactory;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 
 import org.opensearch.SpecialPermission;
 
+class ConfigMapSerializer extends StdSerializer<Map<String, Object>> {
+    private static final Set<String> SENSITIVE_CONFIG_KEYS = Set.of("password");
+
+    @SuppressWarnings("unchecked")
+    public ConfigMapSerializer() {
+        // Pass Map<String, Object>.class to the superclass
+        super((Class<Map<String, Object>>) (Class<?>) Map.class);
+    }
+
+    @Override
+    public void serialize(Map<String, Object> value, JsonGenerator gen, SerializerProvider serializers) throws IOException {
+        gen.writeStartObject();
+        for (Map.Entry<String, Object> entry : value.entrySet()) {
+            if (SENSITIVE_CONFIG_KEYS.contains(entry.getKey())) {
+                gen.writeStringField(entry.getKey(), "******"); // Redact
+            } else {
+                gen.writeObjectField(entry.getKey(), entry.getValue());
+            }
+        }
+        gen.writeEndObject();
+    }
+}
+
 public class DefaultObjectMapper {
     public static final ObjectMapper objectMapper = new ObjectMapper();
     public final static ObjectMapper YAML_MAPPER = new ObjectMapper(new YAMLFactory());
@@ -180,6 +207,27 @@ public static String writeValueAsString(Object value, boolean omitDefaults) thro
 
     }
 
+    @SuppressWarnings("removal")
+    public static String writeValueAsStringAndRedactSensitive(Object value) throws JsonProcessingException {
+        final SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+
+        SimpleModule module = new SimpleModule();
+        module.addSerializer(new ConfigMapSerializer());
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.registerModule(module);
+
+        try {
+            return AccessController.doPrivileged((PrivilegedExceptionAction<String>) () -> mapper.writeValueAsString(value));
+        } catch (final PrivilegedActionException e) {
+            throw (JsonProcessingException) e.getCause();
+        }
+
+    }
+
     @SuppressWarnings("removal")
     public static <T> T readValue(String string, TypeReference<T> tr) throws IOException {
 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
index 04148e8b99..ef8a00d700 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -372,7 +372,12 @@ protected final ValidationResult<SecurityDynamicConfiguration<?>> loadConfigurat
         boolean omitSensitiveData,
         final boolean logComplianceEvent
     ) {
-        final var configuration = load(cType, logComplianceEvent);
+        SecurityDynamicConfiguration<?> configuration;
+        if (omitSensitiveData) {
+            configuration = loadAndRedact(cType, logComplianceEvent);
+        } else {
+            configuration = load(cType, logComplianceEvent);
+        }
         if (configuration.getSeqNo() < 0) {
 
             return ValidationResult.error(
@@ -448,6 +453,14 @@ protected final SecurityDynamicConfiguration<?> load(final CType config, boolean
         return DynamicConfigFactory.addStatics(loaded);
     }
 
+    protected final SecurityDynamicConfiguration<?> loadAndRedact(final CType config, boolean logComplianceEvent) {
+        SecurityDynamicConfiguration<?> loaded = securityApiDependencies.configurationRepository()
+            .getConfigurationsFromIndex(List.of(config), logComplianceEvent)
+            .get(config)
+            .deepCloneWithRedaction();
+        return DynamicConfigFactory.addStatics(loaded);
+    }
+
     protected boolean ensureIndexExists() {
         return clusterService.state().metadata().hasConcreteIndex(securityApiDependencies.securityIndexName());
     }
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
index bba44b5e28..90508840e7 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
@@ -303,6 +303,15 @@ public SecurityDynamicConfiguration<T> deepClone() {
         }
     }
 
+    @JsonIgnore
+    public SecurityDynamicConfiguration<T> deepCloneWithRedaction() {
+        try {
+            return fromJson(DefaultObjectMapper.writeValueAsStringAndRedactSensitive(this), ctype, version, seqNo, primaryTerm);
+        } catch (Exception e) {
+            throw ExceptionsHelper.convertToOpenSearchException(e);
+        }
+    }
+
     @JsonIgnore
     public void remove(String key) {
         synchronized (modificationLock) {

From f5170e64142d66292bd9ab5f1ce588236296e40f Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 8 Feb 2024 23:47:43 -0500
Subject: [PATCH 049/143] Add release notes for 2.12.0.0 (#4030)

### Description

Add release notes for 2.12.0.0 release

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Documentation

### Issues Resolved

- https://github.com/opensearch-project/security/issues/3513

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 ...nsearch-security.release-notes-2.12.0.0.md | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 release-notes/opensearch-security.release-notes-2.12.0.0.md

diff --git a/release-notes/opensearch-security.release-notes-2.12.0.0.md b/release-notes/opensearch-security.release-notes-2.12.0.0.md
new file mode 100644
index 0000000000..be6ddbc125
--- /dev/null
+++ b/release-notes/opensearch-security.release-notes-2.12.0.0.md
@@ -0,0 +1,61 @@
+## 2024-02-20 Version 2.12.0.0
+
+Compatible with OpenSearch 2.12.0
+
+### Enhancements
+* Add additional sendRequestDecorate cases ([#4007](https://github.com/opensearch-project/security/pull/4007))
+* [BUG-2556] Add new DLS filtering test ([#4001](https://github.com/opensearch-project/security/pull/4001))
+* [Enhancement-3191] `transport_enabled` setting on an auth domain and authorizer may be unnecessary after transport client removal  ([#3966](https://github.com/opensearch-project/security/pull/3966))
+* Update roles.yml with new API for experimental alerting plugin feature [#4027](https://github.com/opensearch-project/security/pull/4027) ([#4029](https://github.com/opensearch-project/security/pull/4029))
+* Admin role for Query insights plugin ([#4022](https://github.com/opensearch-project/security/pull/4022))
+* Validate 409s occur when multiple config updates happen simultaneously ([#3962](https://github.com/opensearch-project/security/pull/3962))
+* Protect config object from concurrent modification issues ([#3956](https://github.com/opensearch-project/security/pull/3956))
+* Add test coverage for ComplianceConfig ([#3957](https://github.com/opensearch-project/security/pull/3957))
+* Update security analytics roles to include custom log type cluster permissions ([#3954](https://github.com/opensearch-project/security/pull/3954))
+* Add logging for test LdapServer actions ([#3942](https://github.com/opensearch-project/security/pull/3942))
+* HeapBasedRateTracker uses time provider to allow simluating of time in unit tests ([#3941](https://github.com/opensearch-project/security/pull/3941))
+* Add additional logging around `testShouldSearchAll` tests ([#3943](https://github.com/opensearch-project/security/pull/3943))
+* Add permission for get workflow step ([#3940](https://github.com/opensearch-project/security/pull/3940))
+* Add additional ignore_headers audit configuration setting ([#3926](https://github.com/opensearch-project/security/pull/3926))
+* Update to Gradle 8.5 ([#3919](https://github.com/opensearch-project/security/pull/3919)) ([#3923](https://github.com/opensearch-project/security/pull/3923))
+* Refactor SSL handler retrieval to use HttpChannel / TranportChannel APIs instead of typecasting ([#3917](https://github.com/opensearch-project/security/pull/3917)) ([#3922](https://github.com/opensearch-project/security/pull/3922))
+* Improve messaging on how to set initial admin password ([#3918](https://github.com/opensearch-project/security/pull/3918))
+* Re-enable disabled PIT integration tests ([#3914](https://github.com/opensearch-project/security/pull/3914))
+* Switched to more reliable OpenSearch Lucene snapshot location ([#3913](https://github.com/opensearch-project/security/pull/3913))
+* Add deprecation check for `jwt_header` setting ([#3896](https://github.com/opensearch-project/security/pull/3896))
+* Add render search template as a cluster permission ([#3689](https://github.com/opensearch-project/security/pull/3689)) ([#3872](https://github.com/opensearch-project/security/pull/3872))
+* Add flow framework system indices and roles ([#3851](https://github.com/opensearch-project/security/pull/3851)) ([#3880](https://github.com/opensearch-project/security/pull/3880))
+* Search operation test flakiness fix ([#3862](https://github.com/opensearch-project/security/pull/3862))
+* Extracts demo configuration setup into a java tool, adds support for Bundled JDK for this tool and updates DEVELOPER_GUIDE.md ([#3845](https://github.com/opensearch-project/security/pull/3845))
+* SAML permissions changes in DynamicConfigModelV7 ([#3853](https://github.com/opensearch-project/security/pull/3853))
+* Add do not fail on forbidden test cases around the stats API ([#3825](https://github.com/opensearch-project/security/pull/3825)) ([#3828](https://github.com/opensearch-project/security/pull/3828))
+
+### Bug Fixes
+* Fix Bug with Install demo configuration running in cluster mode with -y ([#3936](https://github.com/opensearch-project/security/pull/3936))
+* Allow TransportConfigUpdateAction when security config initialization has completed ([#3810](https://github.com/opensearch-project/security/pull/3810)) ([#3927](https://github.com/opensearch-project/security/pull/3927))
+* Fix the CI / report-coverage check by switching to corresponding actions/upload-artifact@v4 ([#3893](https://github.com/opensearch-project/security/pull/3893)) ([#3895](https://github.com/opensearch-project/security/pull/3895))
+
+### Maintenance
+* Bump org.apache.camel:camel-xmlsecurity from 3.22.0 to 3.22.1 ([#4018](https://github.com/opensearch-project/security/pull/4018))
+* Bump release-drafter/release-drafter from 5 to 6 ([#4021](https://github.com/opensearch-project/security/pull/4021))
+* Bump com.netflix.nebula.ospackage from 11.6.0 to 11.7.0 ([#4019](https://github.com/opensearch-project/security/pull/4019))
+* Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2 ([#4020](https://github.com/opensearch-project/security/pull/4020))
+* Bump jjwt_version from 0.12.4 to 0.12.5 ([#4017](https://github.com/opensearch-project/security/pull/4017))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.24 to 4.2.25 ([#3998](https://github.com/opensearch-project/security/pull/3998))
+* Bump gradle/gradle-build-action from 2 to 3 ([#4000](https://github.com/opensearch-project/security/pull/4000))
+* Bump jjwt_version from 0.12.3 to 0.12.4 ([#3999](https://github.com/opensearch-project/security/pull/3999))
+* Bump spotless (6.24.0 -> 6.25.0) to bump eclipse resources (3.18 -> 3.19)  ([#3993](https://github.com/opensearch-project/security/pull/3993))
+* Fix: remove unnecessary trailing slashes in APIs. ([#3978](https://github.com/opensearch-project/security/pull/3978))
+* Adds new ml-commons system indices to the list ([#3974](https://github.com/opensearch-project/security/pull/3974))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.23 to 4.2.24 ([#3970](https://github.com/opensearch-project/security/pull/3970))
+* Bump com.fasterxml.woodstox:woodstox-core from 6.5.1 to 6.6.0 ([#3969](https://github.com/opensearch-project/security/pull/3969))
+* Bump com.diffplug.spotless from 6.23.3 to 6.24.0 ([#3947](https://github.com/opensearch-project/security/pull/3947))
+* Bump org.apache.camel:camel-xmlsecurity from 3.21.3 to 3.22.0 ([#3906](https://github.com/opensearch-project/security/pull/3906))
+* Bump com.google.errorprone:error_prone_annotations from 2.23.0 to 2.24.0 ([#3897](https://github.com/opensearch-project/security/pull/3897)) ([#3902](https://github.com/opensearch-project/security/pull/3902))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.22 to 4.2.23 ([#3900](https://github.com/opensearch-project/security/pull/3900))
+* Bump com.google.googlejavaformat:google-java-format from 1.18.1 to 1.19.1 ([#3901](https://github.com/opensearch-project/security/pull/3901))
+* Bump github/codeql-action from 2 to 3 ([#3859](https://github.com/opensearch-project/security/pull/3859)) ([#3867](https://github.com/opensearch-project/security/pull/3867))
+* Bump org.apache.camel:camel-xmlsecurity from 3.21.2 to 3.21.3 ([#3864](https://github.com/opensearch-project/security/pull/3864))
+* Bump org.checkerframework:checker-qual from 3.40.0 to 3.42.0 ([#3857](https://github.com/opensearch-project/security/pull/3857)) ([#3866](https://github.com/opensearch-project/security/pull/3866))
+* Bump com.flipkart.zjsonpatch:zjsonpatch from 0.4.14 to 0.4.16 ([#3865](https://github.com/opensearch-project/security/pull/3865))
+* Bump com.netflix.nebula.ospackage from 11.5.0 to 11.6.0 ([#3863](https://github.com/opensearch-project/security/pull/3863))

From ca4eedf245c85683b6622fa6a11fad2bfcac88a3 Mon Sep 17 00:00:00 2001
From: AWSHurneyt <hurneyt@amazon.com>
Date: Thu, 8 Feb 2024 21:07:40 -0800
Subject: [PATCH 050/143] v2.12 update roles.yml with new API for experimental
 alerting plugin feature (#4027)

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
---
 config/roles.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/roles.yml b/config/roles.yml
index 8d1b1f88f6..efa83ed02e 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -33,6 +33,7 @@ alerting_read_access:
     - 'cluster:admin/opendistro/alerting/monitor/get'
     - 'cluster:admin/opendistro/alerting/monitor/search'
     - 'cluster:admin/opensearch/alerting/findings/get'
+    - 'cluster:admin/opensearch/alerting/remote/indexes/get'
     - 'cluster:admin/opensearch/alerting/workflow/get'
     - 'cluster:admin/opensearch/alerting/workflow_alerts/get'
 

From f5c260ec9c8eb41a7cffaa2ee57458b27b161cfc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 12 Feb 2024 06:49:07 -0600
Subject: [PATCH 051/143] Bump com.netflix.nebula.ospackage from 11.7.0 to
 11.8.0 (#4040)

Bumps com.netflix.nebula.ospackage from 11.7.0 to 11.8.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index d84475c794..8a31c3b874 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,7 +64,7 @@ plugins {
     id 'maven-publish'
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.7.0"
+    id 'com.netflix.nebula.ospackage' version "11.8.0"
     id "org.gradle.test-retry" version "1.5.8"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"

From 3d68394d1e424ce33f3c02e182252bb7a2800a4f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 12 Feb 2024 07:53:45 -0500
Subject: [PATCH 052/143] Bump Wandalen/wretry.action from 1.3.0 to 1.4.4
 (#4038)

Bumps
[Wandalen/wretry.action](https://github.com/wandalen/wretry.action) from
1.3.0 to 1.4.4.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/62451a214c01d1b0136b4f87289d840b30d67b98"><code>62451a2</code></a>
version 1.4.4</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/b0dafbbe7afcdf834bcc9cea44c3ab36f3d6d998"><code>b0dafbb</code></a>
Update build file, add missed dependencies</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/50600a260214594b7300f5977d10b70fec5713b6"><code>50600a2</code></a>
version 1.4.3</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/2b81ed10c3cc2d3ef8835d2ef8f4680f7e0c43a3"><code>2b81ed1</code></a>
Update build file, add missed dependencies</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/e9055066d72d2369a461fe647b0cd888d0650401"><code>e905506</code></a>
version 1.4.2</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/560268f8f6a47848a743dee21f435c9ddbbfeaec"><code>560268f</code></a>
version 1.4.1</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/c04b3380d37a864a165edf448f052814ff31d09c"><code>c04b338</code></a>
Update readme.md</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/5d5a9bd4204a45a0a541d7f156fde98f57266582"><code>5d5a9bd</code></a>
version 1.4.0</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/7bef43bf04dbc821f1691c0401ea854516a66c60"><code>7bef43b</code></a>
Merge pull request <a
href="https://redirect.github.com/wandalen/wretry.action/issues/112">#112</a>
from dmvict/add_option</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/47ca1fc249e1815602642f9a28c016d8c02818eb"><code>47ca1fc</code></a>
Update readme.md</li>
<li>Additional commits viewable in <a
href="https://github.com/wandalen/wretry.action/compare/v1.3.0...v1.4.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Wandalen/wretry.action&package-manager=github_actions&previous-version=1.3.0&new-version=1.4.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index acd9b9de27..fbb4d6c266 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v1.3.0
+        uses: Wandalen/wretry.action@v1.4.4
         with:
           attempt_limit: 5
           attempt_delay: 2000

From 69bf786ec55aadeb39dc9396f5cd104147e2ffcf Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 12 Feb 2024 12:55:27 +0000
Subject: [PATCH 053/143] Bump commons-codec:commons-codec from 1.16.0 to
 1.16.1 (#4039)

Bumps
[commons-codec:commons-codec](https://github.com/apache/commons-codec)
from 1.16.0 to 1.16.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt">commons-codec:commons-codec's
changelog</a>.</em></p>
<blockquote>
<p>Apache Commons Codec 1.16.1
RELEASE NOTES</p>
<p>The Apache Commons Codec component contains encoder and decoders for
various formats such as Base16, Base32, Base64, digest, and Hexadecimal.
In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.</p>
<p>Feature and fix release. Requires a minimum of Java 8.</p>
<p>Changes in this version include:</p>
<p>New features:
o Add Maven property project.build.outputTimestamp for build
reproducibility. Thanks to Gary Gregory.</p>
<p>Fixed Bugs:
o CODEC-295:  Test clean ups. Thanks to Gary Gregory.
o [StepSecurity] ci: Harden GitHub Actions <a
href="https://redirect.github.com/apache/commons-codec/issues/187">#187</a>.
Thanks to step-security-bot, Gary Gregory.
o CODEC-295: Correct error in Base64 Javadoc <a
href="https://redirect.github.com/apache/commons-codec/issues/188">#188</a>.
Thanks to Evan Saulpaugh.
o CODEC-295: Add minimum Java version in changes.xml <a
href="https://redirect.github.com/apache/commons-codec/issues/186">#186</a>.
Thanks to Olivier Jaquemet, Gary Gregory.
o CODEC-310: Documentation update for the
org.apache.commons.codec.digest.* package <a
href="https://redirect.github.com/apache/commons-codec/issues/208">#208</a>.
Thanks to Yakov Shafranovich.
o Precompile regular expression in UnixCrypt.crypt(byte[], String).
Thanks to Gary Gregory.
o CODEC-315: Fix possible IndexOutOfBoundException in
PhoneticEngine.encode method <a
href="https://redirect.github.com/apache/commons-codec/issues/223">#223</a>.
Thanks to Arthur Chan, Gary Gregory.
o CODEC-313: Fix possible ArrayIndexOutOfBoundsException in
QuotedPrintableCodec.encodeQuotedPrintable() method <a
href="https://redirect.github.com/apache/commons-codec/issues/221">#221</a>.
Thanks to Arthur Chan, Gary Gregory.
o CODEC-312: Fix possible StringIndexOutOfBoundException in
MatchRatingApproachEncoder.encode() method <a
href="https://redirect.github.com/apache/commons-codec/issues/220">#220</a>.
Thanks to Arthur Chan, Gary Gregory.
o CODEC-311: Fix possible ArrayIndexOutOfBoundException in
RefinedSoundex.getMappingCode() <a
href="https://redirect.github.com/apache/commons-codec/issues/219">#219</a>.
Thanks to Arthur Chan, Gary Gregory.
o CODEC-314: Fix possible IndexOutOfBoundsException in
PercentCodec.insertAlwaysEncodeChars() method <a
href="https://redirect.github.com/apache/commons-codec/issues/222">#222</a>.
Thanks to Arthur Chan, Gary Gregory.
o Deprecate UnixCrypt 0-argument constructor. Thanks to Gary Gregory.
o Deprecate Md5Crypt 0-argument constructor. Thanks to Gary Gregory.
o Deprecate Crypt 0-argument constructor. Thanks to Gary Gregory.
o Deprecate StringUtils 0-argument constructor. Thanks to Gary Gregory.
o Deprecate Resources 0-argument constructor. Thanks to Gary Gregory.
o Deprecate Charsets 0-argument constructor. Thanks to Gary Gregory.
o Deprecate CharEncoding 0-argument constructor. Thanks to Gary Gregory.
o Add missing version for animal-sniffer-maven-plugin. Thanks to Gary
Gregory.</p>
<p>Changes:
o Bump commons-parent from 58 to 66. Thanks to Dependabot, Gary Gregory.
o Bump commons-lang3 from 3.12.0 to 3.14.0. Thanks to Gary Gregory.
o Bump commons-io from 2.13.0 to 2.15.1. Thanks to Gary Gregory.</p>
<p>For complete information on Apache Commons Codec, including
instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons Codec
website:</p>
<p><a
href="https://commons.apache.org/proper/commons-codec/">https://commons.apache.org/proper/commons-codec/</a></p>
<p>Download page: <a
href="https://commons.apache.org/proper/commons-codec/download_codec.cgi">https://commons.apache.org/proper/commons-codec/download_codec.cgi</a></p>
<hr />
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/apache/commons-codec/commit/e59fc76531141cb4a36f3031457b9d5f07e5e43f"><code>e59fc76</code></a>
Prepare release candidate</li>
<li><a
href="https://github.com/apache/commons-codec/commit/90c8023be911b42bab20b31b0e325174df0ee452"><code>90c8023</code></a>
Prepare for the next release candidate</li>
<li><a
href="https://github.com/apache/commons-codec/commit/05714adcf957e7a7644a71cd82de30145288ff38"><code>05714ad</code></a>
Prepare release candidate</li>
<li><a
href="https://github.com/apache/commons-codec/commit/060be1a1ca4b229ab348618ecae506a65543356f"><code>060be1a</code></a>
Add missing version for animal-sniffer-maven-plugin</li>
<li><a
href="https://github.com/apache/commons-codec/commit/0fd7b59fb1dbd67260429e1d75789fca92ab8a6f"><code>0fd7b59</code></a>
Remove variable assignment just before returning it</li>
<li><a
href="https://github.com/apache/commons-codec/commit/19649cdafdd780cbb7805f73e1e02c4d0fd549ff"><code>19649cd</code></a>
Add Maven property project.build.outputTimestamp for build</li>
<li><a
href="https://github.com/apache/commons-codec/commit/6d92b6acfc8db2bf04115ad0934934a59aa4219f"><code>6d92b6a</code></a>
Bump org.apache.commons:commons-parent from 65 to 66 <a
href="https://redirect.github.com/apache/commons-codec/issues/239">#239</a></li>
<li><a
href="https://github.com/apache/commons-codec/commit/a76c362b5a54227717e82c198165eac49297e571"><code>a76c362</code></a>
Bump org.apache.commons:commons-parent from 65 to 66 (<a
href="https://redirect.github.com/apache/commons-codec/issues/239">#239</a>)</li>
<li><a
href="https://github.com/apache/commons-codec/commit/0aee0c82e310e99eebbe7b0909464981054ecf36"><code>0aee0c8</code></a>
Add property project.build.outputTimestamp for build
reproducibility</li>
<li><a
href="https://github.com/apache/commons-codec/commit/d322ef089f97f570b0706417c2f9e2a3921e225c"><code>d322ef0</code></a>
Bump codecov/codecov-action from 3.1.5 to 4.0.1 (<a
href="https://redirect.github.com/apache/commons-codec/issues/238">#238</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/apache/commons-codec/compare/rel/commons-codec-1.16.0...rel/commons-codec-1.16.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=commons-codec:commons-codec&package-manager=gradle&previous-version=1.16.0&new-version=1.16.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 8a31c3b874..d5d1dbae3d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -474,7 +474,7 @@ bundlePlugin {
 configurations {
     all {
         resolutionStrategy {
-            force 'commons-codec:commons-codec:1.16.0'
+            force 'commons-codec:commons-codec:1.16.1'
             force 'org.slf4j:slf4j-api:1.7.36'
             force 'org.scala-lang:scala-library:2.13.12'
             force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
@@ -607,7 +607,7 @@ dependencies {
 
     runtimeOnly 'com.sun.activation:jakarta.activation:1.2.2'
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
-    runtimeOnly 'commons-codec:commons-codec:1.16.0'
+    runtimeOnly 'commons-codec:commons-codec:1.16.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
     compileOnly 'com.google.errorprone:error_prone_annotations:2.24.1'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'

From 0bb31ca365050f201d2a261e66670c3dbc8d8f7c Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Mon, 12 Feb 2024 11:55:36 -0500
Subject: [PATCH 054/143] Add `exclude_roles` configuration parameter to LDAP
 authorization backend (#4025)

Signed-off-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: Maciej Mierzwa <dev.maciej.mierzwa@gmail.com>
---
 .../backend/LDAPAuthorizationBackend.java     | 18 ++--
 .../dlic/auth/ldap/util/ConfigConstants.java  |  1 +
 .../dlic/auth/ldap/util/LdapHelper.java       |  1 -
 .../auth/ldap2/LDAPAuthorizationBackend2.java | 24 ++++--
 .../security/support/WildcardMatcher.java     |  8 +-
 .../dlic/auth/ldap/LdapBackendTest.java       | 86 +++++++++++++++++++
 .../ldap2/LdapBackendTestNewStyleConfig2.java | 12 +--
 .../org/opensearch/security/UtilTests.java    |  2 +
 8 files changed, 130 insertions(+), 22 deletions(-)

diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java
index d8b33b2a7e..0ad0da54c6 100755
--- a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java
+++ b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java
@@ -101,6 +101,7 @@ public class LDAPAuthorizationBackend implements AuthorizationBackend {
     protected static final Logger log = LogManager.getLogger(LDAPAuthorizationBackend.class);
     private final Settings settings;
     private final WildcardMatcher skipUsersMatcher;
+    private final WildcardMatcher excludeRolesMatcher;
     private final WildcardMatcher nestedRoleMatcher;
     private final Path configPath;
     private final List<Map.Entry<String, Settings>> roleBaseSettings;
@@ -112,6 +113,7 @@ public class LDAPAuthorizationBackend implements AuthorizationBackend {
     public LDAPAuthorizationBackend(final Settings settings, final Path configPath) {
         this.settings = settings;
         this.skipUsersMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_SKIP_USERS));
+        this.excludeRolesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES));
         this.nestedRoleMatcher = settings.getAsBoolean(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, false)
             ? WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_NESTEDROLEFILTER))
             : null;
@@ -962,10 +964,12 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
                 for (final LdapName roleLdapName : nestedReturn) {
                     final String role = getRoleFromEntry(connection, roleLdapName, roleName);
 
-                    if (!Strings.isNullOrEmpty(role)) {
-                        user.addRole(role);
+                    if (excludeRolesMatcher.test(role)) {
+                        if (isDebugEnabled) {
+                            log.debug("Role was excluded or empty, attribute: '{}' for entry: {}", roleName, roleLdapName);
+                        }
                     } else {
-                        log.warn("No or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        user.addRole(role);
                     }
                 }
 
@@ -974,10 +978,12 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
                 for (final LdapName roleLdapName : ldapRoles) {
                     final String role = getRoleFromEntry(connection, roleLdapName, roleName);
 
-                    if (!Strings.isNullOrEmpty(role)) {
-                        user.addRole(role);
+                    if (excludeRolesMatcher.test(role)) {
+                        if (isDebugEnabled) {
+                            log.debug("Role was excluded or empty, attribute: '{}' for entry: {}", roleName, roleLdapName);
+                        }
                     } else {
-                        log.warn("No or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        user.addRole(role);
                     }
                 }
 
diff --git a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java
index 4854f80332..d3c0b798da 100755
--- a/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java
+++ b/src/main/java/com/amazon/dlic/auth/ldap/util/ConfigConstants.java
@@ -29,6 +29,7 @@ public final class ConfigConstants {
     public static final String LDAP_AUTHZ_USERROLEATTRIBUTE = "userroleattribute";// multi-value
     public static final String LDAP_AUTHZ_USERROLENAME = "userrolename";// multi-value
     public static final String LDAP_AUTHZ_SKIP_USERS = "skip_users";
+    public static final String LDAP_AUTHZ_EXCLUDE_ROLES = "exclude_roles";
     public static final String LDAP_AUTHZ_ROLESEARCH_ENABLED = "rolesearch_enabled";
     public static final String LDAP_AUTHZ_NESTEDROLEFILTER = "nested_role_filter";
     public static final String LDAP_AUTHZ_MAX_NESTED_DEPTH = "max_nested_depth";
diff --git a/src/main/java/com/amazon/dlic/auth/ldap/util/LdapHelper.java b/src/main/java/com/amazon/dlic/auth/ldap/util/LdapHelper.java
index f2dffa62fd..bdb2e00754 100644
--- a/src/main/java/com/amazon/dlic/auth/ldap/util/LdapHelper.java
+++ b/src/main/java/com/amazon/dlic/auth/ldap/util/LdapHelper.java
@@ -122,7 +122,6 @@ private static Object escapeForwardSlash(Object input) {
         } else {
             return input;
         }
-
     }
 
 }
diff --git a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthorizationBackend2.java b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthorizationBackend2.java
index e05b2e1e64..8c1569bfb6 100755
--- a/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthorizationBackend2.java
+++ b/src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthorizationBackend2.java
@@ -69,6 +69,7 @@ public class LDAPAuthorizationBackend2 implements AuthorizationBackend, Destroya
     protected static final Logger log = LogManager.getLogger(LDAPAuthorizationBackend2.class);
     private final Settings settings;
     private final WildcardMatcher skipUsersMatcher;
+    private final WildcardMatcher excludeRolesMatcher;
     private final WildcardMatcher nestedRoleMatcher;
     private final List<Map.Entry<String, Settings>> roleBaseSettings;
     private ConnectionPool connectionPool;
@@ -80,6 +81,7 @@ public class LDAPAuthorizationBackend2 implements AuthorizationBackend, Destroya
     public LDAPAuthorizationBackend2(final Settings settings, final Path configPath) throws SSLConfigException {
         this.settings = settings;
         this.skipUsersMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_SKIP_USERS));
+        this.excludeRolesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES));
         this.nestedRoleMatcher = settings.getAsBoolean(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, false)
             ? WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_AUTHZ_NESTEDROLEFILTER))
             : null;
@@ -329,8 +331,10 @@ private void fillRoles0(final User user, final AuthCredentials optionalAuthCreds
                         for (final Iterator<LdapEntry> iterator = rolesResult.iterator(); iterator.hasNext();) {
                             LdapEntry searchResultEntry = iterator.next();
                             LdapName ldapName = new LdapName(searchResultEntry.getDn());
-                            ldapRoles.add(ldapName);
-                            resultRoleSearchBaseKeys.put(ldapName, roleSearchSettingsEntry);
+                            if (!excludeRolesMatcher.test(searchResultEntry.getDn())) {
+                                ldapRoles.add(ldapName);
+                                resultRoleSearchBaseKeys.put(ldapName, roleSearchSettingsEntry);
+                            }
                         }
                     }
                 }
@@ -376,10 +380,12 @@ private void fillRoles0(final User user, final AuthCredentials optionalAuthCreds
                 for (final LdapName roleLdapName : nestedReturn) {
                     final String role = getRoleFromEntry(connection, roleLdapName, roleName);
 
-                    if (!Strings.isNullOrEmpty(role)) {
-                        user.addRole(role);
+                    if (excludeRolesMatcher.test(role)) {
+                        if (isDebugEnabled) {
+                            log.debug("Role was excluded or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        }
                     } else {
-                        log.warn("No or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        user.addRole(role);
                     }
                 }
 
@@ -388,10 +394,12 @@ private void fillRoles0(final User user, final AuthCredentials optionalAuthCreds
                 for (final LdapName roleLdapName : ldapRoles) {
                     final String role = getRoleFromEntry(connection, roleLdapName, roleName);
 
-                    if (!Strings.isNullOrEmpty(role)) {
-                        user.addRole(role);
+                    if (excludeRolesMatcher.test(role)) {
+                        if (isDebugEnabled) {
+                            log.debug("Role was excluded or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        }
                     } else {
-                        log.warn("No or empty attribute '{}' for entry {}", roleName, roleLdapName);
+                        user.addRole(role);
                     }
                 }
 
diff --git a/src/main/java/org/opensearch/security/support/WildcardMatcher.java b/src/main/java/org/opensearch/security/support/WildcardMatcher.java
index 99c34b53ba..d811a73730 100644
--- a/src/main/java/org/opensearch/security/support/WildcardMatcher.java
+++ b/src/main/java/org/opensearch/security/support/WildcardMatcher.java
@@ -150,7 +150,9 @@ public String toString() {
     };
 
     public static WildcardMatcher from(String pattern, boolean caseSensitive) {
-        if (pattern.equals("*")) {
+        if (pattern == null) {
+            return NONE;
+        } else if (pattern.equals("*")) {
             return ANY;
         } else if (pattern.startsWith("/") && pattern.endsWith("/")) {
             return new RegexMatcher(pattern, caseSensitive);
@@ -168,7 +170,9 @@ public static WildcardMatcher from(String pattern) {
     // This may in future use more optimized techniques to combine multiple WildcardMatchers in a single automaton
     public static <T> WildcardMatcher from(Stream<T> stream, boolean caseSensitive) {
         Collection<WildcardMatcher> matchers = stream.map(t -> {
-            if (t instanceof String) {
+            if (t == null) {
+                return NONE;
+            } else if (t instanceof String) {
                 return WildcardMatcher.from(((String) t), caseSensitive);
             } else if (t instanceof WildcardMatcher) {
                 return ((WildcardMatcher) t);
diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
index 4fe7ad0514..8e5e2541b8 100755
--- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
@@ -14,6 +14,7 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Paths;
 import java.util.Arrays;
+import java.util.List;
 
 import org.hamcrest.MatcherAssert;
 import org.junit.AfterClass;
@@ -39,6 +40,7 @@
 import org.ldaptive.ReturnAttributes;
 
 import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.not;
 
 public class LdapBackendTest {
 
@@ -579,6 +581,90 @@ public void testLdapAuthorizationNested() throws Exception {
         MatcherAssert.assertThat(user.getRoles(), hasItem("nested1"));
     }
 
+    @Test
+    public void testLdapNestedRoleFiltering() {
+
+        final Settings settings = Settings.builder()
+            .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
+            .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
+            .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLEBASE, "ou=groups,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
+            .put(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, true)
+            .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})")
+            .putList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES, List.of("nested1", "nested2"))
+            .build();
+
+        final User user = new User("spock");
+
+        new LDAPAuthorizationBackend(settings, null).fillRoles(user, null);
+
+        Assert.assertNotNull(user);
+        Assert.assertEquals("spock", user.getName());
+        Assert.assertEquals(2, user.getRoles().size());
+        // filtered out
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("nested1")));
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("nested2")));
+        MatcherAssert.assertThat(user.getRoles(), hasItem("role2"));
+        MatcherAssert.assertThat(user.getRoles(), hasItem("ceo"));
+    }
+
+    @Test
+    public void testLdapNestedRoleFilteringWithExcludedRolesWildcard() {
+
+        final Settings settings = Settings.builder()
+            .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
+            .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
+            .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLEBASE, "ou=groups,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
+            .put(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, true)
+            .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})")
+            .putList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES, List.of("nested*"))
+            .build();
+
+        final User user = new User("spock");
+
+        new LDAPAuthorizationBackend(settings, null).fillRoles(user, null);
+
+        Assert.assertNotNull(user);
+        Assert.assertEquals("spock", user.getName());
+        Assert.assertEquals(2, user.getRoles().size());
+        // filtered out
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("nested1")));
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("nested2")));
+        MatcherAssert.assertThat(user.getRoles(), hasItem("role2"));
+        MatcherAssert.assertThat(user.getRoles(), hasItem("ceo"));
+    }
+
+    @Test
+    public void testLdapdRoleFiltering() {
+
+        final Settings settings = Settings.builder()
+            .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
+            .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
+            .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLEBASE, "ou=groups,o=TEST")
+            .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
+            .put(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, true)
+            .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})")
+            .putList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES, List.of("ceo", "role1", "role2"))
+            .build();
+
+        final User user = new User("spock");
+
+        new LDAPAuthorizationBackend(settings, null).fillRoles(user, null);
+
+        Assert.assertNotNull(user);
+        Assert.assertEquals("spock", user.getName());
+        Assert.assertEquals(2, user.getRoles().size());
+        MatcherAssert.assertThat(user.getRoles(), hasItem("nested1"));
+        MatcherAssert.assertThat(user.getRoles(), hasItem("nested2"));
+        // filtered out
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("role2")));
+        MatcherAssert.assertThat(user.getRoles(), not(hasItem("ceo")));
+    }
+
     @Test
     public void testLdapAuthorizationNestedFilter() throws Exception {
 
diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
index 634584c167..6f23e4ab44 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
@@ -15,6 +15,7 @@
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import java.util.TreeSet;
 
 import org.apache.commons.lang3.exception.ExceptionUtils;
@@ -564,16 +565,18 @@ public void testLdapAuthorizationNested() throws Exception {
             .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
             .put(ConfigConstants.LDAP_AUTHZ_RESOLVE_NESTED_ROLES, true)
             .put("roles.g1.search", "(uniqueMember={0})")
+            .putList(ConfigConstants.LDAP_AUTHZ_EXCLUDE_ROLES, List.of("nested2"))
             .build();
 
         final User user = new User("spock");
 
-        new LDAPAuthorizationBackend(settings, null).fillRoles(user, null);
+        new LDAPAuthorizationBackend2(settings, null).fillRoles(user, null);
 
         Assert.assertNotNull(user);
         Assert.assertEquals("spock", user.getName());
-        Assert.assertEquals(4, user.getRoles().size());
-        Assert.assertEquals("nested1", new ArrayList<>(new TreeSet<>(user.getRoles())).get(1));
+        Assert.assertEquals(3, user.getRoles().size());
+        Assert.assertTrue(user.getRoles().contains("nested1"));
+        Assert.assertFalse(user.getRoles().contains("nested2"));
     }
 
     @Test
@@ -759,7 +762,7 @@ public void testLdapAuthorizationNestedAttrFilter() throws Exception {
     }
 
     @Test
-    public void testLdapAuthorizationNestedAttrFilterAll() throws Exception {
+    public void testLdapAuthorizationNestedAttrFilterAll() {
 
         final Settings settings = createBaseSettings().putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
             .put("users.u1.search", "(uid={0})")
@@ -780,7 +783,6 @@ public void testLdapAuthorizationNestedAttrFilterAll() throws Exception {
         Assert.assertNotNull(user);
         Assert.assertEquals("spock", user.getName());
         Assert.assertEquals(4, user.getRoles().size());
-
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/UtilTests.java b/src/test/java/org/opensearch/security/UtilTests.java
index 3b6ed2edc9..402d5dc92f 100644
--- a/src/test/java/org/opensearch/security/UtilTests.java
+++ b/src/test/java/org/opensearch/security/UtilTests.java
@@ -70,6 +70,8 @@ public void testWildcardMatcherClasses() {
         assertTrue(wc("/\\S+/").test("abc"));
         assertTrue(wc("abc").test("abc"));
         assertFalse(wc("ABC").test("abc"));
+        assertFalse(wc(null).test("abc"));
+        assertTrue(WildcardMatcher.from(null, "abc").test("abc"));
     }
 
     @Test

From babf0123383d8f8334c128071e75ec1334cc1725 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 14 Feb 2024 14:05:55 -0500
Subject: [PATCH 055/143] Add exlusion for logback-core to resolve
 CVE-2023-6378 (#4049)

### Description
[Describe what this change achieves]
This change adds an exclusion for the transitive logback-core dependency
that the Security plugin was still using as a test dependency.

This should resolve the flagging of CVE-2023-6378 even though we should
not have been directly impacted.

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build.gradle b/build.gradle
index d5d1dbae3d..15cbcb0426 100644
--- a/build.gradle
+++ b/build.gradle
@@ -707,6 +707,7 @@ dependencies {
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.1') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
+        exclude(group:'ch.qos.logback', module: 'logback-core' )
     }
     testRuntimeOnly "org.apache.kafka:kafka-metadata:${kafka_version}"
     testRuntimeOnly "org.apache.kafka:kafka-storage:${kafka_version}"

From b7b49b9de147126a7c7a3ed0f2f1a33d02eaee9f Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 14 Feb 2024 16:38:32 -0500
Subject: [PATCH 056/143] Update Bouncy Castle Version from *jdk15to18 to
 *jdk18on  (#4052)

### Description
[Describe what this change achieves]
Following: https://github.com/opensearch-project/OpenSearch/pull/12317
in core, this PR increases the version used for bouncycastle in the
Security plugin. This is an attempt to correct the intermittent failures
described here:
[#3299](https://github.com/opensearch-project/security/issues/3299)

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 build.gradle | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 15cbcb0426..b50cdcc7a7 100644
--- a/build.gradle
+++ b/build.gradle
@@ -582,7 +582,7 @@ dependencies {
     implementation "com.google.guava:guava:${guava_version}"
     implementation 'org.greenrobot:eventbus-java:3.3.1'
     implementation 'commons-cli:commons-cli:1.6.0'
-    implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
+    implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 
@@ -654,7 +654,7 @@ dependencies {
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
     runtimeOnly 'org.checkerframework:checker-qual:3.42.0'
-    runtimeOnly "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
+    runtimeOnly "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
 
@@ -728,8 +728,8 @@ dependencies {
     integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
-    integrationTestImplementation "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
-    integrationTestImplementation "org.bouncycastle:bcutil-jdk15to18:${versions.bouncycastle}"
+    integrationTestImplementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
+    integrationTestImplementation "org.bouncycastle:bcutil-jdk18on:${versions.bouncycastle}"
     integrationTestImplementation('org.awaitility:awaitility:4.2.0') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }

From 9fa07370036d32d9cd1e00ba86751dbb2c8ca5c5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Feb 2024 08:42:29 -0600
Subject: [PATCH 057/143] Bump com.google.errorprone:error_prone_annotations
 from 2.24.1 to 2.25.0 (#4057)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index b50cdcc7a7..bfce9121b1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -499,7 +499,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.24.1"
+            force "com.google.errorprone:error_prone_annotations:2.25.0"
             force "org.checkerframework:checker-qual:3.42.0"
             force "ch.qos.logback:logback-classic:1.2.13"
         }
@@ -609,7 +609,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.24.1'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.25.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
     runtimeOnly 'org.ow2.asm:asm:9.6'

From bd3415a63c6bf4ea513543a3c59b88b7be79563f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Feb 2024 08:42:40 -0600
Subject: [PATCH 058/143] Bump spring_version from 5.3.31 to 5.3.32 (#4056)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index bfce9121b1..76974f469b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -32,7 +32,7 @@ buildscript {
         jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'
         jaxb_version = '2.3.9'
-        spring_version = '5.3.31'
+        spring_version = '5.3.32'
 
         if (buildVersionQualifier) {
             opensearch_build += "-${buildVersionQualifier}"

From ccea7441545c807b7c4eb531706b1d919ea11988 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Wed, 21 Feb 2024 20:48:31 -0500
Subject: [PATCH 059/143] Fix unconsumed parameter exception when
 authenticating with jwtUrlParameter (#3975)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Peter Nied <peternied@hotmail.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
---
 .../JwtAuthenticationWithUrlParamTests.java   | 108 ++++++++++++++++++
 .../test/framework/JwtConfigBuilder.java      |   9 ++
 .../framework/cluster/TestRestClient.java     |   7 ++
 .../security/filter/NettyRequest.java         |  35 +++++-
 .../security/filter/OpenSearchRequest.java    |  15 ++-
 .../security/filter/SecurityRequest.java      |   4 +
 .../filter/SecurityRequestChannel.java        |   4 +-
 .../security/filter/SecurityRestFilter.java   |   8 ++
 .../http/SecurityHttpServerTransport.java     |   3 +
 .../Netty4HttpRequestHeaderVerifier.java      |   3 +
 10 files changed, 192 insertions(+), 4 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java

diff --git a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
new file mode 100644
index 0000000000..6dfb3c3bbc
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.http;
+
+import java.security.KeyPair;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.hc.core5.http.Header;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.JwtConfigBuilder;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+import org.opensearch.test.framework.log.LogsRule;
+
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
+
+import static java.nio.charset.StandardCharsets.US_ASCII;
+import static org.apache.http.HttpHeaders.AUTHORIZATION;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.BASIC_AUTH_DOMAIN_ORDER;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class JwtAuthenticationWithUrlParamTests {
+
+    public static final String CLAIM_USERNAME = "preferred-username";
+    public static final String CLAIM_ROLES = "backend-user-roles";
+    public static final String POINTER_USERNAME = "/user_name";
+
+    private static final KeyPair KEY_PAIR = Keys.keyPairFor(SignatureAlgorithm.RS256);
+    private static final String PUBLIC_KEY = new String(Base64.getEncoder().encode(KEY_PAIR.getPublic().getEncoded()), US_ASCII);
+
+    static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
+
+    private static final String TOKEN_URL_PARAM = "token";
+
+    private static final JwtAuthorizationHeaderFactory tokenFactory = new JwtAuthorizationHeaderFactory(
+        KEY_PAIR.getPrivate(),
+        CLAIM_USERNAME,
+        CLAIM_ROLES,
+        AUTHORIZATION
+    );
+
+    public static final TestSecurityConfig.AuthcDomain JWT_AUTH_DOMAIN = new TestSecurityConfig.AuthcDomain(
+        "jwt",
+        BASIC_AUTH_DOMAIN_ORDER - 1
+    ).jwtHttpAuthenticator(
+        new JwtConfigBuilder().jwtUrlParameter(TOKEN_URL_PARAM).signingKey(PUBLIC_KEY).subjectKey(CLAIM_USERNAME).rolesKey(CLAIM_ROLES)
+    ).backend("noop");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .nodeSettings(
+            Map.of("plugins.security.restapi.roles_enabled", List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()))
+        )
+        .authc(AUTHC_HTTPBASIC_INTERNAL)
+        .authc(JWT_AUTH_DOMAIN)
+        .users(ADMIN_USER)
+        .build();
+
+    @Rule
+    public LogsRule logsRule = new LogsRule("com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator");
+
+    @Test
+    public void shouldAuthenticateWithJwtTokenInUrl_positive() {
+        Header jwtToken = tokenFactory.generateValidToken(ADMIN_USER.getName());
+        String jwtTokenValue = jwtToken.getValue();
+        try (TestRestClient client = cluster.getRestClient()) {
+            HttpResponse response = client.getAuthInfo(Map.of(TOKEN_URL_PARAM, jwtTokenValue));
+
+            response.assertStatusCode(200);
+            String username = response.getTextFromJsonBody(POINTER_USERNAME);
+            assertThat(username, equalTo(ADMIN_USER.getName()));
+        }
+    }
+
+    @Test
+    public void testUnauthenticatedRequest() {
+        try (TestRestClient client = cluster.getRestClient()) {
+            HttpResponse response = client.getAuthInfo();
+
+            response.assertStatusCode(401);
+            logsRule.assertThatContainExactly(String.format("No JWT token found in '%s' url parameter header", TOKEN_URL_PARAM));
+        }
+    }
+}
diff --git a/src/integrationTest/java/org/opensearch/test/framework/JwtConfigBuilder.java b/src/integrationTest/java/org/opensearch/test/framework/JwtConfigBuilder.java
index 48dfa128e0..88297bacd2 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/JwtConfigBuilder.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/JwtConfigBuilder.java
@@ -18,6 +18,7 @@
 
 public class JwtConfigBuilder {
     private String jwtHeader;
+    private String jwtUrlParameter;
     private String signingKey;
     private String subjectKey;
     private String rolesKey;
@@ -27,6 +28,11 @@ public JwtConfigBuilder jwtHeader(String jwtHeader) {
         return this;
     }
 
+    public JwtConfigBuilder jwtUrlParameter(String jwtUrlParameter) {
+        this.jwtUrlParameter = jwtUrlParameter;
+        return this;
+    }
+
     public JwtConfigBuilder signingKey(String signingKey) {
         this.signingKey = signingKey;
         return this;
@@ -51,6 +57,9 @@ public Map<String, Object> build() {
         if (isNoneBlank(jwtHeader)) {
             builder.put("jwt_header", jwtHeader);
         }
+        if (isNoneBlank(jwtUrlParameter)) {
+            builder.put("jwt_url_parameter", jwtUrlParameter);
+        }
         if (isNoneBlank(subjectKey)) {
             builder.put("subject_key", subjectKey);
         }
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
index c2e01bb338..b7da92b270 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
@@ -36,6 +36,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -113,6 +114,12 @@ public HttpResponse getAuthInfo(Header... headers) {
         return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo?pretty"), headers);
     }
 
+    public HttpResponse getAuthInfo(Map<String, String> urlParams, Header... headers) {
+        String urlParamsString = "?"
+            + urlParams.entrySet().stream().map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
+        return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo" + urlParamsString), headers);
+    }
+
     public void confirmCorrectCredentials(String expectedUserName) {
         HttpResponse response = getAuthInfo();
         assertThat(response, notNullValue());
diff --git a/src/main/java/org/opensearch/security/filter/NettyRequest.java b/src/main/java/org/opensearch/security/filter/NettyRequest.java
index 7b65e4e0de..c827ddc779 100644
--- a/src/main/java/org/opensearch/security/filter/NettyRequest.java
+++ b/src/main/java/org/opensearch/security/filter/NettyRequest.java
@@ -14,12 +14,17 @@
 import java.net.InetSocketAddress;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.TreeMap;
 import javax.net.ssl.SSLEngine;
 
+import com.google.common.base.Supplier;
+import com.google.common.base.Suppliers;
+
 import org.opensearch.http.netty4.Netty4HttpChannel;
 import org.opensearch.rest.RestRequest.Method;
 import org.opensearch.rest.RestUtils;
@@ -34,6 +39,7 @@ public class NettyRequest implements SecurityRequest {
 
     protected final HttpRequest underlyingRequest;
     protected final Netty4HttpChannel underlyingChannel;
+    protected final Supplier<CheckedAccessMap> parameters = Suppliers.memoize(() -> new CheckedAccessMap(params(uri())));
 
     NettyRequest(final HttpRequest request, final Netty4HttpChannel channel) {
         this.underlyingRequest = request;
@@ -82,7 +88,12 @@ public String uri() {
 
     @Override
     public Map<String, String> params() {
-        return params(underlyingRequest.uri());
+        return parameters.get();
+    }
+
+    @Override
+    public Set<String> getUnconsumedParams() {
+        return parameters.get().accessedKeys();
     }
 
     private static Map<String, String> params(String uri) {
@@ -100,4 +111,26 @@ private static Map<String, String> params(String uri) {
 
         return params;
     }
+
+    /** Records access of any keys if explicitly requested from this map */
+    private static class CheckedAccessMap extends HashMap<String, String> {
+        private final Set<String> accessedKeys = new HashSet<>();
+
+        public CheckedAccessMap(final Map<String, String> map) {
+            super(map);
+        }
+
+        @Override
+        public String get(final Object key) {
+            // Never noticed this about java's map interface the getter is not generic
+            if (key instanceof String) {
+                accessedKeys.add((String) key);
+            }
+            return super.get(key);
+        }
+
+        public Set<String> accessedKeys() {
+            return accessedKeys;
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java b/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
index e86012f594..7cca8111c9 100644
--- a/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
+++ b/src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
@@ -12,9 +12,11 @@
 package org.opensearch.security.filter;
 
 import java.net.InetSocketAddress;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import javax.net.ssl.SSLEngine;
 
 import org.opensearch.rest.RestRequest;
@@ -69,7 +71,18 @@ public String uri() {
 
     @Override
     public Map<String, String> params() {
-        return underlyingRequest.params();
+        return new HashMap<>(underlyingRequest.params()) {
+            @Override
+            public String get(Object key) {
+                return underlyingRequest.param((String) key);
+            }
+        };
+    }
+
+    @Override
+    public Set<String> getUnconsumedParams() {
+        // params() Map consumes explict parameter access
+        return Set.of();
     }
 
     /** Gets access to the underlying request object */
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequest.java b/src/main/java/org/opensearch/security/filter/SecurityRequest.java
index 4c7ea27a87..d3741585ac 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRequest.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRequest.java
@@ -15,6 +15,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLEngine;
 
@@ -49,4 +50,7 @@ default String header(final String headerName) {
 
     /** The parameters associated with this request */
     Map<String, String> params();
+
+    /** The list of parameters that have been accessed but not recorded as being consumed */
+    Set<String> getUnconsumedParams();
 }
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java
index 66744d01dd..241c9009f4 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java
@@ -14,13 +14,13 @@
 import java.util.Optional;
 
 /**
- * When a request is recieved by the security plugin this governs getting information about the request and complete with with a response
+ * When a request is received by the security plugin this governs getting information about the request and complete with a response
  */
 public interface SecurityRequestChannel extends SecurityRequest {
 
     /** Associate a response with this channel */
     void queueForSending(final SecurityResponse response);
 
-    /** Acess the queued response */
+    /** Access the queued response */
     Optional<SecurityResponse> getQueuedResponse();
 }
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index d52c5109fc..b649b8d71f 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -72,6 +72,7 @@
 import static org.opensearch.security.http.SecurityHttpServerTransport.CONTEXT_TO_RESTORE;
 import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
 import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
+import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
 
 public class SecurityRestFilter {
 
@@ -144,6 +145,13 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
                 }
             });
 
+            NettyAttribute.popFrom(request, UNCONSUMED_PARAMS).ifPresent(unconsumedParams -> {
+                for (String unconsumedParam : unconsumedParams) {
+                    // Consume the parameter on the RestRequest
+                    request.param(unconsumedParam);
+                }
+            });
+
             final SecurityRequestChannel requestChannel = SecurityRequestFactory.from(request, channel);
 
             // Authenticate request
diff --git a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
index c5fbbfbbc6..eb75f898f4 100644
--- a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
@@ -26,6 +26,8 @@
 
 package org.opensearch.security.http;
 
+import java.util.Set;
+
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
@@ -47,6 +49,7 @@
 public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
 
     public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
+    public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
     public static final AttributeKey<ThreadContext.StoredContext> CONTEXT_TO_RESTORE = AttributeKey.newInstance(
         "opensearch-http-request-thread-context"
     );
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
index 9adca0f377..e6dec0c213 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
@@ -36,6 +36,7 @@
 import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
 import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
 import static org.opensearch.security.http.SecurityHttpServerTransport.SHOULD_DECOMPRESS;
+import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
 
 @Sharable
 public class Netty4HttpRequestHeaderVerifier extends SimpleChannelInboundHandler<DefaultHttpRequest> {
@@ -84,6 +85,8 @@ public void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest msg) thro
             // If request channel is completed and a response is sent, then there was a failure during authentication
             restFilter.checkAndAuthenticateRequest(requestChannel);
 
+            ctx.channel().attr(UNCONSUMED_PARAMS).set(requestChannel.getUnconsumedParams());
+
             ThreadContext.StoredContext contextToRestore = threadPool.getThreadContext().newStoredContext(false);
             ctx.channel().attr(CONTEXT_TO_RESTORE).set(contextToRestore);
 

From 9a6a018c44aeae20639dfb45ff5c74b2ec3822d8 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com>
Date: Thu, 22 Feb 2024 11:13:53 -0500
Subject: [PATCH 060/143] Regenerates root-ca, kirk and esnode certificates to
 address already expired root ca certificate (#4061)

### Description

During the last renewal of certs
https://github.com/opensearch-project/security/pull/3268, the option
`-days 3650` was missed for root-ca.pem cert causing it to set the
default expiry of 30 days. This PR regenerates the public cert
root-ca.pem, using the same private-key, and it also regenerate public
certs `es-node.pem` and `kirk.pem` so that they can be verified with
this new certificate.
* Category : Bug fix
* Why these changes are required?
    - To ensure the expiry is in 10 years from now
* What is the old behavior before changes and new behavior after
changes?
- root-ca is currently expired, and this change will set expiry to 2034

### Issues Resolved
- Resolves https://github.com/opensearch-project/security/issues/4047


### Testing
- Automated testing + [Manual
Testing](https://github.com/opensearch-project/security/pull/4061#issuecomment-1954817947)



---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
---
 DEVELOPER_GUIDE.md                            |   8 ++-
 .../src/test/resources/security/esnode.pem    |  16 ++---
 bwc-test/src/test/resources/security/kirk.pem |  28 ++++----
 .../src/test/resources/security/root-ca.pem   |  18 ++---
 .../security/OpenSearchSecurityPlugin.java    |   5 ++
 .../tools/democonfig/Certificates.java        |  62 +++++++++---------
 .../democonfig/CertificateGeneratorTests.java |   6 --
 .../resources/sanity-tests/kirk-keystore.jks  | Bin 4504 -> 3766 bytes
 src/test/resources/sanity-tests/root-ca.pem   |  18 ++---
 9 files changed, 81 insertions(+), 80 deletions(-)

diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md
index 472f3f06a9..4b5a53a8c0 100644
--- a/DEVELOPER_GUIDE.md
+++ b/DEVELOPER_GUIDE.md
@@ -86,7 +86,7 @@ rm -rf config/
 ## ROOT
 
 openssl genrsa -out root-ca-key.pem 2048
-openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -addext "basicConstraints = critical,CA:TRUE" -addext "keyUsage = critical, digitalSignature, keyCertSign, cRLSign" -addext "subjectKeyIdentifier = hash" -addext "authorityKeyIdentifier = keyid:always,issuer:always" -out root-ca.pem
+openssl req -new -x509 -sha256 -days 3650 -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -addext "basicConstraints = critical,CA:TRUE" -addext "keyUsage = critical, digitalSignature, keyCertSign, cRLSign" -addext "subjectKeyIdentifier = hash" -addext "authorityKeyIdentifier = keyid:always,issuer:always" -out root-ca.pem
 
 
 ## NODE
@@ -94,13 +94,15 @@ openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/DC=com/DC=example/O=
 openssl genrsa -out esnode-key-temp.pem 2048
 openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out esnode-key.pem
 openssl req -new -key esnode-key.pem -subj "/C=de/L=test/O=node/OU=node/CN=node-0.example.com" -out esnode.csr
-openssl x509 -req -in esnode.csr -out esnode.pem -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -days 3650 -extfile <(printf "subjectAltName = RID:1.2.3.4.5.5, DNS:node-0.example.com, DNS:localhost, IP:::1, IP:127.0.0.1\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nbasicConstraints = critical,CA:FALSE")
+printf "subjectAltName = RID:1.2.3.4.5.5, DNS:node-0.example.com, DNS:localhost, IP:::1, IP:127.0.0.1\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nbasicConstraints = critical,CA:FALSE" > esnode_ext.conf
+openssl x509 -req -in esnode.csr -out esnode.pem -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -days 3650 -extfile esnode_ext.conf
 
 
 ## ADMIN
 
 openssl req -new -newkey rsa:2048 -keyout kirk-key.pem -out kirk.csr -nodes -subj "/C=de/L=test/O=client/OU=client/CN=kirk"
-openssl x509 -req -in kirk.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out kirk.pem -days 3650 -extfile <(printf "basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment\nextendedKeyUsage = critical,clientAuth\nauthorityKeyIdentifier = keyid,issuer:always\nsubjectKeyIdentifier = hash")
+printf "basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment\nextendedKeyUsage = critical,clientAuth\nauthorityKeyIdentifier=keyid,issuer:always\nsubjectKeyIdentifier = hash" > kirk_ext.conf
+openssl x509 -req -in kirk.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out kirk.pem -days 3650 -extfile kirk_ext.conf
 
 ## Remove root-ca-key.pem and other temp keys
 
diff --git a/bwc-test/src/test/resources/security/esnode.pem b/bwc-test/src/test/resources/security/esnode.pem
index 12801ce5e7..b690a603da 100644
--- a/bwc-test/src/test/resources/security/esnode.pem
+++ b/bwc-test/src/test/resources/security/esnode.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iMwDQYJKoZIhvcNAQEL
+MIIEPDCCAySgAwIBAgIUaYSlET3nzsotWTrWueVPPh10yLYwDQYJKoZIhvcNAQEL
 BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
 cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
 IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
-dCBDQTAeFw0yMzA4MjkxOTQ0NDJaFw0zMzA4MjYxOTQ0NDJaMFcxCzAJBgNVBAYT
+dCBDQTAeFw0yNDAyMjAxNzAzMjVaFw0zNDAyMTcxNzAzMjVaMFcxCzAJBgNVBAYT
 AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl
 MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
 A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud
@@ -16,10 +16,10 @@ BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA
 AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF
 BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo
 wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ
-KoZIhvcNAQELBQADggEBAHfKc6NUXJfsT5nL1CtaGy3dutV13UQkdUwEkB0BikkX
-1PNaz2NeHyO2yQvp4G6WlovZB78tVqn5hbEZL7v8kUlAOTkjEJjsOu1Ib746eBdT
-gmUBKpIeBrm3a+tsLR9OBOuDb8aQO6fnFehFs/70y0sbyRbVqSmxLaYgRkPhhqwl
-3U7Ha1TpdJrckETk/iRcma0igvym1SvlUahgFXN4ZCLG3SycH+YRFtM749GVZBo5
-5E5gSfkWCj9jao3LjJn3ThtMsiL405uIPbFNm+5iXtflMk2aW666j1jlpeaZySuy
-DWBtA+T5Y6HhDECSjHOV131UekvHLF+SbWrv0S+ptjA=
+KoZIhvcNAQELBQADggEBAGbij5WyF0dKhQodQfTiFDb73ygU6IyeJkFSnxF67gDz
+pQJZKFvXuVBa3cGP5e7Qp3TK50N+blXGH0xXeIV9lXeYUk4hVfBlp9LclZGX8tGi
+7Xa2enMvIt5q/Yg3Hh755ZxnDYxCoGkNOXUmnMusKstE0YzvZ5Gv6fcRKFBUgZLh
+hUBqIEAYly1EqH/y45APiRt3Nor1yF6zEI4TnL0yNrHw6LyQkUNCHIGMJLfnJQ9L
+camMGIXOx60kXNMTigF9oXXwixWAnDM9y3QT8QXA7hej/4zkbO+vIeV/7lGUdkyg
+PAi92EvyxmsliEMyMR0VINl8emyobvfwa7oMeWMR+hg=
 -----END CERTIFICATE-----
diff --git a/bwc-test/src/test/resources/security/kirk.pem b/bwc-test/src/test/resources/security/kirk.pem
index 716b4ec4d9..b89edfe18f 100644
--- a/bwc-test/src/test/resources/security/kirk.pem
+++ b/bwc-test/src/test/resources/security/kirk.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL
+MIIEmDCCA4CgAwIBAgIUaYSlET3nzsotWTrWueVPPh10yLcwDQYJKoZIhvcNAQEL
 BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
 cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
 IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
-dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT
+dCBDQTAeFw0yNDAyMjAxNzA0MjRaFw0zNDAyMTcxNzA0MjRaME0xCzAJBgNVBAYT
 AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs
 aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs
@@ -12,16 +12,16 @@ O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx
 vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6
 cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0
 bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw
-DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME
-gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy
-LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh
-bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB
-MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G
-xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG
-9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m
-y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p
-fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d
-1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec
-h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp
-RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==
+DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMB0GA1UdDgQW
+BBSjMS8tgguX/V7KSGLoGg7K6XMzIDCBzwYDVR0jBIHHMIHEgBQXh9+gWutmEqfV
+0Pi6EkU8tysAnKGBlaSBkjCBjzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmS
+JomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4xITAf
+BgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEhMB8GA1UEAwwYRXhhbXBs
+ZSBDb20gSW5jLiBSb290IENBghQNZAmZZn3EFOxBR4630XlhI+mo4jANBgkqhkiG
+9w0BAQsFAAOCAQEACEUPPE66/Ot3vZqRGpjDjPHAdtOq+ebaglQhvYcnDw8LOZm8
+Gbh9M88CiO6UxC8ipQLTPh2yyeWArkpJzJK/Pi1eoF1XLiAa0sQ/RaJfQWPm9dvl
+1ZQeK5vfD4147b3iBobwEV+CR04SKow0YeEEzAJvzr8YdKI6jqr+2GjjVqzxvRBy
+KRVHWCFiR7bZhHGLq3br8hSu0hwjb3oGa1ZI8dui6ujyZt6nm6BoEkau3G/6+zq9
+E6vX3+8Fj4HKCAL6i0SwfGmEpTNp5WUhqibK/fMhhmMT4Mx6MxkT+OFnIjdUU0S/
+e3kgnG8qjficUr38CyEli1U0M7koIXUZI7r+LQ==
 -----END CERTIFICATE-----
diff --git a/bwc-test/src/test/resources/security/root-ca.pem b/bwc-test/src/test/resources/security/root-ca.pem
index 5948a73b30..854323e6fe 100644
--- a/bwc-test/src/test/resources/security/root-ca.pem
+++ b/bwc-test/src/test/resources/security/root-ca.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL
+MIIExjCCA66gAwIBAgIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcNAQEL
 BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
 cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
 IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
-dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm
+dCBDQTAeFw0yNDAyMjAxNzAwMzZaFw0zNDAyMTcxNzAwMzZaMIGPMRMwEQYKCZIm
 iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
 RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
 IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG
@@ -18,11 +18,11 @@ F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4
 uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ
 k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD
 VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg
-Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN
-AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f
-qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i
-jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD
-jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae
-dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du
-8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=
+Q29tIEluYy4gUm9vdCBDQYIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcN
+AQELBQADggEBAL3Q3AHUhMiLUy6OlLSt8wX9I2oNGDKbBu0atpUNDztk/0s3YLQC
+YuXgN4KrIcMXQIuAXCx407c+pIlT/T1FNn+VQXwi56PYzxQKtlpoKUL3oPQE1d0V
+6EoiNk+6UodvyZqpdQu7fXVentRMk1QX7D9otmiiNuX+GSxJhJC2Lyzw65O9EUgG
+1yVJon6RkUGtqBqKIuLksKwEr//ELnjmXit4LQKSnqKr0FTCB7seIrKJNyb35Qnq
+qy9a/Unhokrmdda1tr6MbqU8l7HmxLuSd/Ky+L0eDNtYv6YfMewtjg0TtAnFyQov
+rdXmeq1dy9HLo3Ds4AFz3Gx9076TxcRS/iI=
 -----END CERTIFICATE-----
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 53493e7f6c..bde984531e 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -339,6 +339,11 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
         demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
         demoCertHashes.add("9948688bc4c7a198f2a0db1d91f4f54499b8626902d03361b6d43e822d3691e4"); // root-ca
 
+        // updates certs with renewed root-ca (02-2024)
+        demoCertHashes.add("a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042"); // kirk
+        demoCertHashes.add("a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1"); // esnode
+        demoCertHashes.add("cd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
+
         final SecurityManager sm = System.getSecurityManager();
 
         if (sm != null) {
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java b/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java
index 8e2af4dac7..baff8d7078 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java
@@ -23,11 +23,11 @@ public enum Certificates {
         () -> getCertContent(
             List.of(
                 "-----BEGIN CERTIFICATE-----",
-                "MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL",
+                "MIIEmDCCA4CgAwIBAgIUaYSlET3nzsotWTrWueVPPh10yLcwDQYJKoZIhvcNAQEL",
                 "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt",
                 "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl",
                 "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v",
-                "dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT",
+                "dCBDQTAeFw0yNDAyMjAxNzA0MjRaFw0zNDAyMTcxNzA0MjRaME0xCzAJBgNVBAYT",
                 "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs",
                 "aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC",
                 "ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs",
@@ -36,18 +36,18 @@ public enum Certificates {
                 "vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6",
                 "cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0",
                 "bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw",
-                "DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME",
-                "gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy",
-                "LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh",
-                "bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB",
-                "MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G",
-                "xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG",
-                "9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m",
-                "y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p",
-                "fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d",
-                "1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec",
-                "h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp",
-                "RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==",
+                "DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMB0GA1UdDgQW",
+                "BBSjMS8tgguX/V7KSGLoGg7K6XMzIDCBzwYDVR0jBIHHMIHEgBQXh9+gWutmEqfV",
+                "0Pi6EkU8tysAnKGBlaSBkjCBjzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmS",
+                "JomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4xITAf",
+                "BgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEhMB8GA1UEAwwYRXhhbXBs",
+                "ZSBDb20gSW5jLiBSb290IENBghQNZAmZZn3EFOxBR4630XlhI+mo4jANBgkqhkiG",
+                "9w0BAQsFAAOCAQEACEUPPE66/Ot3vZqRGpjDjPHAdtOq+ebaglQhvYcnDw8LOZm8",
+                "Gbh9M88CiO6UxC8ipQLTPh2yyeWArkpJzJK/Pi1eoF1XLiAa0sQ/RaJfQWPm9dvl",
+                "1ZQeK5vfD4147b3iBobwEV+CR04SKow0YeEEzAJvzr8YdKI6jqr+2GjjVqzxvRBy",
+                "KRVHWCFiR7bZhHGLq3br8hSu0hwjb3oGa1ZI8dui6ujyZt6nm6BoEkau3G/6+zq9",
+                "E6vX3+8Fj4HKCAL6i0SwfGmEpTNp5WUhqibK/fMhhmMT4Mx6MxkT+OFnIjdUU0S/",
+                "e3kgnG8qjficUr38CyEli1U0M7koIXUZI7r+LQ==",
                 "-----END CERTIFICATE-----"
             )
         )
@@ -92,11 +92,11 @@ public enum Certificates {
         () -> getCertContent(
             List.of(
                 "-----BEGIN CERTIFICATE-----",
-                "MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL",
+                "MIIEPDCCAySgAwIBAgIUaYSlET3nzsotWTrWueVPPh10yLYwDQYJKoZIhvcNAQEL",
                 "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt",
                 "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl",
                 "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v",
-                "dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT",
+                "dCBDQTAeFw0yNDAyMjAxNzAzMjVaFw0zNDAyMTcxNzAzMjVaMFcxCzAJBgNVBAYT",
                 "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl",
                 "MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA",
                 "A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud",
@@ -109,12 +109,12 @@ public enum Certificates {
                 "AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF",
                 "BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo",
                 "wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ",
-                "KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR",
-                "MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27",
-                "zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N",
-                "1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy",
-                "vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L",
-                "zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo=",
+                "KoZIhvcNAQELBQADggEBAGbij5WyF0dKhQodQfTiFDb73ygU6IyeJkFSnxF67gDz",
+                "pQJZKFvXuVBa3cGP5e7Qp3TK50N+blXGH0xXeIV9lXeYUk4hVfBlp9LclZGX8tGi",
+                "7Xa2enMvIt5q/Yg3Hh755ZxnDYxCoGkNOXUmnMusKstE0YzvZ5Gv6fcRKFBUgZLh",
+                "hUBqIEAYly1EqH/y45APiRt3Nor1yF6zEI4TnL0yNrHw6LyQkUNCHIGMJLfnJQ9L",
+                "camMGIXOx60kXNMTigF9oXXwixWAnDM9y3QT8QXA7hej/4zkbO+vIeV/7lGUdkyg",
+                "PAi92EvyxmsliEMyMR0VINl8emyobvfwa7oMeWMR+hg=",
                 "-----END CERTIFICATE-----"
             )
         )
@@ -159,11 +159,11 @@ public enum Certificates {
         () -> getCertContent(
             List.of(
                 "-----BEGIN CERTIFICATE-----",
-                "MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL",
+                "MIIExjCCA66gAwIBAgIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcNAQEL",
                 "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt",
                 "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl",
                 "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v",
-                "dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm",
+                "dCBDQTAeFw0yNDAyMjAxNzAwMzZaFw0zNDAyMTcxNzAwMzZaMIGPMRMwEQYKCZIm",
                 "iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ",
                 "RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290",
                 "IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG",
@@ -178,13 +178,13 @@ public enum Certificates {
                 "uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ",
                 "k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD",
                 "VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg",
-                "Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN",
-                "AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f",
-                "qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i",
-                "jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD",
-                "jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae",
-                "dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du",
-                "8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=",
+                "Q29tIEluYy4gUm9vdCBDQYIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcN",
+                "AQELBQADggEBAL3Q3AHUhMiLUy6OlLSt8wX9I2oNGDKbBu0atpUNDztk/0s3YLQC",
+                "YuXgN4KrIcMXQIuAXCx407c+pIlT/T1FNn+VQXwi56PYzxQKtlpoKUL3oPQE1d0V",
+                "6EoiNk+6UodvyZqpdQu7fXVentRMk1QX7D9otmiiNuX+GSxJhJC2Lyzw65O9EUgG",
+                "1yVJon6RkUGtqBqKIuLksKwEr//ELnjmXit4LQKSnqKr0FTCB7seIrKJNyb35Qnq",
+                "qy9a/Unhokrmdda1tr6MbqU8l7HmxLuSd/Ky+L0eDNtYv6YfMewtjg0TtAnFyQov",
+                "rdXmeq1dy9HLo3Ds4AFz3Gx9076TxcRS/iI=",
                 "-----END CERTIFICATE-----"
             )
         )
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java b/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java
index 58cf6d1368..3b43311679 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java
@@ -116,12 +116,6 @@ private static void checkCertificateValidity(String certPath) throws Exception {
                 Instant expiry = expiryDate.toInstant();
 
                 Period duration = getPeriodBetween(x509Certificate.getNotBefore().toInstant(), expiry);
-                if (certPath.endsWith("-ca.pem")) {
-                    // root-ca.pem is already expired as the validity is only 30 days from generation
-                    // so we just check interval to be of 30 days
-                    assertThat(duration.getDays(), equalTo(30));
-                    return;
-                }
 
                 // we check that cert is valid for total of ~10 yrs
                 // we don't check days as leaps years may cause flaky-ness
diff --git a/src/test/resources/sanity-tests/kirk-keystore.jks b/src/test/resources/sanity-tests/kirk-keystore.jks
index 6dbc51e714784fa58a4209c75deab8b9ed1698ff..6c8c5ef77e20980f8c78295b159256b805da6a28 100644
GIT binary patch
literal 3766
zcmd^=c{r47AIImJ%`(PV###wuU&o%k$xbMgr4m`Pk2Tv-j4?=zEwY?!X|aVw)I`=A
zPAY52Rt6y<MCcv8=bWqaUhjLo@1N(o-aqa?zTe;dT+e;~p5OEN?k(*tfj}TIeE~lf
z)Y~)An=X>ODkPjhAQ%WsfbL*f;mp!-018Nf*#Q6sf)b!}Nv;s_8gzOC@mT<CUb9=$
zb*GftTO^)EqWVFr<Fd9FB>mi+D9F}jyYkhL=#Xk3eYM2csmxKA&W!xAdE{tZ2mEGS
z;L%QU`DHcrbdbw$3GsKUvmf<JNYcVO>Qu0Z^?sH7B)!W)eLbG*fXB^G$&6CbCnj4~
z*J>Rkut6vL1EvT!JqAq#X=O~#!JHQ#QVSPuOGlnLrXXB~{{FsGRq?o?I;>^GFEhMB
z<S6%^>w;z!v1sXap8nq3zz&+prKs-DRPm*XsS4BaP6Z{8tM~n@m|rxMA=p6*i(w=7
z*2&*Yg-uWU$5|W>>g5h)Fn{3B={`skAJ5_wXB5pDwyj{vG1_{{Y-`wB_i^B!5PA|=
zrx=_>rprb&75BQ=J)SKPAJI;?(D#46)o+a?SsR^-&qJj<M@haWtNMJaJC{ZhmE(KW
zR`GsYms+rN;FF)lWOFvHpnx>XY2ER8S*1ZvU`t7~M6?NKULuzlAZ8C#X9>8j2;WDY
z(TY-^!`&0%67`u|U_-Y(knWVcSlh-kwZQ6KG@S?L`W!iVl>Gyd(LnpMc@C!QeY{(E
z)uAwF_CcqH#00}jer2dQk3}R|p^87XCxR8`n4c@g9rASTt9$8}SuGW!!+QQ&w&G!P
zvv5Mft<&pzv^&XuuQAj&ieoa*3nI-hx}0`4kym=(cd>?v6yM3v43y@5@;yPeJ_N{@
z622W$@5Z4VqliMF3GAf_RcB;$HX^%cwTCgxg^4)5I0?*&oW|giBB@nUNBO+IX=iON
zo~;L}HOwhyeqH4GHvAQ5i=|0c+_5*661aDyT_tr=I#+<g(Yu10zfD_^pDpQO19RRH
zPu{Y%5Os~c%c~M4;1lLWX=8Pmc=7A5%@HXNs>Zog%!9nRiuBb8m&SS4qp2fv7HJMG
zwJFuqV*Hoq3`|Mayml;So|9W4Um6Lu8(k+(Hc2}p@&>?!7!7H~9*O%@BrKNAOa-~e
z$e6#G)fJ+<lU2(P^650WZ?&Mj95TPOxc2CP-dS!rkL$d&lh3k>wNz5x9zU;#>&V}d
z?!F1W_eNN;&LI9$!kWa0Zqa)0CVM4D=x(r>aXgW=XQ)PTRsJJ&MC?WjjoMwLRh`-I
z8yD|^&(r#NU|pRpRF%wn&t%X`)8HQe%uxEKnXxIu9yui1s$eH0*YZ^Wvt25yOg6{5
zPefKstjqam-PRDz=&-BVb^xZe>{C{$cza!_sV&3M*l0ocMJVr!l~TlJi4JChDn9Nn
zc&la1caY}0P&Ho=r;)l;mKBf$V<6A*R6XC}s98g%I7ZIAFI=e6SqQ4;oevw)nw0%^
zKq9#$;{3R0zJv}#mr7@}e+5-(`{C?^vEE#xb7uBY=X#_1v+@~@l?W@Zaq+Yo9bpu&
zR<0us_T`(Q6qp1xYb)Rq;tJ|aTZ&y5xqx<_j-|<O%}#{2?ityHF3aw0N57-#y`Ww0
z-c2pK`KdJXhW0p$jGEqJg~+U%?7C)s7?$GYdTCx@+&suSP}XlD@L31lS`Yx<N?pS0
zUP|G0vv_7T#<RSFC+5}g+}j-+o|4Rsc{JR&QsnDx9Wl)6S*z2z^Wl9fpN420S~IQ2
zp?Q9SExxWJZQ5n#gNVET<L!+{Rg1U-&XWdLl&#?~=Ab%`WM`%e2fb5y58&r8Kj;Xv
zlT*Q}gFw)HIu37O36SVQ2p9l^(VoOocJ0}hR9SnC!NwU&okPLT8?Z<?lN8CAw21@&
z1RbC;WCczvJDiy*T`VzURmK(I<A%84eHD1HTz@ec+`^oF{e9dN_^>>1$SEi@3!A||
z9YH<3ub_#ai=2WG_V9iQ!NU8mB|$4ZK3Gr>_s15<f8K%>;6W-XV-*##3TjwoMP&yb
zq!L{!sQoUn<_ZWb)BbzloM2Zs1tb=+FBn*$!EQmp3Ml#oe;g0);^XP&_osni`NR1A
z0SL>FG{F)8;h%d#4-g0eK+%&0U<MNa0CfHA5vVA$bj<oZAxqf;2%o9m=v-V;OC8&&
zo`~`Bu3mVV6)PFqsKF($?o(PKCTn`T|F+U5gu`ADaA!8z;N};qsX-BO_@)d{0o&Bj
zG24sZEE5B~$lFOAI+`X|pm_apSHqI+FKu&6=ExBvuZW0i4(g<V=X$(#R!4A|9|C~{
zEg$#3{3o4>D-=ghUr~yDQ?!lNE5tKiJ_rjY{@`Q1vj<Bnb5xliI}k1N#8$q^!|*Yo
zh9mx3+y1^BWA=p!MOBSbncbK1d*-XlN(?yhfJNoBk+G@68_(pwd+~2uFI!!`&$;A{
zuJd6g`<pP^X=n<*Fy!;=_J9@eqreaV1e6c}X?jP*u`KlF9^wRm?@%xnL{DD2LhUOk
z1Pq(Ra_?)=ea(VphBMMr83tp3fU$@6eO4$p6kVbqFH1mV?>bVAFU;|?Qs;w|1hFx_
z`*jR7rVAU>9*yRSpD1)#aOb!)@ak(5hk;guG$_9)=K8Ie^uOP<63|FjrX2UEcJw07
zD5c?bxHD${?)1+CMgPg@0|kH>4NzJZO*;#rl-xA_8*SHCS}ygKZP7*uHbRtmaTE%n
zp7Vt7QIt|IIN?)fyS#8IxKHO$?TeY{DpQl5^kyAd$HH^Aa)SJC+I0<z&*NNZ>!ULR
znF7*z6R6~{CCW6M^qKuU!N`I`>YB3i6toA7f7#3%T&$5&wm0nY{&d9(g)LB$%g9dX
zf>HfjVn9;)rG-^=)tiGDd<5M4wDHPl@yEGU_whS<g&rJ+Rb%+=ZyFTN@}Y@k7&(T@
z2;NT8ul|J&6eZ6YH=!~y>h78l$%S*WCqjvj^Xt?_VKp0T{pQGU!F;?_^4EMT$__$E
zH0hMGQlo@W2p^_tPZsnirl@pGb<#0a^*g5ihYtSzKKx%Wg;i4h8B_c6Z+PPWM!I%g
zOr-dLp|0@RV@@&InVrwRJfPT~ZY840gT$Jl4)HP^qcTUWE~1&}C2wS3Sv9pJWiRva
zyK}a9ilnrYe7SB$bu~GF&GM`D1h@ukNsJY|Yt>|?q(4gzgSUuGwSIfsmlD)%J2V0@
zTU&-58&x%P)-#Oev2~&}bv^wwRbD$?Enu(jJiuwM3shGOZ{$juY+RGk#m^`!p7+vO
zAjWFn1{dq`T?N^TggHmN3~VGf^5?a_)R-cj5yfk-?V<|S)%uKn{YGL)7(~eAhWA56
zj7ZS7amp#qQM;t>%6F)v{1S-Gq>88IPiL?2X9<M>=q_r$vhc4{Pd3$WssBMbZaV2W
zu&8||{U99-3!x+JudoA1KSAx^0qg$*YLr)FKtJ($lC@k)W?khPY!~B&<W<arFY(u3
zN1`-czniH!)qyX}OsWyeh1z(ICPkl>3F~Xnxs_<Wt8Jiq<vQ*c;n|YmUNm#PgNNj?
z&B8Cxfp=VUroyV0O;+*v7rFOB5Raom9B=j?&#>WH)b*(MC{~@><C8HVrq;{Ld|t?)
zup7gNL`{k>r={U4@A6+2p8il>0lojdT`r8~C><sXPQO`P{>rA6;jw^lZK9gk<_y!v
za(Rbclc{1;TFBtT`lr|YO0}|UXzh>FLsx6RQUq8=?V4{NR#=oxL2}kHb-ZAfuN<I7
wRG#a8-Cg3pI0*!e`9$?S&FE;i+7p(D(a$T2T}ZlS8exCJi}74&y<F@+00~9w<p2Nx

literal 4504
zcma)AXEYp+vt7GZ$?DyT=tPUf>Rt32Rtcg+B4P<q7YWPiWyMA>QKLo)5nT`xBt(f8
zz4zYx{`1az=l47B(|aH0%$a-V&c}OZ28N+d1QLK?7-~f#Qh{)-@KbUEVuBnDwFn`G
zTJSH-2g86X{uc$#Cd7a<{=zALBY_C=KPs|Y1i%~&Sotp~4}12H0!$9GfJy&blEDNC
z=>%hA9@l)1y-8vD6#cH^U}=KBI0FdeqXH7J!^nt8{(B;j6byi|5|P@4YY{kr2nhrT
zsl1TD93_M516EPM#9d4EG(rsFKtBW4^r*(5KwKbTLB){+^0E(}Q+A7HoW0lrA)@i+
zydGtY^95cAh7C?*2qIcESObb&7%#|($|(-eXIiQ#0>bYpj@=?*4?U=5@-ISTdSa4x
zOtEjIWb0hr)D^1HVpX7-CjwnsDG8#WM@AVZvyufeW?}`^GtGW7WcGsVl)G*$?lP3S
z^GYelg04B!ZBp4GnwCzq@uOLfB4xY#hE;StB61*Yd8?%(Nl9NW{s<jzW1dwSjeF8*
z4cJM0uzTC?Wpq&(^P9*?(;L(#nK@@Qysjw)#yn<HNLOUc>3+HODy#ik72s%Hj($a8
zhF0>hs}=106=eHlR<&9zT@LuHAUIZWLFWrKQ#$R3^=pv*&-7e6{O_Ji`|s`^<rgvp
z8PU+>^4v<OQcnWPsZ**<dyNOIVz_SOd1jYbf@a{~2}FV^M;f`ol#K}l6KrO{n|J`e
z&({1jvkP$8cYQb~32gPbj6@80+g3h1k(F3+eUh>@-Hr>`?(V#!ktZ-$-0?Jt1G-G?
zE9HvN@-<y;e=Uos*UY=Ltu^hsjEgto@IIVJk5`4Uhf@1YDPo{l@hA5hd6ykBydC%n
zlkbY0>0iPpKSDRsLacPB>#JY4d$KM!zs7xPBvUu4HQ}!Bz$qc)A`=Ver4EBC?!g7b
zuW7GvE*puJA=;!bv2_S?8ZQ<Eb-V($ct96;)A4TIsjU)ABFVB!ap+;~VBW2$Z_6JU
z%8;<e`)p!ki=0|IU51?dr&pN)ziu9v$VVebTfLu-0iHoV)*+p4>x_n`M?F&kkb{-h
zKwO=OA_@auvAUmAsQW~NjYK|}m{>`{*n^45MJ^ph*%K9}8GnxA%-;D^^-}ih8oWP*
zX<q*oGcJ`X`yNVN@Od8t%s+_Nh%PG32CawOi^hBZ>J#vzJY3e4?&oSey+_=qv19lq
zeLI>%Gjx=y!qVzf%Y&c7dgkjEw?^rl8^KxGs^%{Fd_(b51&l(wYCO&Rc~ZUl5^~y>
zc}BJ!4+n2KaS|<{vd#M44my1W|M0Y-gfk9<&l%IBje@31-Sr1Mt!fvT(Pe+Gt$Bz?
z_up@HJf$b!)YfI|4{%l^JDxgWvp75|nMzg7<UbAhy~3Z(UMP_;D{v>E)(qZ%=alvt
zXMfZg7Z=_eanGP?tBXFKyvFRu$?uMAzg|k-(32orZccxnHGr$(gM%4Hgc&3blJCi;
z6j@^Y3XVg*doBz<dB@_wX}TU(uRt$4g2}L_F`Ew8KBc;(np3}-vTAO5_ZvFq#X_iN
z`TJs~{TJ&Q(~V;gH7@2<%-lIZKbxt0W`$Y1+yV6`(j@+=F_A02puDAE=IQ+C$Hv3X
z6jBEfEV!6BFn7zDPiRG({yi%=TxRr}6S_!xbYx#)WLl4wjd%}2(hC1G;jZ_7s3D3F
zJ64)xtqF-8ahF!`o?merqW|PU0OwH|F)uPkBX&QFxkx#|LVjG0eDy@eS>7pms~Jn7
z9>1&oI7bPBOnn7vyV1x>YahPMDy_bySw!71ij);ebzBEUSZK&o1y43I-AuJKXJ~C3
z{ScF0neCZ<?g+<M_{wA2N1{sak)7*Sa5`!UwWgP710wk+nZe?dp`I#qeI;sNYziNb
zmz*DoD#KX*u}e}qQHnccfF}SKfD^z0;0o}9ar{fti_#I&m^i&~U>B8?5r>Px#3V%}
zq$OY&i2FZH#6&q5i2Yy421o$-o6P@Z2>vgd4p$sB)+@I7CAQvk>m=OVG#EC`^#8Hx
zXo}&oS5+Eg(sw4>QN<sVgD|(|;4dQmExUm6GCWdyUL0Z}WX~z=AoXKDn%12b-&$cx
ztxkG0=`Etd?%bylZj5P(+~<;Eg{;AYaPORSyZ61bKOhLcA9DG@PH){-Eo!E+FTA-2
zSSSPgtwHn=vJAI>4_Cy_0U!W9o!pxS@}|4s+L{ow)59*P>fYuDV~JqCwTL5s{)3(v
zzbM`$E<D@S#x8lv$w#*S)^$6S?~iBLn;}jWi?u6;VM-(-FxNSb>?)E;`zu*Kjpah>
zgQl1ucOJOd1|%MDBk_Lsu64*-#r>9orWT19xT!DnCoNv_AnWczl?5a3@Sd4mtPrx@
z;QPqXK#%ve%3=_Sa$)(zJ)mvCYW0$Uim6bQ!S}#H@uPFY+qvmT_x`cr%&q*~6sufG
zKKVZ8ebd?WhVYT)or=?jzV*~PLH&t?CH^KO=IX%=oHNr75%vVz=nN9ipHOrX*7{h!
zNkaI3@a@JfTINcbD<@;DNwqa&=S5v4pM=tBEMN8HU3}euq?(dEFWfNC>H+2C+1dBA
zFs<T8yk2NG?l96?VX~*YV+Y9W$Pg~d<7$Vfz;0^5P#7+f_^g-Yqq0v`x8IJ5rWEFj
z$TXEW$ZJs+RRi+$e`<>|s&27315cK^vG`LRKX~{Ugw!|2K~TP_VAqXtzNY6)j={rQ
zv73v$!psb1ph9o6`kKlGjC8GEdFX9+@{I}q{33}%?v>$a-cw6HGOOLVnv3ITN_D~k
zo^QL%)6K#_{j)b&>8Qy@Eweq=Ne8rKsjJTe)mfDw?scqlc&US2dxU0@o5$(Zu(GB4
zujr5^yZdwlP>E{wrkq=NiW~PQZm5`fJz5m&9I}B^zPVNSSa9vWcXu^m%+bU|aOg5q
zK%|a72J^vxGy)&3GlNod=Wt|FBG=mgP)o%{(2PCL$9s$dMvIcv^FdM?hbNYQrX%I|
z{binoW_?J27M3L2<nVWk9+&Dr=kNH)xt*AK`r(bVFjW?KgGt?&NBqim#~bxsvmlq=
zG^Mc%t$fAv^3um4zTd8%<-R3SXI!W3U0n>H_Y4n0!3PGL<Csn4xR%E`HL6X93Uub{
z>#b*UxRbpd3l$RLC#I})-32((m#4}vP%kHB3Q7PGLpvuro4~7<S1A!#yKmAIrnDiR
zX}8(KyT;`$zV)d6tZs{g`*hD~vW+c4tI2Zf;#umpeq>i2u6z$3ar+YSP2?_%+^%f*
zR}5Rl@nUnDVdT&uE_ZP%NU-(Zn*^k2*4S;xubW_f3f-cK+=>uy-sK;&F{mRdp<kJ+
z4bv&6yYh5vAN#Ybqre}p2hy78?0;_)w;UC(bt0v!9-}JxQE1vGkI9GZ^KZGmRrRbU
z)gK-}T~U`kk|OyI$V+Xj=E}Oxtl>gwIgSHfJSw=2<H*dW$$zusz%v|0ZTAv;4Uy$&
zmF`a}9I<j`K(-E6mR8^w6`LRX_EM2BQv59Sc>2paH-mu>R=3Kf9cR*A_Sjg7q#MM<
zqobyHu#q_oM3;REOf&nTGa=n6MK4QZ{pey;iGwX&bnAUCVq`=c0{gykLm{VZo%ulF
z*n_LEk<DpDXj9X&g^LSZs=#}1e~Gd!q)%@j5}|%T(wB+~4x&Ce&ANcTIa0cb3fElB
zZXFZ2qNz8yP2J1!d&y?Njpub<!V3;mK{BQx_;-oW@=~To0E5el(M~)#5}wTk3&(Jz
z6{5q6#CNMyPoMQ;@%ZO?DPp(V1>%}KbmVW1)L+Ab3sSZPR+Fe*5p$^HC|Oyb{_is>
zsuD42;l;BT-a#X6fP(~C+`TP&(``5KD7dp9)GD&EVfNN4Bf@5N63j4c_IOZZ`^gF1
zphj9>;b1JVOWrk`HhO{mmk*Lp>wXpL*r|VQth!^2ajO2-Q<bZp#_xCQ`#xlNCwxAt
z(H$puTIE8Xd%28jn(<C&ffc$m&51f>$=;E0ZcMzj9V;D}3k7ej?g$MEOSvfr*p<&b
z6B?7p3F<H2CMSGxCfVSoysj3R$=?svk98^h$-3@Fa~i3TPjK_2{5?n4_=E7Zb}Yyp
zcfNBhDDjO+TRSA~#vftDRyKYyP}T)_6=eT8q61+{)DTNV5}+#rjTk(lN!By?aJ?Rh
z1_;bX=Rc6O=3C=&e68jAx`~ngx;3&L0z`x|TT79(s-cR7c6>^a78y9pEd$#q2Pm1b
zU#?c^Op~TXSZ`3z2a{A=UzcS`zB%Z|XG2xth@1`h=wY$wyp|u2)s&QN#af+k>`vF!
z&{oB;K{Wblwtcc`JH%E<z1dT<15SQm)Bf3+P>!TwV2q%vd}p>iZ9d@C(kwR>Dm)p?
zV-i0tv8PP66)jD1#I*Qm*`@U`^o)}|58+bGD1y(EEM_dJh-O9xP^xdF-_Z#qZ&m{c
zbC6W;iNU!24Cvnj14>>_V8a{IB$GXu&z39rEKNX_07*3xp*W3rJo!}pp2M0Hwe$#*
zi#HgV_>>SSD;YT=uK8*Lu|$a+IIXPF$${!eaPU%X#jh@y96VcWEFGqB#<_hE8QPmQ
zO_C$p_nXzGgQtqVrC1t-5`*juoj0Q%VLnw`@Yt&eCg!x)84Pq&N%`@t*<S}Rs_9kA
z*L)l6jckVJZ3qKid9%-2j0b4d$GlrfUqo98u>*O@LYz3OR(@+})Hu&$>gJ;6oxdO{
z&KR3!hDx52>YBb*JE@4B`8}j*yOg=37>&zbSN}#T@GA6n9+dFcA*9q_l2eI%Xh*7~
ziU87?k{%5!@e5oasj8xTY|ysPyOMR3W;w?vvG}prD%~$8wf$j!6&K4LI%aD1$6B&8
zG|Bq_{em<75I~pVeMNJ6Dv9e{<=x@Es?2r|L;d(lJhNv+5~$`ps7`1lAq>B{Ot5Ga
z6qD6CeNHKADuYBeC(!$C>E5yJ7O5IFfdN*2lPV*LTj(fX$`T*h6!l7_BFQ%HhbJFp
zKUVk@Dl`5ZH)LoQ^{7N6?HyY_;Jo?*Uu#dn_XW`49o!xdK!+JJN_3KD7k@2J((0h0
z?0!++a*3VkR_Y8<v++zHb^}jv7bKSQC4fNB#q27YL!wWpcKYo0*NGy6xh}G0+nemp
zK#Z4rulfgeJDu-u_t?A-sS!=M)Rx;$ReA6kTATCdjRG6->-s+o<1M(>PCz=|sJMqa
z0+r0sNH_$gvD_@AC}TCb8}m~2v}_leWOtWdheZwxJl0i{OGIRcO0i<r93_X3mT5HB
zSlMJ0WA;zH)~y52>VJ-B>5CgP^O-M7OYVJ*8(0|euX~UGp`sq@@gaEw*bHD4*Dj8_
zPO4*=dce-k-f;9Xl`P>A2U6SzIPhFWQT>2(PjqTMlBf}zL3<&dS*!E0mM}&jbXhc-
zAb9}5!V(`=H1zl4fM|8TdAE{XwAuTJ>dTw3o}wzSb&xhxCijhe4Q#{|l(FXGy+A)j
zH>IZrWy4|#?wJ-1?zBm;cKLHK*H5ngXeiJE?k?6Lz1i+02rcMG7kNDQlDJ_??0D#;
z(Bju>vbV@>IGl97vC?TD(|fa!E?NjDA;*m&#_ZiX>Vgi+wr`atYOngkRp_w%?M~sv
zUVImV4>dX4Ih+MO4LU`Ui=K%20a~JOwq1$6)KUw@81y#uUGKMV4>O0ioDGDvtZ{Jl
zmay)x!zLD>Hl1jqnzX9b_da}w9xr9S`kQwUZPAei4I5Ao#$N}f9I10=!}MXIF!F!C
z6+i+ofRKI2Rvlk8erCmgYu2%A6S_nSX7!cGJQ6pQ{xw*Iw(KXQGft90Ft(YQ<7nw!
ROz*Khv5A{`^It3We*oUlR=)rM

diff --git a/src/test/resources/sanity-tests/root-ca.pem b/src/test/resources/sanity-tests/root-ca.pem
index 5948a73b30..854323e6fe 100644
--- a/src/test/resources/sanity-tests/root-ca.pem
+++ b/src/test/resources/sanity-tests/root-ca.pem
@@ -1,9 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL
+MIIExjCCA66gAwIBAgIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcNAQEL
 BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
 cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
 IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
-dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm
+dCBDQTAeFw0yNDAyMjAxNzAwMzZaFw0zNDAyMTcxNzAwMzZaMIGPMRMwEQYKCZIm
 iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
 RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
 IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG
@@ -18,11 +18,11 @@ F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4
 uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ
 k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD
 VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg
-Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN
-AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f
-qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i
-jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD
-jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae
-dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du
-8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=
+Q29tIEluYy4gUm9vdCBDQYIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcN
+AQELBQADggEBAL3Q3AHUhMiLUy6OlLSt8wX9I2oNGDKbBu0atpUNDztk/0s3YLQC
+YuXgN4KrIcMXQIuAXCx407c+pIlT/T1FNn+VQXwi56PYzxQKtlpoKUL3oPQE1d0V
+6EoiNk+6UodvyZqpdQu7fXVentRMk1QX7D9otmiiNuX+GSxJhJC2Lyzw65O9EUgG
+1yVJon6RkUGtqBqKIuLksKwEr//ELnjmXit4LQKSnqKr0FTCB7seIrKJNyb35Qnq
+qy9a/Unhokrmdda1tr6MbqU8l7HmxLuSd/Ky+L0eDNtYv6YfMewtjg0TtAnFyQov
+rdXmeq1dy9HLo3Ds4AFz3Gx9076TxcRS/iI=
 -----END CERTIFICATE-----

From e40efdc0fbf901a8b932bdb36d966ff769cadf53 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 22 Feb 2024 17:25:58 -0500
Subject: [PATCH 061/143] Redact sensitive URL parameters from audit logging
 (#4067)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <craig5008@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
---
 .../JwtAuthenticationWithUrlParamTests.java   | 20 +++++++++-
 .../test/framework/AuditFilters.java          |  8 ++++
 .../audit/AuditMessagePredicate.java          | 30 ++++++++++++++-
 .../auth/http/jwt/HTTPJwtAuthenticator.java   | 10 +++++
 .../security/auditlog/config/AuditConfig.java | 38 +++++++++++++++++++
 .../auditlog/impl/AbstractAuditLog.java       | 18 +++++++++
 .../security/auditlog/impl/AuditMessage.java  | 14 +++++--
 .../security/auth/HTTPAuthenticator.java      | 12 ++++++
 .../security/rest/SecurityInfoAction.java     |  3 +-
 .../config/AuditConfigSerializeTest.java      |  5 +++
 .../dlic/rest/api/AuditApiActionTest.java     |  2 +-
 11 files changed, 152 insertions(+), 8 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
index 6dfb3c3bbc..e10ad82e8c 100644
--- a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
@@ -21,8 +21,12 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import org.opensearch.test.framework.AuditCompliance;
+import org.opensearch.test.framework.AuditConfiguration;
+import org.opensearch.test.framework.AuditFilters;
 import org.opensearch.test.framework.JwtConfigBuilder;
 import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.audit.AuditLogsRule;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -36,9 +40,11 @@
 import static org.apache.http.HttpHeaders.AUTHORIZATION;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.BASIC_AUTH_DOMAIN_ORDER;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+import static org.opensearch.test.framework.audit.AuditMessagePredicate.userAuthenticated;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
@@ -69,12 +75,19 @@ public class JwtAuthenticationWithUrlParamTests {
         new JwtConfigBuilder().jwtUrlParameter(TOKEN_URL_PARAM).signingKey(PUBLIC_KEY).subjectKey(CLAIM_USERNAME).rolesKey(CLAIM_ROLES)
     ).backend("noop");
 
+    @Rule
+    public AuditLogsRule auditLogsRule = new AuditLogsRule();
+
     @ClassRule
     public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
         .anonymousAuth(false)
         .nodeSettings(
             Map.of("plugins.security.restapi.roles_enabled", List.of("user_" + ADMIN_USER.getName() + "__" + ALL_ACCESS.getName()))
         )
+        .audit(
+            new AuditConfiguration(true).compliance(new AuditCompliance().enabled(true))
+                .filters(new AuditFilters().enabledRest(true).enabledTransport(true))
+        )
         .authc(AUTHC_HTTPBASIC_INTERNAL)
         .authc(JWT_AUTH_DOMAIN)
         .users(ADMIN_USER)
@@ -88,11 +101,16 @@ public void shouldAuthenticateWithJwtTokenInUrl_positive() {
         Header jwtToken = tokenFactory.generateValidToken(ADMIN_USER.getName());
         String jwtTokenValue = jwtToken.getValue();
         try (TestRestClient client = cluster.getRestClient()) {
-            HttpResponse response = client.getAuthInfo(Map.of(TOKEN_URL_PARAM, jwtTokenValue));
+            HttpResponse response = client.getAuthInfo(Map.of(TOKEN_URL_PARAM, jwtTokenValue, "verbose", "true"));
 
             response.assertStatusCode(200);
             String username = response.getTextFromJsonBody(POINTER_USERNAME);
             assertThat(username, equalTo(ADMIN_USER.getName()));
+            Map<String, String> expectedParams = Map.of("token", "REDACTED", "verbose", "true");
+
+            auditLogsRule.assertExactlyOne(
+                userAuthenticated(ADMIN_USER).withRestRequest(GET, "/_opendistro/_security/authinfo").withRestParams(expectedParams)
+            );
         }
     }
 
diff --git a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
index 087342eb6f..5e63665f41 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
@@ -35,6 +35,7 @@ public class AuditFilters implements ToXContentObject {
     private List<String> ignoreRequests;
 
     private List<String> ignoreHeaders;
+    private List<String> ignoreUrlParams;
 
     private List<String> disabledRestCategories;
 
@@ -52,6 +53,7 @@ public AuditFilters() {
         this.ignoreUsers = Collections.emptyList();
         this.ignoreRequests = Collections.emptyList();
         this.ignoreHeaders = Collections.emptyList();
+        this.ignoreUrlParams = Collections.emptyList();
         this.disabledRestCategories = Collections.emptyList();
         this.disabledTransportCategories = Collections.emptyList();
     }
@@ -101,6 +103,11 @@ public AuditFilters ignoreHeaders(List<String> ignoreHeaders) {
         return this;
     }
 
+    public AuditFilters ignoreUrlParams(List<String> ignoreUrlParams) {
+        this.ignoreUrlParams = ignoreUrlParams;
+        return this;
+    }
+
     public AuditFilters disabledRestCategories(List<String> disabledRestCategories) {
         this.disabledRestCategories = disabledRestCategories;
         return this;
@@ -123,6 +130,7 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
         xContentBuilder.field("ignore_users", ignoreUsers);
         xContentBuilder.field("ignore_requests", ignoreRequests);
         xContentBuilder.field("ignore_headers", ignoreHeaders);
+        xContentBuilder.field("ignore_url_params", ignoreUrlParams);
         xContentBuilder.field("disabled_rest_categories", disabledRestCategories);
         xContentBuilder.field("disabled_transport_categories", disabledTransportCategories);
         xContentBuilder.endObject();
diff --git a/src/integrationTest/java/org/opensearch/test/framework/audit/AuditMessagePredicate.java b/src/integrationTest/java/org/opensearch/test/framework/audit/AuditMessagePredicate.java
index 4935bf0387..34565e9926 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/audit/AuditMessagePredicate.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/audit/AuditMessagePredicate.java
@@ -29,6 +29,7 @@
 import static org.opensearch.security.auditlog.impl.AuditCategory.MISSING_PRIVILEGES;
 import static org.opensearch.security.auditlog.impl.AuditMessage.REQUEST_LAYER;
 import static org.opensearch.security.auditlog.impl.AuditMessage.RESOLVED_INDICES;
+import static org.opensearch.security.auditlog.impl.AuditMessage.REST_REQUEST_PARAMS;
 import static org.opensearch.security.auditlog.impl.AuditMessage.REST_REQUEST_PATH;
 
 public class AuditMessagePredicate implements Predicate<AuditMessage> {
@@ -36,6 +37,7 @@ public class AuditMessagePredicate implements Predicate<AuditMessage> {
     private final AuditCategory category;
     private final Origin requestLayer;
     private final String restRequestPath;
+    private final Map<String, String> restParams;
     private final String initiatingUser;
     private final Method requestMethod;
     private final String transportRequestType;
@@ -47,6 +49,7 @@ private AuditMessagePredicate(
         AuditCategory category,
         Origin requestLayer,
         String restRequestPath,
+        Map<String, String> restParams,
         String initiatingUser,
         Method requestMethod,
         String transportRequestType,
@@ -57,6 +60,7 @@ private AuditMessagePredicate(
         this.category = category;
         this.requestLayer = requestLayer;
         this.restRequestPath = restRequestPath;
+        this.restParams = restParams;
         this.initiatingUser = initiatingUser;
         this.requestMethod = requestMethod;
         this.transportRequestType = transportRequestType;
@@ -66,7 +70,7 @@ private AuditMessagePredicate(
     }
 
     private AuditMessagePredicate(AuditCategory category) {
-        this(category, null, null, null, null, null, null, null, null);
+        this(category, null, null, null, null, null, null, null, null, null);
     }
 
     public static AuditMessagePredicate auditPredicate(AuditCategory category) {
@@ -110,6 +114,7 @@ public AuditMessagePredicate withLayer(Origin layer) {
             category,
             layer,
             restRequestPath,
+            restParams,
             initiatingUser,
             requestMethod,
             transportRequestType,
@@ -124,6 +129,22 @@ public AuditMessagePredicate withRequestPath(String path) {
             category,
             requestLayer,
             path,
+            restParams,
+            initiatingUser,
+            requestMethod,
+            transportRequestType,
+            effectiveUser,
+            index,
+            privilege
+        );
+    }
+
+    public AuditMessagePredicate withRestParams(Map<String, String> params) {
+        return new AuditMessagePredicate(
+            category,
+            requestLayer,
+            restRequestPath,
+            params,
             initiatingUser,
             requestMethod,
             transportRequestType,
@@ -138,6 +159,7 @@ public AuditMessagePredicate withInitiatingUser(String user) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             user,
             requestMethod,
             transportRequestType,
@@ -156,6 +178,7 @@ public AuditMessagePredicate withRestMethod(Method method) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             initiatingUser,
             method,
             transportRequestType,
@@ -170,6 +193,7 @@ public AuditMessagePredicate withTransportRequestType(String type) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             initiatingUser,
             requestMethod,
             type,
@@ -184,6 +208,7 @@ public AuditMessagePredicate withEffectiveUser(String user) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             initiatingUser,
             requestMethod,
             transportRequestType,
@@ -206,6 +231,7 @@ public AuditMessagePredicate withIndex(String indexName) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             initiatingUser,
             requestMethod,
             transportRequestType,
@@ -220,6 +246,7 @@ public AuditMessagePredicate withPrivilege(String privilegeAction) {
             category,
             requestLayer,
             restRequestPath,
+            restParams,
             initiatingUser,
             requestMethod,
             transportRequestType,
@@ -235,6 +262,7 @@ public boolean test(AuditMessage auditMessage) {
         predicates.add(audit -> Objects.isNull(category) || category.equals(audit.getCategory()));
         predicates.add(audit -> Objects.isNull(requestLayer) || requestLayer.equals(audit.getAsMap().get(REQUEST_LAYER)));
         predicates.add(audit -> Objects.isNull(restRequestPath) || restRequestPath.equals(audit.getAsMap().get(REST_REQUEST_PATH)));
+        predicates.add(audit -> Objects.isNull(restParams) || restParams.equals(auditMessage.getAsMap().get(REST_REQUEST_PARAMS)));
         predicates.add(audit -> Objects.isNull(initiatingUser) || initiatingUser.equals(audit.getInitiatingUser()));
         predicates.add(audit -> Objects.isNull(requestMethod) || requestMethod.equals(audit.getRequestMethod()));
         predicates.add(audit -> Objects.isNull(transportRequestType) || transportRequestType.equals(audit.getRequestType()));
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
index 9bf22bf7f3..a6ff27eb6b 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
@@ -15,9 +15,11 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Optional;
+import java.util.Set;
 import java.util.regex.Pattern;
 
 import org.apache.http.HttpStatus;
@@ -194,6 +196,14 @@ public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest
         );
     }
 
+    @Override
+    public Set<String> getSensitiveUrlParams() {
+        if (jwtUrlParameter != null) {
+            return Set.of(jwtUrlParameter);
+        }
+        return Collections.emptySet();
+    }
+
     @Override
     public String getType() {
         return "jwt";
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 7b173099b5..3b3ee742b6 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -12,6 +12,7 @@
 package org.opensearch.security.auditlog.config;
 
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -142,9 +143,12 @@ public static class Filter {
         private final Set<String> ignoredAuditRequests;
         @JsonProperty("ignore_headers")
         private final Set<String> ignoredCustomHeaders;
+        @JsonProperty("ignore_url_params")
+        private Set<String> ignoredUrlParams;
         private final WildcardMatcher ignoredAuditUsersMatcher;
         private final WildcardMatcher ignoredAuditRequestsMatcher;
         private final WildcardMatcher ignoredCustomHeadersMatcher;
+        private WildcardMatcher ignoredUrlParamsMatcher;
         private final Set<AuditCategory> disabledRestCategories;
         private final Set<AuditCategory> disabledTransportCategories;
 
@@ -159,6 +163,7 @@ public static class Filter {
             final Set<String> ignoredAuditUsers,
             final Set<String> ignoredAuditRequests,
             final Set<String> ignoredCustomHeaders,
+            final Set<String> ignoredUrlParams,
             final Set<AuditCategory> disabledRestCategories,
             final Set<AuditCategory> disabledTransportCategories
         ) {
@@ -174,6 +179,8 @@ public static class Filter {
             this.ignoredAuditRequestsMatcher = WildcardMatcher.from(ignoredAuditRequests);
             this.ignoredCustomHeaders = ignoredCustomHeaders;
             this.ignoredCustomHeadersMatcher = WildcardMatcher.from(ignoredCustomHeaders);
+            this.ignoredUrlParams = ignoredUrlParams;
+            this.ignoredUrlParamsMatcher = WildcardMatcher.from(ignoredUrlParams);
             this.disabledRestCategories = disabledRestCategories;
             this.disabledTransportCategories = disabledTransportCategories;
         }
@@ -269,6 +276,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                 ignoredAuditUsers,
                 ignoreAuditRequests,
                 ignoreHeaders,
+                new HashSet<>(),
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -314,6 +322,7 @@ public static Filter from(Settings settings) {
                 ignoredAuditUsers,
                 ignoreAuditRequests,
                 ignoreHeaders,
+                new HashSet<>(),
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -422,6 +431,21 @@ WildcardMatcher getIgnoredCustomHeadersMatcher() {
             return ignoredCustomHeadersMatcher;
         }
 
+        @VisibleForTesting
+        WildcardMatcher getIgnoredUrlParamsMatcher() {
+            return ignoredUrlParamsMatcher;
+        }
+
+        /**
+         * Check if the specified url param is excluded from the audit
+         *
+         * @param param
+         * @return true if header should be excluded
+         */
+        public boolean shouldExcludeUrlParam(String param) {
+            return ignoredUrlParamsMatcher.test(param);
+        }
+
         /**
          * Check if the specified header is excluded from the audit
          *
@@ -441,6 +465,17 @@ public boolean isRequestAuditDisabled(String action) {
             return ignoredAuditRequestsMatcher.test(action);
         }
 
+        /**
+         * URL Params to redact for auditing
+         */
+        public void setIgnoredUrlParams(Set<String> ignoredUrlParams) {
+            if (ignoredUrlParams == null) {
+                return;
+            }
+            this.ignoredUrlParamsMatcher = WildcardMatcher.from(ignoredUrlParams);
+            this.ignoredUrlParams = ignoredUrlParams;
+        }
+
         /**
          * Disabled categories for REST API auditing
          * @return set of categories
@@ -470,6 +505,7 @@ public void log(Logger logger) {
             logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled");
             logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher);
             logger.info("Auditing request headers {} is disabled.", ignoredCustomHeadersMatcher);
+            logger.info("Auditing request url params {} is disabled.", ignoredUrlParamsMatcher);
         }
 
         @Override
@@ -497,6 +533,8 @@ public String toString() {
                 + ignoredAuditRequestsMatcher
                 + ", ignoredCustomHeaders="
                 + ignoredCustomHeadersMatcher
+                + ", ignoredUrlParamsMatcher="
+                + ignoredUrlParamsMatcher
                 + '}';
         }
     }
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
index e5f314cd29..a5dd5290f6 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
@@ -19,10 +19,14 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
+import java.util.SortedSet;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 
@@ -62,9 +66,11 @@
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.config.AuditConfig;
+import org.opensearch.security.auth.AuthDomain;
 import org.opensearch.security.compliance.ComplianceConfig;
 import org.opensearch.security.dlic.rest.support.Utils;
 import org.opensearch.security.filter.SecurityRequest;
+import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.support.Base64Helper;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
@@ -73,6 +79,7 @@
 import org.opensearch.transport.TransportRequest;
 
 import com.flipkart.zjsonpatch.JsonDiff;
+import org.greenrobot.eventbus.Subscribe;
 
 import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
 
@@ -88,6 +95,7 @@ public abstract class AbstractAuditLog implements AuditLog {
     private volatile ComplianceConfig complianceConfig;
     private final Environment environment;
     private AtomicBoolean externalConfigLogged = new AtomicBoolean();
+    private final Set<String> ignoredUrlParams = new HashSet<>();
 
     protected abstract void enableRoutes();
 
@@ -120,6 +128,7 @@ protected AbstractAuditLog(
     }
 
     protected void onAuditConfigFilterChanged(AuditConfig.Filter auditConfigFilter) {
+        auditConfigFilter.setIgnoredUrlParams(ignoredUrlParams);
         this.auditConfigFilter = auditConfigFilter;
         this.auditConfigFilter.log(log);
     }
@@ -930,4 +939,13 @@ boolean checkRestFilter(final AuditCategory category, final String effectiveUser
     }
 
     protected abstract void save(final AuditMessage msg);
+
+    @Subscribe
+    public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
+        SortedSet<AuthDomain> authDomains = Collections.unmodifiableSortedSet(dcm.getRestAuthDomains());
+        ignoredUrlParams.clear();
+        for (AuthDomain authDomain : authDomains) {
+            ignoredUrlParams.addAll(authDomain.getHttpAuthenticator().getSensitiveUrlParams());
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index b57becc359..716e141ffd 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -350,9 +350,17 @@ public void addTaskParentId(String id) {
         }
     }
 
-    public void addRestParams(Map<String, String> params) {
+    public void addRestParams(Map<String, String> params, AuditConfig.Filter filter) {
         if (params != null && !params.isEmpty()) {
-            auditInfo.put(REST_REQUEST_PARAMS, new HashMap<>(params));
+            Map<String, String> redactedParams = new HashMap<>();
+            for (Entry<String, String> param : params.entrySet()) {
+                if (filter != null && filter.shouldExcludeUrlParam(param.getKey())) {
+                    redactedParams.put(param.getKey(), "REDACTED");
+                } else {
+                    redactedParams.put(param.getKey(), param.getValue());
+                }
+            }
+            auditInfo.put(REST_REQUEST_PARAMS, redactedParams);
         }
     }
 
@@ -380,7 +388,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
             final String path = request.path().toString();
             addPath(path);
             addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter);
-            addRestParams(request.params());
+            addRestParams(request.params(), filter);
             addRestMethod(request.method());
 
             if (filter.shouldLogRequestBody()) {
diff --git a/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java b/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java
index c79576ef5f..927dc0e286 100644
--- a/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java
+++ b/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java
@@ -26,7 +26,9 @@
 
 package org.opensearch.security.auth;
 
+import java.util.Collections;
 import java.util.Optional;
+import java.util.Set;
 
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.util.concurrent.ThreadContext;
@@ -92,4 +94,14 @@ public interface HTTPAuthenticator {
     default boolean supportsImpersonation() {
         return true;
     }
+
+    /**
+     * Returns a set of URL parameters this authenticator supports that are considered sensitive
+     * and should be redacted in the audit logs
+     *
+     * @return The set of URL parameters considered sensitive for this authenticator.
+     */
+    default Set<String> getSensitiveUrlParams() {
+        return Collections.emptySet();
+    }
 }
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index 9300cf72f2..469c7f81b4 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -88,6 +88,7 @@ public List<Route> routes() {
 
     @Override
     protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        final boolean verbose = request.paramAsBoolean("verbose", false);
         return new RestChannelConsumer() {
 
             @Override
@@ -97,8 +98,6 @@ public void accept(RestChannel channel) throws Exception {
 
                 try {
 
-                    final boolean verbose = request.paramAsBoolean("verbose", false);
-
                     final X509Certificate[] certs = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PEER_CERTIFICATES);
                     final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
                     final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 04cea3dc05..52cb39f41e 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -73,6 +73,7 @@ public void testDefaultSerialize() throws IOException {
             .field("ignore_users", Collections.singletonList("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
             .field("ignore_headers", Collections.emptyList())
+            .field("ignore_url_params", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -136,6 +137,7 @@ public void testDeserialize() throws IOException {
             .field("ignore_users", Collections.singletonList("test-user-1"))
             .field("ignore_requests", Collections.singletonList("test-request"))
             .field("ignore_headers", Collections.singletonList("test-headers"))
+            .field("ignore_url_params", Collections.singletonList("test-param"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -200,6 +202,7 @@ public void testSerialize() throws IOException {
             ImmutableSet.of("ignore-user-1", "ignore-user-2"),
             ImmutableSet.of("ignore-request-1"),
             ImmutableSet.of("test-header"),
+            ImmutableSet.of("test-param"),
             EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES),
             EnumSet.of(AUTHENTICATED)
         );
@@ -233,6 +236,7 @@ public void testSerialize() throws IOException {
             .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2"))
             .field("ignore_requests", Collections.singletonList("ignore-request-1"))
             .field("ignore_headers", Collections.singletonList("test-header"))
+            .field("ignore_url_params", Collections.singletonList("test-param"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -276,6 +280,7 @@ public void testNullSerialize() throws IOException {
             .field("ignore_users", ImmutableList.of("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
             .field("ignore_headers", Collections.emptyList())
+            .field("ignore_url_params", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index b3d916e8ed..92ce7c9112 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -682,7 +682,7 @@ private String getTestPayload() {
             + "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"],"
             + "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"],"
             + "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true,"
-            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"], \"ignore_headers\":[\"\"]},"
+            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"], \"ignore_headers\":[\"\"], \"ignore_url_params\":[]},"
             + "\"compliance\":{"
             + "\"enabled\":true,"
             + "\"internal_config\":true,\"external_config\":true,"

From 77ffba4838915d67b6f049e5cdd2aa4d0e77fd90 Mon Sep 17 00:00:00 2001
From: Derek Ho <dxho@amazon.com>
Date: Fri, 23 Feb 2024 07:10:22 -0500
Subject: [PATCH 062/143] Use GHA `derek-ho/start-opensearch` for OpenSearch
 plugin install tests (#4063)

Signed-off-by: Derek Ho <dxho@amazon.com>
---
 .../action.yml                                | 127 ------------------
 .github/workflows/plugin_install.yml          |  21 +--
 2 files changed, 3 insertions(+), 145 deletions(-)
 delete mode 100644 .github/actions/start-opensearch-with-one-plugin/action.yml

diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml
deleted file mode 100644
index e8e0f4eb77..0000000000
--- a/.github/actions/start-opensearch-with-one-plugin/action.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-name: 'Launch OpenSearch with a single plugin installed'
-description: 'Downloads latest build of OpenSearch, installs a plugin, executes a script and then starts OpenSearch on localhost:9200'
-
-inputs:
-  opensearch-version:
-    description: 'The version of OpenSearch that should be used, e.g "3.0.0"'
-    required: true
-
-  plugin-name:
-    description: 'The name of the plugin to use, such as opensearch-security'
-    required: true
-
-  setup-script-name:
-    description: 'The name of the setup script you want to run i.e. "setup" (do not include file extension). Leave empty to indicate one should not be run.'
-    required: false
-
-  admin-password:
-    description: 'The admin password uses for the cluster'
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-
-    # Configure longpath names if on Windows
-    - name: Enable Longpaths if on Windows
-      if: ${{ runner.os == 'Windows' }}
-      run: git config --system core.longpaths true
-      shell: pwsh
-
-    # Download OpenSearch
-    - name: Download OpenSearch for Windows
-      uses: peternied/download-file@v2
-      if: ${{ runner.os == 'Windows' }}
-      with:
-        url: https://artifacts.opensearch.org/snapshots/core/opensearch/${{ inputs.opensearch-version }}-SNAPSHOT/opensearch-min-${{ inputs.opensearch-version }}-SNAPSHOT-windows-x64-latest.zip
-
-
-    - name: Download OpenSearch for Linux
-      uses: peternied/download-file@v2
-      if: ${{ runner.os == 'Linux' }}
-      with:
-        url: https://artifacts.opensearch.org/snapshots/core/opensearch/${{ inputs.opensearch-version }}-SNAPSHOT/opensearch-min-${{ inputs.opensearch-version }}-SNAPSHOT-linux-x64-latest.tar.gz
-
-    # Extract downloaded zip
-    - name: Extract downloaded tar
-      if: ${{ runner.os == 'Linux' }}
-      run: |
-        tar -xzf opensearch-*.tar.gz
-        rm -f opensearch-*.tar.gz
-      shell: bash
-
-    - name: Extract downloaded zip
-      if: ${{ runner.os == 'Windows' }}
-      run: |
-        tar -xzf opensearch-min-${{ inputs.opensearch-version }}-SNAPSHOT-windows-x64-latest.zip
-        del opensearch-min-${{ inputs.opensearch-version }}-SNAPSHOT-windows-x64-latest.zip
-      shell: pwsh
-
-    # Install the plugin
-    - name: Install Plugin into OpenSearch for Linux
-      if: ${{ runner.os == 'Linux'}}
-      run: |
-        chmod +x ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/bin/opensearch-plugin
-        /bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/bin/opensearch-plugin install file:$(pwd)/opensearch-security.zip"
-      shell: bash
-
-    - name: Install Plugin into OpenSearch for Windows
-      if: ${{ runner.os == 'Windows'}}
-      run: |
-        'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip
-      shell: pwsh
-
-    # Run any configuration scripts
-    - name: Run Setup Script for Linux
-      if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }}
-      run: |
-        echo "running linux setup"
-        export OPENSEARCH_INITIAL_ADMIN_PASSWORD=${{ inputs.admin-password }}
-        chmod +x ./${{ inputs.setup-script-name }}.sh
-        ./${{ inputs.setup-script-name }}.sh
-      shell: bash
-
-    - name: Run Setup Script for Windows
-      if: ${{ runner.os == 'Windows' && inputs.setup-script-name != '' }}
-      run: |
-        echo "running windows setup"
-        $env:OPENSEARCH_INITIAL_ADMIN_PASSWORD="${{ inputs.admin-password }}"
-        .\${{ inputs.setup-script-name }}.bat
-      shell: pwsh
-
-    # Run OpenSearch
-    - name: Run OpenSearch with plugin on Linux
-      if: ${{ runner.os == 'Linux'}}
-      run: /bin/bash -c "./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/bin/opensearch &"
-      shell: bash
-
-    - name: Run OpenSearch with plugin on Windows
-      if: ${{ runner.os == 'Windows'}}
-      run: start .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch.bat
-      shell: pwsh
-
-    # Give the OpenSearch process some time to boot up before sending any requires, might need to increase the default time!
-    - name: Sleep while OpenSearch starts
-      uses: peternied/action-sleep@v1
-      with:
-        seconds: 30
-
-    # Verify that the server is operational
-    - name: Check OpenSearch Running on Linux
-      if: ${{ runner.os != 'Windows'}}
-      run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ inputs.admin-password }}' -k -v --fail-with-body
-      shell: bash
-
-    - name: Check OpenSearch Running on Windows
-      if: ${{ runner.os == 'Windows'}}
-      run: |
-        $credentialBytes = [Text.Encoding]::ASCII.GetBytes("admin:${{ inputs.admin-password }}")
-        $encodedCredentials = [Convert]::ToBase64String($credentialBytes)
-        $baseCredentials = "Basic $encodedCredentials"
-        $Headers = @{ Authorization = $baseCredentials }
-        Invoke-WebRequest -SkipCertificateCheck -Uri 'https://localhost:9200/_cat/plugins' -Headers $Headers;
-      shell: pwsh
-
-    - if: always()
-      run: cat ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/logs/opensearch.log
-      shell: bash
diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml
index b88cfb166f..fb86b915e0 100644
--- a/.github/workflows/plugin_install.yml
+++ b/.github/workflows/plugin_install.yml
@@ -39,27 +39,12 @@ jobs:
         run: mv ./build/distributions/${{ env.PLUGIN_NAME }}-*.zip ${{ env.PLUGIN_NAME }}.zip
         shell: bash
 
-      - name: Create Setup Script
-        if: ${{ runner.os == 'Linux' }}
-        run: |
-          cat > setup.sh <<'EOF'
-          chmod +x  ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh
-          /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh -t"
-          EOF
-
-      - name: Create Setup Script
-        if: ${{ runner.os == 'Windows' }}
-        run: |
-          New-Item .\setup.bat -type file
-          Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y -t"
-          Get-Content .\setup.bat
-
       - name: Run Opensearch with A Single Plugin
-        uses: ./.github/actions/start-opensearch-with-one-plugin
+        uses: derek-ho/start-opensearch@v2
         with:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
-          plugin-name: ${{ env.PLUGIN_NAME }}
-          setup-script-name: setup
+          plugins: "file:$(pwd)/${{ env.PLUGIN_NAME }}.zip"
+          security-enabled: true
           admin-password: ${{ steps.random-password.outputs.generated_name }}
 
       - name: Run sanity tests

From a843b561c1a25f97b4ae48cff7e82f0492ca4d9a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Feb 2024 13:52:30 +0100
Subject: [PATCH 063/143] Bump com.netflix.nebula.ospackage from 11.8.0 to
 11.8.1 (#4073)

Bumps com.netflix.nebula.ospackage from 11.8.0 to 11.8.1.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.netflix.nebula.ospackage&package-manager=gradle&previous-version=11.8.0&new-version=11.8.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 76974f469b..a8dfcda965 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,7 +64,7 @@ plugins {
     id 'maven-publish'
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.8.0"
+    id 'com.netflix.nebula.ospackage' version "11.8.1"
     id "org.gradle.test-retry" version "1.5.8"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"

From 90377a5fb6bf2bf281769e28815f58a58b99274e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Feb 2024 13:53:05 +0100
Subject: [PATCH 064/143] Bump org.scala-lang:scala-library from 2.13.12 to
 2.13.13 (#4072)

Bumps [org.scala-lang:scala-library](https://github.com/scala/scala)
from 2.13.12 to 2.13.13.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/scala/scala/commit/fcc67cd56c67851bf31019ec25ccb09d08b9561b"><code>fcc67cd</code></a>
Merge pull request <a
href="https://redirect.github.com/scala/scala/issues/10695">#10695</a>
from SethTisue/scala-dev-755</li>
<li><a
href="https://github.com/scala/scala/commit/842d69db7d0165baecf9130af94f0579b5344b4e"><code>842d69d</code></a>
fix <code>scala</code> task in our sbt build so REPL has JLine features
again</li>
<li><a
href="https://github.com/scala/scala/commit/ec6078f45f83bd0ca2491b9625220171decf4155"><code>ec6078f</code></a>
Merge pull request <a
href="https://redirect.github.com/scala/scala/issues/10694">#10694</a>
from scala/tasty/test-classpath-standalone-obj</li>
<li><a
href="https://github.com/scala/scala/commit/5936c32710240dcdef0dccc1c9bb6b89549e6d56"><code>5936c32</code></a>
Use stripSuffix over dropRight for clarity</li>
<li><a
href="https://github.com/scala/scala/commit/d9d1307ab9400117001fba9c812e2977dc83e8c8"><code>d9d1307</code></a>
Align tasty file lookup with dotty, add test case</li>
<li><a
href="https://github.com/scala/scala/commit/232521f418c1e2c535d3630b0a5b3972a06bbd4e"><code>232521f</code></a>
Merge pull request <a
href="https://redirect.github.com/scala/scala/issues/10689">#10689</a>
from scalacenter/tasty/switch-3.4.0-stable</li>
<li><a
href="https://github.com/scala/scala/commit/515883b8caa91a5f20a4403c4d19474f714f340f"><code>515883b</code></a>
Merge pull request <a
href="https://redirect.github.com/scala/scala/issues/10688">#10688</a>
from scalacenter/tasty/temp-patch-windows</li>
<li><a
href="https://github.com/scala/scala/commit/da724763ee4fe28462afd41fce6c1cf4e844b0cf"><code>da72476</code></a>
upgrade to 3.4.0 stable</li>
<li><a
href="https://github.com/scala/scala/commit/baadd958e6aafd66409e34f6f35236d71f8d5430"><code>baadd95</code></a>
Disable tasty pipelining tests on windows</li>
<li><a
href="https://github.com/scala/scala/commit/17c0c74ae078431f70bbd68e3442255ca80a23e7"><code>17c0c74</code></a>
Merge pull request <a
href="https://redirect.github.com/scala/scala/issues/10686">#10686</a>
from som-snytt/tweak/12944-hashset-issubset</li>
<li>Additional commits viewable in <a
href="https://github.com/scala/scala/compare/v2.13.12...v2.13.13">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.scala-lang:scala-library&package-manager=gradle&previous-version=2.13.12&new-version=2.13.13)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index a8dfcda965..b065fd1acf 100644
--- a/build.gradle
+++ b/build.gradle
@@ -476,7 +476,7 @@ configurations {
         resolutionStrategy {
             force 'commons-codec:commons-codec:1.16.1'
             force 'org.slf4j:slf4j-api:1.7.36'
-            force 'org.scala-lang:scala-library:2.13.12'
+            force 'org.scala-lang:scala-library:2.13.13'
             force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
             force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
             force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
@@ -702,7 +702,7 @@ dependencies {
     testRuntimeOnly ("org.springframework:spring-core:${spring_version}") {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
-    testRuntimeOnly 'org.scala-lang:scala-library:2.13.12'
+    testRuntimeOnly 'org.scala-lang:scala-library:2.13.13'
     testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.1') {

From 26b224fa1e2986431f22cf865592c4ce6fa6f49c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Feb 2024 14:06:59 +0100
Subject: [PATCH 065/143] Bump com.google.googlejavaformat:google-java-format
 from 1.19.2 to 1.20.0 (#4074)

Bumps
[com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format)
from 1.19.2 to 1.20.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/google-java-format/releases">com.google.googlejavaformat:google-java-format's
releases</a>.</em></p>
<blockquote>
<h2>v1.20.0</h2>
<p>This release includes <a
href="https://www.graalvm.org/22.0/reference-manual/native-image/">GraalVM
native-image</a> binaries for google-java-format for windows, linux, and
mac. These binaries offer improved startup performance.</p>
<p>Changes:</p>
<ul>
<li>Keep type-use annotation with type when wrapping
(03efe44d9affc989eee8623651fbdf1bcc7240dc)</li>
<li>Handle 'any' patterns (<a
href="https://redirect.github.com/google/google-java-format/issues/1037">#1037</a>)</li>
</ul>
<p>Full Changelog: <a
href="https://github.com/google/google-java-format/compare/v1.19.2...v1.20.0">https://github.com/google/google-java-format/compare/v1.19.2...v1.20.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/google-java-format/commit/38a7b73c9865270aaaa9273d5674b8ce2dd8f954"><code>38a7b73</code></a>
Release google-java-format 1.20.0</li>
<li><a
href="https://github.com/google/google-java-format/commit/92c609a43bc894e4cd69e9c037491163303d97ed"><code>92c609a</code></a>
Set <code>-march=compatibility</code> for native-image builds</li>
<li><a
href="https://github.com/google/google-java-format/commit/571c2b6ea232e295158154c9fbd6ef18f9e97942"><code>571c2b6</code></a>
Update maven native-image configuration for google-java-format</li>
<li><a
href="https://github.com/google/google-java-format/commit/910586c6390861c448ab7b69fe0fe88a803012dd"><code>910586c</code></a>
Handle <code>.exe</code> extensions for windows native-image</li>
<li><a
href="https://github.com/google/google-java-format/commit/250fa9be7ae921b80c64d3bfe046faff8f3d0009"><code>250fa9b</code></a>
Update release.yml</li>
<li><a
href="https://github.com/google/google-java-format/commit/865cdf873e13be398f6346bb54b7be5fd58c1498"><code>865cdf8</code></a>
Apply suggestions from code review</li>
<li><a
href="https://github.com/google/google-java-format/commit/0bc08ab915eaee7cb6063fe2963df4108e5b84f4"><code>0bc08ab</code></a>
Update release.yml</li>
<li><a
href="https://github.com/google/google-java-format/commit/4e9aa25d91968d6b7bd01482e06eaf12b2ff20cd"><code>4e9aa25</code></a>
Update .github/workflows/release.yml</li>
<li><a
href="https://github.com/google/google-java-format/commit/9851a393fede8821489317d54e5bf02e6dc0bf72"><code>9851a39</code></a>
Generate native-image binaries for google-java-format</li>
<li><a
href="https://github.com/google/google-java-format/commit/b9b41faf47e13692c02a517ea9ebe7d173fe7374"><code>b9b41fa</code></a>
Add Windows native build</li>
<li>Additional commits viewable in <a
href="https://github.com/google/google-java-format/compare/v1.19.2...v1.20.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.googlejavaformat:google-java-format&package-manager=gradle&previous-version=1.19.2&new-version=1.20.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index b065fd1acf..439212ab03 100644
--- a/build.gradle
+++ b/build.gradle
@@ -741,7 +741,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.19.2') {
+    implementation('com.google.googlejavaformat:google-java-format:1.20.0') {
         exclude group: 'com.google.guava'
     }
 }

From 142913e149ffe6c775e975867207b53208c955fb Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Wed, 28 Feb 2024 16:40:56 +0100
Subject: [PATCH 066/143] Add deprecate message that TLSv1 and TLSv1.1 support
 will be removed in the next major version (#4053)

### Description
Since TLSv1.1 was deprecated in 2021 (RFC
[8996](https://datatracker.ietf.org/doc/html/rfc8996)) and new
deprication message was added.

By default JDK 18 uses TLS 1.2 and latest stable 1.3

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../security/OpenSearchSecurityPlugin.java    | 28 ++++++++++
 .../security/ssl/util/SSLConfigConstants.java |  4 +-
 .../ssl/util/SSLConfigConstantsTest.java      | 55 +++++++++++++++++++
 3 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index bde984531e..688b797e85 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -310,6 +310,20 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
             return;
         }
 
+        if (settings.hasValue(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS)) {
+            verifyTLSVersion(
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS,
+                settings.getAsList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS)
+            );
+        }
+
+        if (settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS)) {
+            verifyTLSVersion(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS,
+                settings.getAsList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS)
+            );
+        }
+
         if (SSLConfig.isSslOnlyMode()) {
             this.sslCertReloadEnabled = false;
             log.warn("OpenSearch Security plugin run in ssl only mode. No authentication or authorization is performed");
@@ -437,6 +451,20 @@ public List<String> run() {
         }
     }
 
+    private void verifyTLSVersion(final String settings, final List<String> configuredProtocols) {
+        for (final var tls : configuredProtocols) {
+            if (tls.equalsIgnoreCase("TLSv1") || tls.equalsIgnoreCase("TLSv1.1")) {
+                deprecationLogger.deprecate(
+                    settings,
+                    "The '{}' setting contains {} protocol version which was deprecated since 2021 (RFC 8996). "
+                        + "Support for it will be removed in the next major release.",
+                    settings,
+                    tls
+                );
+            }
+        }
+    }
+
     private String sha256(Path p) {
 
         if (!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) {
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
index 2449146b39..a3b9348496 100644
--- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
+++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
@@ -101,7 +101,7 @@ public final class SSLConfigConstants {
 
     private static final String[] _SECURE_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2", "TLSv1.1" };
 
-    public static final String[] getSecureSSLProtocols(Settings settings, boolean http) {
+    public static String[] getSecureSSLProtocols(Settings settings, boolean http) {
         List<String> configuredProtocols = null;
 
         if (settings != null) {
@@ -233,7 +233,7 @@ public static final String[] getSecureSSLProtocols(Settings settings, boolean ht
     };
     // @formatter:on
 
-    public static final List<String> getSecureSSLCiphers(Settings settings, boolean http) {
+    public static List<String> getSecureSSLCiphers(Settings settings, boolean http) {
 
         List<String> configuredCiphers = null;
 
diff --git a/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java b/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java
new file mode 100644
index 0000000000..b51efeda03
--- /dev/null
+++ b/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java
@@ -0,0 +1,55 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.ssl.util;
+
+import java.util.List;
+
+import org.junit.Test;
+
+import org.opensearch.common.settings.Settings;
+
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS;
+import static org.junit.Assert.assertArrayEquals;
+
+public class SSLConfigConstantsTest {
+
+    @Test
+    public void testDefaultTLSProtocols() {
+        final var tlsDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false);
+        assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2", "TLSv1.1" }, tlsDefaultProtocols);
+    }
+
+    @Test
+    public void testDefaultSSLProtocols() {
+        final var sslDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, true);
+        assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2", "TLSv1.1" }, sslDefaultProtocols);
+    }
+
+    @Test
+    public void testCustomTLSProtocols() {
+        final var tlsDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(
+            Settings.builder().putList(SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, List.of("TLSv1", "TLSv1.1")).build(),
+            false
+        );
+        assertArrayEquals(new String[] { "TLSv1", "TLSv1.1" }, tlsDefaultProtocols);
+    }
+
+    @Test
+    public void testCustomSSLProtocols() {
+        final var sslDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(
+            Settings.builder().putList(SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, List.of("TLSv1", "TLSv1.1")).build(),
+            true
+        );
+        assertArrayEquals(new String[] { "TLSv1", "TLSv1.1" }, sslDefaultProtocols);
+    }
+
+}

From f3b5727044d041937790cc29511dbdad6016fdd0 Mon Sep 17 00:00:00 2001
From: Cam <17013462+camerondurham@users.noreply.github.com>
Date: Wed, 28 Feb 2024 08:41:28 -0700
Subject: [PATCH 067/143] Log password requirement details in demo environment
 (#4071)

Signed-off-by: Cameron Durham <u64.cam@gmail.com>
---
 .../SecuritySettingsConfigurer.java           | 21 ++++++++----
 .../SecuritySettingsConfigurerTests.java      | 33 ++++++++++++++++++-
 2 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index a68c93f03f..5b497d0f20 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -76,6 +76,7 @@ public class SecuritySettingsConfigurer {
         ".plugins-flow-framework-templates",
         ".plugins-flow-framework-state"
     );
+    static final Integer DEFAULT_PASSWORD_MIN_LENGTH = 8;
     static String ADMIN_PASSWORD = "";
     static String ADMIN_USERNAME = "admin";
 
@@ -131,7 +132,7 @@ void updateAdminPassword() {
             final PasswordValidator passwordValidator = PasswordValidator.of(
                 Settings.builder()
                     .put(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}")
-                    .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 8)
+                    .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, DEFAULT_PASSWORD_MIN_LENGTH)
                     .build()
             );
 
@@ -142,11 +143,19 @@ void updateAdminPassword() {
             }
 
             // If script execution environment is set to demo, validate custom password, else if set to test, skip validation
-            if (shouldValidatePassword
-                && !ADMIN_PASSWORD.isEmpty()
-                && passwordValidator.validate(ADMIN_USERNAME, ADMIN_PASSWORD) != RequestContentValidator.ValidationError.NONE) {
-                System.out.println("Password " + ADMIN_PASSWORD + " is weak. Please re-try with a stronger password.");
-                System.exit(-1);
+            if (shouldValidatePassword && !ADMIN_PASSWORD.isEmpty()) {
+                RequestContentValidator.ValidationError response = passwordValidator.validate(ADMIN_USERNAME, ADMIN_PASSWORD);
+                if (!RequestContentValidator.ValidationError.NONE.equals(response)) {
+                    System.out.println(
+                        String.format(
+                            "Password %s failed validation: \"%s\". Please re-try with a minimum %d character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong. Password strength can be tested here: https://lowe.github.io/tryzxcvbn",
+                            ADMIN_PASSWORD,
+                            response.message(),
+                            DEFAULT_PASSWORD_MIN_LENGTH
+                        )
+                    );
+                    System.exit(-1);
+                }
             }
 
             // if ADMIN_PASSWORD is still an empty string, it implies no custom password was provided. We exit the setup.
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
index 280d704fb8..50a65e7fa2 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -37,6 +37,9 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
+import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_INVALID_REGEX;
+import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_TOO_SHORT;
+import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.DEFAULT_PASSWORD_MIN_LENGTH;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.REST_ENABLED_ROLES;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.SYSTEM_INDICES;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.isKeyPresentInYMLFile;
@@ -55,6 +58,9 @@ public class SecuritySettingsConfigurerTests {
 
     private final String adminPasswordKey = ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD;
 
+    private static final String PASSWORD_VALIDATION_FAILURE_MESSAGE =
+        "Password %s failed validation: \"%s\". Please re-try with a minimum %d character password and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character that is strong. Password strength can be tested here: https://lowe.github.io/tryzxcvbn";
+
     private static SecuritySettingsConfigurer securitySettingsConfigurer;
 
     private static Installer installer;
@@ -125,7 +131,32 @@ public void testUpdateAdminPasswordWithWeakPassword() throws NoSuchFieldExceptio
             System.setSecurityManager(null);
         }
 
-        verifyStdOutContainsString("Password weakpassword is weak. Please re-try with a stronger password.");
+        verifyStdOutContainsString(
+            String.format(
+                PASSWORD_VALIDATION_FAILURE_MESSAGE,
+                "weakpassword",
+                INVALID_PASSWORD_INVALID_REGEX.message(),
+                DEFAULT_PASSWORD_MIN_LENGTH
+            )
+        );
+    }
+
+    @Test
+    public void testUpdateAdminPasswordWithShortPassword() throws NoSuchFieldException, IllegalAccessException {
+
+        setEnv(adminPasswordKey, "short");
+        try {
+            System.setSecurityManager(new NoExitSecurityManager());
+            securitySettingsConfigurer.updateAdminPassword();
+        } catch (SecurityException e) {
+            assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
+        } finally {
+            System.setSecurityManager(null);
+        }
+
+        verifyStdOutContainsString(
+            String.format(PASSWORD_VALIDATION_FAILURE_MESSAGE, "short", INVALID_PASSWORD_TOO_SHORT.message(), DEFAULT_PASSWORD_MIN_LENGTH)
+        );
     }
 
     @Test

From b34d3d53c704a28ea510213099a8f7b75da600d2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Mar 2024 09:20:08 -0600
Subject: [PATCH 068/143] Bump ch.qos.logback:logback-classic from 1.2.13 to
 1.5.2 (#4088)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 439212ab03..06b7645f72 100644
--- a/build.gradle
+++ b/build.gradle
@@ -501,7 +501,7 @@ configurations {
             force "org.apache.httpcomponents:httpcore:4.4.16"
             force "com.google.errorprone:error_prone_annotations:2.25.0"
             force "org.checkerframework:checker-qual:3.42.0"
-            force "ch.qos.logback:logback-classic:1.2.13"
+            force "ch.qos.logback:logback-classic:1.5.2"
         }
     }
 

From ca653c705743b94114e0ac90e6ba976d5d583502 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Mar 2024 09:20:26 -0600
Subject: [PATCH 069/143] Bump Wandalen/wretry.action from 1.4.4 to 1.4.5
 (#4090)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fbb4d6c266..fdbdda24ec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v1.4.4
+        uses: Wandalen/wretry.action@v1.4.5
         with:
           attempt_limit: 5
           attempt_delay: 2000

From 548e21827b1897baf0e22044090e42486462199a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Mar 2024 09:20:33 -0600
Subject: [PATCH 070/143] Bump com.fasterxml.woodstox:woodstox-core from 6.6.0
 to 6.6.1 (#4089)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 06b7645f72..8f0c1ee934 100644
--- a/build.gradle
+++ b/build.gradle
@@ -649,7 +649,7 @@ dependencies {
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.2'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
-    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.6.0'
+    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.6.1'
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"

From d235d97840a8450426f3c9d272e91f6afbd6ddce Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Mar 2024 16:41:17 +0100
Subject: [PATCH 071/143] Bump kafka_version from 3.6.1 to 3.7.0 (#4087)

Bumps `kafka_version` from 3.6.1 to 3.7.0.
Updates `org.apache.kafka:kafka-clients` from 3.6.1 to 3.7.0

Updates `org.apache.kafka:kafka_2.13` from 3.6.1 to 3.7.0

Updates `org.apache.kafka:kafka-server-common` from 3.6.1 to 3.7.0

Updates `org.apache.kafka:kafka-group-coordinator` from 3.6.1 to 3.7.0

Updates `org.apache.kafka:kafka-metadata` from 3.6.1 to 3.7.0

Updates `org.apache.kafka:kafka-storage` from 3.6.1 to 3.7.0


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Craig Perkins <cwperx@amazon.com>
---
 build.gradle | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 8f0c1ee934..dae173e2d4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
         opensearch_build = version_tokens[0] + '.0'
 
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
-        kafka_version  = '3.6.1'
+        kafka_version  = '3.7.0'
         apache_cxf_version = '4.0.3'
         open_saml_version = '4.3.0'
         one_login_java_saml = '2.9.0'
@@ -677,6 +677,7 @@ dependencies {
     testImplementation 'org.apache.httpcomponents:fluent-hc:4.5.14'
     testImplementation "org.apache.httpcomponents.client5:httpclient5-fluent:${versions.httpclient5}"
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}"
+    testImplementation "org.apache.kafka:kafka-server:${kafka_version}"
     testImplementation "org.apache.kafka:kafka-server-common:${kafka_version}"
     testImplementation "org.apache.kafka:kafka-server-common:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-group-coordinator:${kafka_version}"

From 84c86e77a5b22a13826461a01cd339a0aac2872f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Mar 2024 07:50:20 -0400
Subject: [PATCH 072/143] Bump Wandalen/wretry.action from 1.4.5 to 1.4.8
 (#4104)

Bumps
[Wandalen/wretry.action](https://github.com/wandalen/wretry.action) from
1.4.5 to 1.4.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/62e10cbe5cd3012bc08b3b1b451bc2dd612e341a"><code>62e10cb</code></a>
version 1.4.8</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/29408fc1f4712068bdfc402d6b5b82c2194b42ea"><code>29408fc</code></a>
version 1.4.7</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/4edcc92a890e7c277c9c9d0739443f0163bfc7c1"><code>4edcc92</code></a>
Add dependency <code>lodash</code> to build</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/01e08af1eda920192e8e30c9bc3f10d957520355"><code>01e08af</code></a>
version 1.4.6</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/be8b50a15e96655c659de237224462a365d49a0c"><code>be8b50a</code></a>
Merge pull request <a
href="https://redirect.github.com/wandalen/wretry.action/issues/135">#135</a>
from dmvict/workflows</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/c1a72e5a04c8af8cf21ad27b44a232746fa4c64c"><code>c1a72e5</code></a>
Synchronize workflows with <code>js_action</code> branch, remove extra
steps</li>
<li>See full diff in <a
href="https://github.com/wandalen/wretry.action/compare/v1.4.5...v1.4.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Wandalen/wretry.action&package-manager=github_actions&previous-version=1.4.5&new-version=1.4.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fdbdda24ec..c2e97f8e3a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v1.4.5
+        uses: Wandalen/wretry.action@v1.4.8
         with:
           attempt_limit: 5
           attempt_delay: 2000

From ec01a669e2745ffa4e423934f17c5eb5c63a27a8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Mar 2024 07:50:44 -0400
Subject: [PATCH 073/143] Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1
 to 4.0.2 (#4105)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[jakarta.xml.bind:jakarta.xml.bind-api](https://github.com/jakartaee/jaxb-api)
from 4.0.1 to 4.0.2.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/ca43d8b962e2ef8170616741ca5dd3312ee2316b"><code>ca43d8b</code></a>
Update API version of : to 4.0.2</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/80da6a260bcc0c091eead8c7be1564ebb06b0d6b"><code>80da6a2</code></a>
Snippet fix</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/31fd9dcfd8f7d690dcabafa06e4a6a5bb68519a5"><code>31fd9dc</code></a>
fix whitespaces (tabs to spaces)</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/d2a61347126f6bdc08bf48c275b8f3b74f8d7807"><code>d2a6134</code></a>
drop obsolete travis config</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/6c400455e20c503b7e2fe23322619a52ce14b5c3"><code>6c40045</code></a>
build by 21</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/8e787dc3411a5a708039b3bff883bfee958dbe5d"><code>8e787dc</code></a>
fix typo indicated in <a
href="https://redirect.github.com/jakartaee/jaxb-api/issues/234">#234</a>
(<a
href="https://redirect.github.com/jakartaee/jaxb-api/issues/295">#295</a>)</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/b2c0e7a71a857b279f8e684d319edc5587e075f0"><code>b2c0e7a</code></a>
typos, grammar,</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/62206ad8b1dadb66e56fb8a8738aced60da4bfe5"><code>62206ad</code></a>
Apply <a href="https://github.com/snippet"><code>@​snippet</code></a> to
javadoc,</li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/2156e6a53dc1150813a79254e369caec6f6059c9"><code>2156e6a</code></a>
fix <a
href="https://redirect.github.com/jakartaee/jaxb-api/issues/242">#242</a></li>
<li><a
href="https://github.com/jakartaee/jaxb-api/commit/c87d01c5dc0f1bfae6052909b582552b2406b730"><code>c87d01c</code></a>
update legal files</li>
<li>Additional commits viewable in <a
href="https://github.com/jakartaee/jaxb-api/compare/4.0.1...4.0.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jakarta.xml.bind:jakarta.xml.bind-api&package-manager=gradle&previous-version=4.0.1&new-version=4.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index dae173e2d4..a16ac314c7 100644
--- a/build.gradle
+++ b/build.gradle
@@ -611,7 +611,7 @@ dependencies {
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
     compileOnly 'com.google.errorprone:error_prone_annotations:2.25.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
-    runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.1'
+    runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.6'
 
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'

From 941d3bb985f4c957dc19f939880ab46ae195c695 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Mar 2024 07:51:09 -0400
Subject: [PATCH 074/143] Bump com.google.googlejavaformat:google-java-format
 from 1.20.0 to 1.21.0 (#4106)

Bumps
[com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format)
from 1.20.0 to 1.21.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/google-java-format/releases">com.google.googlejavaformat:google-java-format's
releases</a>.</em></p>
<blockquote>
<h2>v1.21.0</h2>
<p>Formatting changes:</p>
<ul>
<li>Adjust indentation of text blocks
(ce3cb59a8d649359a8e6e7fcc5f2f21bb79b3df1)</li>
</ul>
<p>Bug fixes:</p>
<ul>
<li>Fix a crash with comments inside string templates
(e946e82801eb5bbd52bea00355ba20450bc0725c)</li>
<li>Native image <code>-version</code> reports
<code>HEAD-SNAPSHOT</code> instead of the correct version (<a
href="https://redirect.github.com/google/google-java-format/issues/1068">#1068</a>)</li>
<li>Improve compatibility with older glibc versions (<a
href="https://redirect.github.com/google/google-java-format/issues/1072">#1072</a>)</li>
</ul>
<p>Full Changelog: <a
href="https://github.com/google/google-java-format/compare/v1.20.0...v1.21.0">https://github.com/google/google-java-format/compare/v1.20.0...v1.21.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/google-java-format/commit/ee72f3ad23868d15c48fbf5ad2121e85a338fd28"><code>ee72f3a</code></a>
Release google-java-format 1.21.0</li>
<li><a
href="https://github.com/google/google-java-format/commit/f20d393babf0fb489a90a1d7913d7a43e5f8cff1"><code>f20d393</code></a>
Bump the version number for native image builds</li>
<li><a
href="https://github.com/google/google-java-format/commit/74c510a03f218bdae157ebf06f030afd98eafc39"><code>74c510a</code></a>
Update the IntelliJ plugin to gfj 1.20.0.</li>
<li><a
href="https://github.com/google/google-java-format/commit/cea3782400689132f3f84178a8848b9d7cb4a9e5"><code>cea3782</code></a>
Update release.yml</li>
<li><a
href="https://github.com/google/google-java-format/commit/32d14f0e5b0413e9f64dc2f9116d921ed7adec99"><code>32d14f0</code></a>
Build native on Ubuntu 20.04 instead of latest 22.04 (re. <a
href="https://redirect.github.com/google/google-java-format/issues/1072">#1072</a>).</li>
<li><a
href="https://github.com/google/google-java-format/commit/29b7f93237fbda5f4bbada2cf16e97c9917ca59d"><code>29b7f93</code></a>
Remove an un-used portion of CI YAML</li>
<li><a
href="https://github.com/google/google-java-format/commit/d8216e8c1d15d225223a308c04612d4a5eb60c09"><code>d8216e8</code></a>
Migrate google-java-format to JSpecify</li>
<li><a
href="https://github.com/google/google-java-format/commit/e946e82801eb5bbd52bea00355ba20450bc0725c"><code>e946e82</code></a>
Work around a crash on comments inside string template arguments</li>
<li><a
href="https://github.com/google/google-java-format/commit/ce3cb59a8d649359a8e6e7fcc5f2f21bb79b3df1"><code>ce3cb59</code></a>
Re-indent text blocks</li>
<li>See full diff in <a
href="https://github.com/google/google-java-format/compare/v1.20.0...v1.21.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.googlejavaformat:google-java-format&package-manager=gradle&previous-version=1.20.0&new-version=1.21.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a16ac314c7..32e6e11b4c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -742,7 +742,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.20.0') {
+    implementation('com.google.googlejavaformat:google-java-format:1.21.0') {
         exclude group: 'com.google.guava'
     }
 }

From d526c9f6c2a438c14db8b413148204510b9fe2e2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Mar 2024 07:52:00 -0400
Subject: [PATCH 075/143] Bump ch.qos.logback:logback-classic from 1.5.2 to
 1.5.3 (#4107)

Bumps
[ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from
1.5.2 to 1.5.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/qos-ch/logback/commits/v_1.5.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ch.qos.logback:logback-classic&package-manager=gradle&previous-version=1.5.2&new-version=1.5.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 32e6e11b4c..5b145b9412 100644
--- a/build.gradle
+++ b/build.gradle
@@ -501,7 +501,7 @@ configurations {
             force "org.apache.httpcomponents:httpcore:4.4.16"
             force "com.google.errorprone:error_prone_annotations:2.25.0"
             force "org.checkerframework:checker-qual:3.42.0"
-            force "ch.qos.logback:logback-classic:1.5.2"
+            force "ch.qos.logback:logback-classic:1.5.3"
         }
     }
 

From 65c5b69615609bd93da6495e0412e8584db12819 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 19 Mar 2024 08:51:53 -0400
Subject: [PATCH 076/143] Bump org.apache.zookeeper:zookeeper from 3.9.1. to
 3.9.2 (#4129)

### Description

Bumps org.apache.zookeeper:zookeeper from 3.9.1. to 3.9.2

Resolves WhiteSource Security check seen on byte-buddy upgrade:
https://github.com/opensearch-project/security/pull/4127/checks?check_run_id=22820167922

* Category

Maintenance

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Craig Perkins <craig5008@gmail.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 5b145b9412..e63135a98a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -706,7 +706,7 @@ dependencies {
     testRuntimeOnly 'org.scala-lang:scala-library:2.13.13'
     testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
-    testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.1') {
+    testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.2') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
         exclude(group:'ch.qos.logback', module: 'logback-core' )
     }

From 582d2cddbe3c23640370698647752b39ff58eed0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 14:08:30 +0100
Subject: [PATCH 077/143] Bump com.google.errorprone:error_prone_annotations
 from 2.25.0 to 2.26.1 (#4126)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[com.google.errorprone:error_prone_annotations](https://github.com/google/error-prone)
from 2.25.0 to 2.26.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/error-prone/releases">com.google.errorprone:error_prone_annotations's
releases</a>.</em></p>
<blockquote>
<h2>Error Prone 2.26.1</h2>
<p>This release contains all of the changes in <a
href="https://github.com/google/error-prone/releases/tag/v2.26.0">2.26.0</a>,
plus a bug fix to the module name of the annotations artifact
<code>com.google.errorprone.annotations</code> (<a
href="https://github.com/google/error-prone/commit/9d99ee76f2ca8568b69150f5df7fe845c8545d16">https://github.com/google/error-prone/commit/9d99ee76f2ca8568b69150f5df7fe845c8545d16</a>)</p>
<p>Starting in <code>2.26.x</code>, the 'annotations' artifact now
includes a <code>module-info.java</code> for Java Platform Module System
support, thanks to <a
href="https://github.com/sgammon"><code>@​sgammon</code></a> in <a
href="https://redirect.github.com/google/error-prone/issues/4311">#4311</a>.</p>
<hr />
<p><strong>Compatibility note:</strong></p>
<p>Now that the annotations artifact explicit declares a module instead
of relying on <code>Automatic-Module-Name</code>, JDK 17 and newer
perform stricter module encapsulation checks. Modularized libraries
depending on Error Prone annotations <code>2.26.x</code> and newer may
see errors like:</p>
<pre><code>error: package com.google.errorprone.annotations is not
visible
import com.google.errorprone.annotations.CheckReturnValue;
                            ^
(package com.google.errorprone.annotations is declared in module
com.google.errorprone.annotations, but module ... does not read it)
</code></pre>
<p>The fix is to add <code>requires static</code> to the module
declaration of modularized libraries that depend on Error Prone
annotations:</p>
<pre lang="diff"><code> module your.module {
...
+  requires static com.google.errorprone.annotations;
 }
</code></pre>
<hr />
<p>Full Changelog: <a
href="https://github.com/google/error-prone/compare/v2.26.0...v2.26.1">https://github.com/google/error-prone/compare/v2.26.0...v2.26.1</a></p>
<h2>Error Prone 2.26.0</h2>
<p><strong>Warning: This release contains a bug, please use <a
href="https://github.com/google/error-prone/releases/tag/v2.26.1">2.26.1</a>
or newer instead.</strong></p>
<p>Changes:</p>
<ul>
<li>The 'annotations' artifact now includes a
<code>module-info.java</code> for Java Platform Module System support,
thanks to <a
href="https://github.com/sgammon"><code>@​sgammon</code></a> in <a
href="https://redirect.github.com/google/error-prone/issues/4311">#4311</a>.</li>
<li>Disabled checks passed to <code>-XepPatchChecks</code> are now
ignored, instead of causing a crash. Thanks to <a
href="https://github.com/oxkitsune"><code>@​oxkitsune</code></a> in <a
href="https://redirect.github.com/google/error-prone/issues/4028">#4028</a>.</li>
</ul>
<p>New checks:</p>
<ul>
<li><a
href="https://errorprone.info/bugpattern/SystemConsoleNull"><code>SystemConsoleNull</code></a>:
Null-checking <code>System.console()</code> is not a reliable way to
detect if the console is connected to a terminal.</li>
<li><a
href="https://errorprone.info/bugpattern/EnumOrdinal"><code>EnumOrdinal</code></a>:
Discourage uses of <code>Enum.ordinal()</code></li>
</ul>
<p>Closed issues: <a
href="https://redirect.github.com/google/error-prone/issues/2649">#2649</a>,
<a
href="https://redirect.github.com/google/error-prone/issues/3908">#3908</a>,
<a
href="https://redirect.github.com/google/error-prone/issues/4028">#4028</a>,
<a
href="https://redirect.github.com/google/error-prone/issues/4311">#4311</a>,
<a
href="https://redirect.github.com/google/error-prone/issues/4314">#4314</a></p>
<p>Full Changelog: <a
href="https://github.com/google/error-prone/compare/v2.25.0...v2.26.0">https://github.com/google/error-prone/compare/v2.25.0...v2.26.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/google/error-prone/commit/b38057250a8a035d6b3856098145aeab1df1149f"><code>b380572</code></a>
Release Error Prone 2.26.1</li>
<li><a
href="https://github.com/google/error-prone/commit/9d99ee76f2ca8568b69150f5df7fe845c8545d16"><code>9d99ee7</code></a>
fix: module name → <code>com.google.errorprone.annotations</code></li>
<li><a
href="https://github.com/google/error-prone/commit/ea5ef6dd29022683eced044a2b0b3fa91d8b3200"><code>ea5ef6d</code></a>
Add the 'compile' goal for 'compile-java9'</li>
<li><a
href="https://github.com/google/error-prone/commit/0e9536471b6b8e7e03d29584eceb8a0e0f3240d7"><code>0e95364</code></a>
feat: add jpms definition for <code>annotations</code></li>
<li><a
href="https://github.com/google/error-prone/commit/9da2d5580e3939f97ef2e91278b330a56b5ed1fe"><code>9da2d55</code></a>
Ignore disabled checks passed to <code>-XepPatchChecks</code></li>
<li><a
href="https://github.com/google/error-prone/commit/3292632ee5f2776b57171bedef6bdb1c4c222345"><code>3292632</code></a>
Increase year range on <code>Date</code> usages.</li>
<li><a
href="https://github.com/google/error-prone/commit/ad513d5a82dc803dcc5179ffcdf7073d43430623"><code>ad513d5</code></a>
Recommend using <code>var</code> for <code>var unused = ...;</code> and
`var thrown = assertThrows(...</li>
<li><a
href="https://github.com/google/error-prone/commit/af37d35d208d37e9658038127d35afdd41325da4"><code>af37d35</code></a>
ImpossibleNullComparison: emit empty fixes.</li>
<li><a
href="https://github.com/google/error-prone/commit/297019c6706c8c27a58717f0a4269abf92af8de4"><code>297019c</code></a>
Fix some mistakes in the EnumOrdinal examples</li>
<li><a
href="https://github.com/google/error-prone/commit/f3dbb094f5105fa1f5a17c69d50a6663b414a6d5"><code>f3dbb09</code></a>
Move the EnumOrdinal.md doc to the right place (it got overwritten by
automat...</li>
<li>Additional commits viewable in <a
href="https://github.com/google/error-prone/compare/v2.25.0...v2.26.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.errorprone:error_prone_annotations&package-manager=gradle&previous-version=2.25.0&new-version=2.26.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index e63135a98a..8df9a52212 100644
--- a/build.gradle
+++ b/build.gradle
@@ -499,7 +499,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.25.0"
+            force "com.google.errorprone:error_prone_annotations:2.26.1"
             force "org.checkerframework:checker-qual:3.42.0"
             force "ch.qos.logback:logback-classic:1.5.3"
         }
@@ -609,7 +609,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.25.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.26.1'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.6'

From e2893639b32d4a7cf22fafb721cfc48c72591488 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 13:17:37 +0000
Subject: [PATCH 078/143] Bump org.eclipse.platform:org.eclipse.core.runtime
 from 3.30.0 to 3.31.0 (#4122)

Bumps
[org.eclipse.platform:org.eclipse.core.runtime](https://github.com/eclipse-platform/eclipse.platform)
from 3.30.0 to 3.31.0.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/eclipse-platform/eclipse.platform/commits">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.eclipse.platform:org.eclipse.core.runtime&package-manager=gradle&previous-version=3.30.0&new-version=3.31.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 8df9a52212..27061092f5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -494,7 +494,7 @@ configurations {
             force "org.apache.commons:commons-lang3:${versions.commonslang}"
 
             // for spotless transitive dependency CVE
-            force "org.eclipse.platform:org.eclipse.core.runtime:3.30.0"
+            force "org.eclipse.platform:org.eclipse.core.runtime:3.31.0"
 
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"

From 8ccee785d88e43d8f2090cc2d8ba728e75ed4908 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 13:18:07 +0000
Subject: [PATCH 079/143] Bump apache_cxf_version from 4.0.3 to 4.0.4 (#4124)

Bumps `apache_cxf_version` from 4.0.3 to 4.0.4.
Updates `org.apache.cxf:cxf-core` from 4.0.3 to 4.0.4

Updates `org.apache.cxf:cxf-rt-rs-json-basic` from 4.0.3 to 4.0.4

Updates `org.apache.cxf:cxf-rt-security` from 4.0.3 to 4.0.4


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 27061092f5..6513ca87d6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -26,7 +26,7 @@ buildscript {
 
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
         kafka_version  = '3.7.0'
-        apache_cxf_version = '4.0.3'
+        apache_cxf_version = '4.0.4'
         open_saml_version = '4.3.0'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.12.5'

From 6d2fb70cec1bc3b6aa6ec1e5b218668d7abb10bc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 14:18:49 +0100
Subject: [PATCH 080/143] Bump spring_version from 5.3.32 to 5.3.33 (#4125)

Bumps `spring_version` from 5.3.32 to 5.3.33.
Updates `org.springframework:spring-beans` from 5.3.32 to 5.3.33
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/spring-projects/spring-framework/releases">org.springframework:spring-beans's
releases</a>.</em></p>
<blockquote>
<h2>v5.3.33</h2>
<h2>:star: New Features</h2>
<ul>
<li>Extract reusable method for URI validations <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32442">#32442</a></li>
<li>Allow UriTemplate to be built with an empty template <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32438">#32438</a></li>
<li>Refine <code>*HttpMessageConverter#getContentLength</code> return
value null safety <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32332">#32332</a></li>
</ul>
<h2>:lady_beetle: Bug Fixes</h2>
<ul>
<li>AopUtils.getMostSpecificMethod does not return original method for
proxy-derived method anymore <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32369">#32369</a></li>
<li>Better protect against concurrent error handling for async requests
<a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32342">#32342</a></li>
<li>Restore Jetty 10 compatibility in JettyClientHttpResponse <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32337">#32337</a></li>
<li>ContentCachingResponseWrapper no longer honors Content-Type and
Content-Length <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32322">#32322</a></li>
</ul>
<h2>:notebook_with_decorative_cover: Documentation</h2>
<ul>
<li>Build KDoc against <code>5.3.x</code> Spring Framework Javadoc <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32414">#32414</a></li>
</ul>
<h2>:hammer: Dependency Upgrades</h2>
<ul>
<li>Upgrade to Reactor 2020.0.42 <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32422">#32422</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/df041ba032cceb9ca5c96214fe238b91c3f94f63"><code>df041ba</code></a>
Release v5.3.33</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb"><code>297cbae</code></a>
Extract reusable checkSchemeAndPort method</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/274fba47f3b15bc12c8d81571c68987989f812e8"><code>274fba4</code></a>
Additional unit tests for operations on empty UriTemplate</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/5dfec09edd62be011bbdbfd4e225f89b1e750311"><code>5dfec09</code></a>
Allow UriTemplate to be built with an empty template</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/5056e8cbfb2f22204a4227b335291d17f629dfcb"><code>5056e8c</code></a>
Upgrade to Reactor 2020.0.42</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/4566e8685d4baa41a6df4d6815ddc5579c4db073"><code>4566e86</code></a>
Polishing</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/1b84f970dee1cce4c4fbf16ae8a90f17c5c6b12c"><code>1b84f97</code></a>
Disable external Javadoc URLs not supported on JDK 8</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/41bc43b03377b33d8182a7aab30d34a29fba9471"><code>41bc43b</code></a>
Build KDoc against 5.3.x Spring Framework Javadoc</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/915d5bddeaf189b9b638cc3440435291390dfabd"><code>915d5bd</code></a>
Polishing</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/dc86feaeb6571bfffd594412fc409ba305aff316"><code>dc86fea</code></a>
Remove IOException that's not thrown from Javadoc</li>
<li>Additional commits viewable in <a
href="https://github.com/spring-projects/spring-framework/compare/v5.3.32...v5.3.33">compare
view</a></li>
</ul>
</details>
<br />

Updates `org.springframework:spring-core` from 5.3.32 to 5.3.33
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/spring-projects/spring-framework/releases">org.springframework:spring-core's
releases</a>.</em></p>
<blockquote>
<h2>v5.3.33</h2>
<h2>:star: New Features</h2>
<ul>
<li>Extract reusable method for URI validations <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32442">#32442</a></li>
<li>Allow UriTemplate to be built with an empty template <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32438">#32438</a></li>
<li>Refine <code>*HttpMessageConverter#getContentLength</code> return
value null safety <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32332">#32332</a></li>
</ul>
<h2>:lady_beetle: Bug Fixes</h2>
<ul>
<li>AopUtils.getMostSpecificMethod does not return original method for
proxy-derived method anymore <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32369">#32369</a></li>
<li>Better protect against concurrent error handling for async requests
<a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32342">#32342</a></li>
<li>Restore Jetty 10 compatibility in JettyClientHttpResponse <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32337">#32337</a></li>
<li>ContentCachingResponseWrapper no longer honors Content-Type and
Content-Length <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32322">#32322</a></li>
</ul>
<h2>:notebook_with_decorative_cover: Documentation</h2>
<ul>
<li>Build KDoc against <code>5.3.x</code> Spring Framework Javadoc <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32414">#32414</a></li>
</ul>
<h2>:hammer: Dependency Upgrades</h2>
<ul>
<li>Upgrade to Reactor 2020.0.42 <a
href="https://redirect.github.com/spring-projects/spring-framework/issues/32422">#32422</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/df041ba032cceb9ca5c96214fe238b91c3f94f63"><code>df041ba</code></a>
Release v5.3.33</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb"><code>297cbae</code></a>
Extract reusable checkSchemeAndPort method</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/274fba47f3b15bc12c8d81571c68987989f812e8"><code>274fba4</code></a>
Additional unit tests for operations on empty UriTemplate</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/5dfec09edd62be011bbdbfd4e225f89b1e750311"><code>5dfec09</code></a>
Allow UriTemplate to be built with an empty template</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/5056e8cbfb2f22204a4227b335291d17f629dfcb"><code>5056e8c</code></a>
Upgrade to Reactor 2020.0.42</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/4566e8685d4baa41a6df4d6815ddc5579c4db073"><code>4566e86</code></a>
Polishing</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/1b84f970dee1cce4c4fbf16ae8a90f17c5c6b12c"><code>1b84f97</code></a>
Disable external Javadoc URLs not supported on JDK 8</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/41bc43b03377b33d8182a7aab30d34a29fba9471"><code>41bc43b</code></a>
Build KDoc against 5.3.x Spring Framework Javadoc</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/915d5bddeaf189b9b638cc3440435291390dfabd"><code>915d5bd</code></a>
Polishing</li>
<li><a
href="https://github.com/spring-projects/spring-framework/commit/dc86feaeb6571bfffd594412fc409ba305aff316"><code>dc86fea</code></a>
Remove IOException that's not thrown from Javadoc</li>
<li>Additional commits viewable in <a
href="https://github.com/spring-projects/spring-framework/compare/v5.3.32...v5.3.33">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6513ca87d6..faee33aa5c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -32,7 +32,7 @@ buildscript {
         jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'
         jaxb_version = '2.3.9'
-        spring_version = '5.3.32'
+        spring_version = '5.3.33'
 
         if (buildVersionQualifier) {
             opensearch_build += "-${buildVersionQualifier}"

From 9806699cc727489c8d46637986f7860e81ed7066 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 14:19:02 +0100
Subject: [PATCH 081/143] Bump org.awaitility:awaitility from 4.2.0 to 4.2.1
 (#4123)

Bumps
[org.awaitility:awaitility](https://github.com/awaitility/awaitility)
from 4.2.0 to 4.2.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/awaitility/awaitility/blob/master/changelog.txt">org.awaitility:awaitility's
changelog</a>.</em></p>
<blockquote>
<h2>Changelog 4.2.1 (2024-03-15)</h2>
<ul>
<li>
<p>Upgraded Kotlin to 1.9.22</p>
</li>
<li>
<p>Added extension properties forever, then, and, given to the Kotlin
extension. This allows you to do e.g.:</p>
<p>await.forever until { .. }</p>
</li>
<li>
<p>Added shortcut for enabling logging. Before you had to do e.g.</p>
<p>await()
.with()
.conditionEvaluationListener(new ConditionEvaluationLogger(log::info))
.pollInterval(ONE_HUNDRED_MILLISECONDS)
.until(logs::size, is(4));</p>
<p>You can now instead use the &quot;logging&quot; shortcut:</p>
<p>await()
.with()
.logging(log::info)
.pollInterval(ONE_HUNDRED_MILLISECONDS)
.until(logs::size, is(4));</p>
<p>or simply &quot;.logging()&quot; for &quot;System.out&quot;.</p>
<p>This shortcut has also been added globally:</p>
<p>Awaitility.setLogging(log::info);</p>
<p>or</p>
<p>Awaitility.setDefaultLogging();</p>
</li>
<li>
<p>Improved lambda detection for Java 17 and Java 21</p>
</li>
<li>
<p>Upgraded Groovy to 4.0.19</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/awaitility/awaitility/commit/ff13b724c45853c3becbec988a1447ac2508762d"><code>ff13b72</code></a>
[maven-release-plugin] prepare release awaitility-4.2.1</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/f80c2996d96c81b203f0483a55adfcc200c2963c"><code>f80c299</code></a>
[ci skip] Preparing changelog for release</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/4be5236649ef6b16e805137fa7be404ce4db3e09"><code>4be5236</code></a>
[ci skip] Fixed typo in changelog</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/e15b97560d873a7a632dc7cfaabff6d2fea92f50"><code>e15b975</code></a>
Fixed failing tests</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/7f7656e48377739cc41afdc60bf8f3c47135b196"><code>7f7656e</code></a>
Adding 17 and 21 to tests</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/32eafb69b38ff87ba4fae8b133e0ccc9ffa1a126"><code>32eafb6</code></a>
Improved lambda detection and upgraded groovy/scala</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/801293612b7a608d5e8c8ddce24b1398cdc4d2fe"><code>8012936</code></a>
Trying to fix failing test</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/b01855d944d96d072e4e760e1f81afb78d12afe7"><code>b01855d</code></a>
Revert &quot;Added java 21 tests&quot;</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/0e7dff0f0f36d50a88379ca810496ed91123aa83"><code>0e7dff0</code></a>
Revert &quot;Revert &quot;Use Duration factories in Durations.java (<a
href="https://redirect.github.com/awaitility/awaitility/issues/268">#268</a>)&quot;&quot;</li>
<li><a
href="https://github.com/awaitility/awaitility/commit/97076a9acea3b6c3a07eda72a52bfdc6a4df6200"><code>97076a9</code></a>
Added java 21 tests</li>
<li>Additional commits viewable in <a
href="https://github.com/awaitility/awaitility/compare/awaitility-4.2.0...awaitility-4.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.awaitility:awaitility&package-manager=gradle&previous-version=4.2.0&new-version=4.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index faee33aa5c..7fcd272c32 100644
--- a/build.gradle
+++ b/build.gradle
@@ -688,7 +688,7 @@ dependencies {
     testImplementation "org.springframework:spring-beans:${spring_version}"
     testImplementation 'org.junit.jupiter:junit-jupiter:5.10.2'
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.2'
-    testImplementation('org.awaitility:awaitility:4.2.0') {
+    testImplementation('org.awaitility:awaitility:4.2.1') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
     // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
@@ -731,7 +731,7 @@ dependencies {
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
     integrationTestImplementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
     integrationTestImplementation "org.bouncycastle:bcutil-jdk18on:${versions.bouncycastle}"
-    integrationTestImplementation('org.awaitility:awaitility:4.2.0') {
+    integrationTestImplementation('org.awaitility:awaitility:4.2.1') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
     integrationTestImplementation 'com.unboundid:unboundid-ldapsdk:4.0.14'

From 343fc7764afa84c6dab5022730edb43443bef64f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 13:39:33 +0000
Subject: [PATCH 082/143] Bump derek-ho/start-opensearch from 2 to 3 (#4120)

Bumps
[derek-ho/start-opensearch](https://github.com/derek-ho/start-opensearch)
from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/derek-ho/start-opensearch/releases">derek-ho/start-opensearch's
releases</a>.</em></p>
<blockquote>
<h2>Release v3</h2>
<p>Allow port flexibility</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/derek-ho/start-opensearch/commit/8ff0865d993ba02ad5cb710a4e987cbd9ba8a78a"><code>8ff0865</code></a>
Allow port flexibility (<a
href="https://redirect.github.com/derek-ho/start-opensearch/issues/4">#4</a>)</li>
<li><a
href="https://github.com/derek-ho/start-opensearch/commit/7937c245c92de8f59b140f2d28061b08e0b125a0"><code>7937c24</code></a>
Adds support for custom opensearch.yml file (<a
href="https://redirect.github.com/derek-ho/start-opensearch/issues/3">#3</a>)</li>
<li>See full diff in <a
href="https://github.com/derek-ho/start-opensearch/compare/v2...v3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=derek-ho/start-opensearch&package-manager=github_actions&previous-version=2&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/plugin_install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml
index fb86b915e0..6fa8c74beb 100644
--- a/.github/workflows/plugin_install.yml
+++ b/.github/workflows/plugin_install.yml
@@ -40,7 +40,7 @@ jobs:
         shell: bash
 
       - name: Run Opensearch with A Single Plugin
-        uses: derek-ho/start-opensearch@v2
+        uses: derek-ho/start-opensearch@v3
         with:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugins: "file:$(pwd)/${{ env.PLUGIN_NAME }}.zip"

From 32ba887290161eebbdd0788ffc02c0fb9d1b38c6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 09:41:58 -0400
Subject: [PATCH 083/143] Bump Wandalen/wretry.action from 1.4.8 to 1.4.10
 (#4121)

Bumps
[Wandalen/wretry.action](https://github.com/wandalen/wretry.action) from
1.4.8 to 1.4.10.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/1a10d4835a1506f513ad8e7488aeb474ab20055c"><code>1a10d48</code></a>
version 1.4.10</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/f1ef3f2629b067ead8e23abc5c38abaec4413d2a"><code>f1ef3f2</code></a>
version 1.4.9</li>
<li>See full diff in <a
href="https://github.com/wandalen/wretry.action/compare/v1.4.8...v1.4.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Wandalen/wretry.action&package-manager=github_actions&previous-version=1.4.8&new-version=1.4.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c2e97f8e3a..0595106ce7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v1.4.8
+        uses: Wandalen/wretry.action@v1.4.10
         with:
           attempt_limit: 5
           attempt_delay: 2000

From 25e2e51edecdd1a436223a2bae5fab8e975d2069 Mon Sep 17 00:00:00 2001
From: David Osorno <48450162+davidosorno@users.noreply.github.com>
Date: Tue, 19 Mar 2024 08:57:45 -0700
Subject: [PATCH 084/143] Dynamic sign in options (#3869)

### Description
**New Feature**
Allow admins to define the sign-in options that will be displayed on
OpenSearch Dashboard login page. There are couple of sign-in options
defined in [Security
documentation](https://opensearch.org/docs/latest/security/configuration/multi-auth/),
and theses options must be available in security _config.yml_ file to be
able to change them dynamically in Security Dashboard.
Furthermore, if `anonymous_auth_enabled` is true it will be available in
Security Dashboard sign-in options to allow admins enable or disable it.

*Old Behavior*
Admins have to update _opensearch_dashboards.yml_ adding or removing
sign-in options, and then restart Dashboards to be able to log in using
other sign-in option.

*New Behavior*
Admins can change sign-in options dynamically without having to restart
the Dashboards, and the changes are applied immediately. Users just need
to logout in order to see the sign-in options available.

### Issues Resolved
- Related
https://github.com/opensearch-project/security-dashboards-plugin/issues/1573

### Testing
Unit Testing, Integration Testing, and Manual Testing.

### Check List
- [x] New functionality includes testing
- [ ] New functionality has been documented
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: David Osorno <daosgu27@gmail.com>
---
 .../security/api/DashboardsInfoTest.java      | 12 ++++
 .../rest/api/MultiTenancyConfigApiAction.java | 31 +++++++++-
 .../privileges/PrivilegesEvaluator.java       |  5 ++
 .../security/rest/DashboardsInfoAction.java   |  1 +
 .../securityconf/DynamicConfigModel.java      |  3 +
 .../securityconf/DynamicConfigModelV6.java    |  6 ++
 .../securityconf/DynamicConfigModelV7.java    |  6 ++
 .../impl/DashboardSignInOption.java           | 29 +++++++++
 .../securityconf/impl/v6/ConfigV6.java        |  7 +++
 .../securityconf/impl/v7/ConfigV7.java        |  8 +++
 .../rest/api/MultiTenancyConfigApiTest.java   | 61 +++++++++++++++++++
 .../securityconf/impl/v6/ConfigV6Test.java    |  8 +++
 .../securityconf/impl/v7/ConfigV7Test.java    |  8 +++
 src/test/resources/restapi/config.yml         | 12 ++++
 .../restapi/securityconfig_nondefault.json    |  3 +-
 15 files changed, 198 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/opensearch/security/securityconf/impl/DashboardSignInOption.java

diff --git a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
index 8bfcd3b8a8..15634e8890 100644
--- a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
@@ -17,6 +17,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.cluster.ClusterManager;
@@ -25,6 +26,7 @@
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_MESSAGE;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_REGEX;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
@@ -53,4 +55,14 @@ public void testDashboardsInfoValidationMessage() throws Exception {
             assertThat(response.getTextFromJsonBody("/password_validation_regex"), equalTo(DEFAULT_PASSWORD_REGEX));
         }
     }
+
+    @Test
+    public void testDashboardsInfoContainsSignInOptions() throws Exception {
+
+        try (TestRestClient client = cluster.getRestClient(DASHBOARDS_USER)) {
+            TestRestClient.HttpResponse response = client.get("_plugins/_security/dashboardsinfo");
+            assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK));
+            assertThat(response.getTextArrayFromJsonBody("/sign_in_options").contains(DashboardSignInOption.BASIC.toString()), is(true));
+        }
+    }
 }
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java
index d56025aec1..2be5778956 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiAction.java
@@ -18,6 +18,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
@@ -33,8 +34,10 @@
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator.DataType;
 import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7;
+import org.opensearch.security.securityconf.impl.v7.ConfigV7.Authc;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.threadpool.ThreadPool;
 
@@ -49,6 +52,7 @@ public class MultiTenancyConfigApiAction extends AbstractApiAction {
     public static final String DEFAULT_TENANT_JSON_PROPERTY = "default_tenant";
     public static final String PRIVATE_TENANT_ENABLED_JSON_PROPERTY = "private_tenant_enabled";
     public static final String MULTITENANCY_ENABLED_JSON_PROPERTY = "multitenancy_enabled";
+    public static final String SIGN_IN_OPTIONS = "sign_in_options";
 
     private static final List<Route> ROUTES = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/tenancy/config"), new Route(PUT, "/tenancy/config"))
@@ -119,7 +123,9 @@ public Map<String, DataType> allowedKeys() {
                             PRIVATE_TENANT_ENABLED_JSON_PROPERTY,
                             DataType.BOOLEAN,
                             MULTITENANCY_ENABLED_JSON_PROPERTY,
-                            DataType.BOOLEAN
+                            DataType.BOOLEAN,
+                            SIGN_IN_OPTIONS,
+                            DataType.ARRAY
                         );
                     }
                 });
@@ -132,6 +138,7 @@ private ToXContent multitenancyContent(final ConfigV7 config) {
             .field(DEFAULT_TENANT_JSON_PROPERTY, config.dynamic.kibana.default_tenant)
             .field(PRIVATE_TENANT_ENABLED_JSON_PROPERTY, config.dynamic.kibana.private_tenant_enabled)
             .field(MULTITENANCY_ENABLED_JSON_PROPERTY, config.dynamic.kibana.multitenancy_enabled)
+            .field(SIGN_IN_OPTIONS, config.dynamic.kibana.sign_in_options)
             .endObject();
     }
 
@@ -177,6 +184,12 @@ private void updateAndValidatesValues(final ConfigV7 config, final JsonNode json
         if (Objects.nonNull(jsonContent.findValue(MULTITENANCY_ENABLED_JSON_PROPERTY))) {
             config.dynamic.kibana.multitenancy_enabled = jsonContent.findValue(MULTITENANCY_ENABLED_JSON_PROPERTY).asBoolean();
         }
+        if (jsonContent.hasNonNull(SIGN_IN_OPTIONS) && jsonContent.findValue(SIGN_IN_OPTIONS).isEmpty() == false) {
+            JsonNode newOptions = jsonContent.findValue(SIGN_IN_OPTIONS);
+            List<DashboardSignInOption> options = getNewSignInOptions(newOptions, config.dynamic.authc);
+            config.dynamic.kibana.sign_in_options = options;
+        }
+
         final String defaultTenant = Optional.ofNullable(config.dynamic.kibana.default_tenant).map(String::toLowerCase).orElse("");
 
         if (!config.dynamic.kibana.private_tenant_enabled && ConfigConstants.TENANCY_PRIVATE_TENANT_NAME.equals(defaultTenant)) {
@@ -202,4 +215,20 @@ private void updateAndValidatesValues(final ConfigV7 config, final JsonNode json
         }
     }
 
+    private List<DashboardSignInOption> getNewSignInOptions(JsonNode newOptions, Authc authc) {
+
+        Set<String> domains = authc.getDomains().keySet();
+
+        return IntStream.range(0, newOptions.size()).mapToObj(newOptions::get).map(JsonNode::asText).filter(option -> {
+            // Checking if the new sign-in options are set in backend.
+            if (option.equals(DashboardSignInOption.ANONYMOUS.toString())
+                || domains.stream().anyMatch(domain -> domain.contains(option.toLowerCase()))) {
+                return true;
+            } else {
+                throw new IllegalArgumentException(
+                    "Validation failure: " + option.toUpperCase() + " authentication provider is not available for this cluster."
+                );
+            }
+        }).map(DashboardSignInOption::valueOf).collect(Collectors.toList());
+    }
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 0f8d132e3e..06e41a2aaa 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -90,6 +90,7 @@
 import org.opensearch.security.securityconf.ConfigModel;
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.securityconf.SecurityRoles;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
@@ -620,6 +621,10 @@ public String dashboardsOpenSearchRole() {
         return dcm.getDashboardsOpenSearchRole();
     }
 
+    public List<DashboardSignInOption> getSignInOptions() {
+        return dcm.getSignInOptions();
+    }
+
     private Set<String> evaluateAdditionalIndexPermissions(final ActionRequest request, final String originalAction) {
         // --- check inner bulk requests
         final Set<String> additionalPermissionsRequired = new HashSet<>();
diff --git a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
index 2b286d0c3d..070648ed92 100644
--- a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
@@ -108,6 +108,7 @@ public void accept(RestChannel channel) throws Exception {
                     builder.field("multitenancy_enabled", evaluator.multitenancyEnabled());
                     builder.field("private_tenant_enabled", evaluator.privateTenantEnabled());
                     builder.field("default_tenant", evaluator.dashboardsDefaultTenant());
+                    builder.field("sign_in_options", evaluator.getSignInOptions());
                     builder.field(
                         "password_validation_error_message",
                         client.settings().get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, DEFAULT_PASSWORD_MESSAGE)
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
index e3d10878da..064f555a75 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModel.java
@@ -52,6 +52,7 @@
 import org.opensearch.security.http.HTTPClientCertAuthenticator;
 import org.opensearch.security.http.HTTPProxyAuthenticator;
 import org.opensearch.security.http.proxy.HTTPExtendedProxyAuthenticator;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 
 public abstract class DynamicConfigModel {
 
@@ -105,6 +106,8 @@ public abstract class DynamicConfigModel {
 
     public abstract Multimap<String, ClientBlockRegistry<String>> getAuthBackendClientBlockRegistries();
 
+    public abstract List<DashboardSignInOption> getSignInOptions();
+
     public abstract Settings getDynamicOnBehalfOfSettings();
 
     protected final Map<String, String> authImplMap = new HashMap<>();
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
index b652893bdd..c7edaf938c 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV6.java
@@ -54,6 +54,7 @@
 import org.opensearch.security.auth.HTTPAuthenticator;
 import org.opensearch.security.auth.blocking.ClientBlockRegistry;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6.Authc;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6.AuthcDomain;
@@ -205,6 +206,11 @@ public Multimap<String, ClientBlockRegistry<String>> getAuthBackendClientBlockRe
         return Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries);
     }
 
+    @Override
+    public List<DashboardSignInOption> getSignInOptions() {
+        return config.dynamic.kibana.sign_in_options;
+    }
+
     @Override
     public Settings getDynamicOnBehalfOfSettings() {
         return Settings.EMPTY;
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
index 91bb59db64..ca237bc054 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java
@@ -60,6 +60,7 @@
 import org.opensearch.security.auth.internal.NoOpAuthenticationBackend;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.http.OnBehalfOfAuthenticator;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7.Authc;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7.AuthcDomain;
@@ -221,6 +222,11 @@ public Multimap<String, ClientBlockRegistry<String>> getAuthBackendClientBlockRe
         return Multimaps.unmodifiableMultimap(authBackendClientBlockRegistries);
     }
 
+    @Override
+    public List<DashboardSignInOption> getSignInOptions() {
+        return config.dynamic.kibana.sign_in_options;
+    }
+
     @Override
     public Settings getDynamicOnBehalfOfSettings() {
         return Settings.builder()
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/DashboardSignInOption.java b/src/main/java/org/opensearch/security/securityconf/impl/DashboardSignInOption.java
new file mode 100644
index 0000000000..3d9fa20e97
--- /dev/null
+++ b/src/main/java/org/opensearch/security/securityconf/impl/DashboardSignInOption.java
@@ -0,0 +1,29 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.securityconf.impl;
+
+public enum DashboardSignInOption {
+    BASIC("basic"),
+    SAML("saml"),
+    OPENID("openid"),
+    ANONYMOUS("anonymous");
+
+    private String option;
+
+    DashboardSignInOption(String option) {
+        this.option = option;
+    }
+
+    public String getOption() {
+        return option;
+    }
+}
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java b/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
index c5b954675b..78758e0603 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/v6/ConfigV6.java
@@ -27,8 +27,10 @@
 
 package org.opensearch.security.securityconf.impl.v6;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 
@@ -43,6 +45,7 @@
 
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.setting.DeprecatedSettings;
 
 public class ConfigV6 {
@@ -100,6 +103,8 @@ public static class Kibana {
         public String opendistro_role = null;
         public String index = ".kibana";
         public boolean do_not_fail_on_forbidden;
+        @JsonInclude(JsonInclude.Include.NON_NULL)
+        public List<DashboardSignInOption> sign_in_options = Arrays.asList(DashboardSignInOption.BASIC);
 
         @Override
         public String toString() {
@@ -113,6 +118,8 @@ public String toString() {
                 + index
                 + ", do_not_fail_on_forbidden="
                 + do_not_fail_on_forbidden
+                + ", sign_in_options="
+                + sign_in_options
                 + "]";
         }
 
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java b/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
index 4028719379..dc9be395b1 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
@@ -27,8 +27,10 @@
 
 package org.opensearch.security.securityconf.impl.v7;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -44,6 +46,7 @@
 
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6;
 import org.opensearch.security.setting.DeprecatedSettings;
 
@@ -76,6 +79,7 @@ public ConfigV7(ConfigV6 c6) {
         dynamic.kibana.private_tenant_enabled = true;
         dynamic.kibana.default_tenant = "";
         dynamic.kibana.server_username = c6.dynamic.kibana.server_username;
+        dynamic.kibana.sign_in_options = c6.dynamic.kibana.sign_in_options;
 
         dynamic.http = new Http();
 
@@ -168,6 +172,8 @@ public static class Kibana {
         public String server_username = "kibanaserver";
         public String opendistro_role = null;
         public String index = ".kibana";
+        @JsonInclude(JsonInclude.Include.NON_NULL)
+        public List<DashboardSignInOption> sign_in_options = Arrays.asList(DashboardSignInOption.BASIC);
 
         @Override
         public String toString() {
@@ -183,6 +189,8 @@ public String toString() {
                 + opendistro_role
                 + ", index="
                 + index
+                + ", sign_in_options="
+                + sign_in_options
                 + "]";
         }
 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
index 8438338869..752335b802 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/MultiTenancyConfigApiTest.java
@@ -15,10 +15,13 @@
 import org.apache.http.HttpStatus;
 import org.junit.Test;
 
+import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.not;
 import static org.hamcrest.core.IsEqual.equalTo;
 import static org.hamcrest.core.StringContains.containsString;
 
@@ -54,9 +57,43 @@ private void verifyTenantUpdate(final Header... header) throws Exception {
             setPrivateTenantAsDefaultResponse.getStatusCode(),
             equalTo(HttpStatus.SC_OK)
         );
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), hasItem(DashboardSignInOption.BASIC.toString()));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), not(hasItem(DashboardSignInOption.SAML.toString())));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), not(hasItem(DashboardSignInOption.OPENID.toString())));
+
+        final HttpResponse updateDashboardSignInOptions = rh.executePutRequest(
+            "/_plugins/_security/api/tenancy/config",
+            "{\"sign_in_options\": [\"BASIC\", \"OPENID\"]}",
+            header
+        );
+        assertThat(updateDashboardSignInOptions.getBody(), updateDashboardSignInOptions.getStatusCode(), equalTo(HttpStatus.SC_OK));
+
         getDashboardsinfoResponse = rh.executeGetRequest("/_plugins/_security/dashboardsinfo", ADMIN_FULL_ACCESS_USER);
         assertThat(getDashboardsinfoResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
         assertThat(getDashboardsinfoResponse.findValueInJson("default_tenant"), equalTo("Private"));
+
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), hasItem((DashboardSignInOption.BASIC.toString())));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), hasItem((DashboardSignInOption.OPENID.toString())));
+
+        final HttpResponse updateUnavailableSignInOption = rh.executePutRequest(
+            "/_plugins/_security/api/tenancy/config",
+            "{\"sign_in_options\": [\"BASIC\", \"SAML\"]}",
+            header
+        );
+        assertThat(updateUnavailableSignInOption.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
+        assertThat(
+            updateUnavailableSignInOption.findValueInJson("error.reason"),
+            containsString("Validation failure: SAML authentication provider is not available for this cluster.")
+        );
+
+        // Ensuring the sign in options array has not been modified due to the Bad Request response.
+        getDashboardsinfoResponse = rh.executeGetRequest("/_plugins/_security/dashboardsinfo", ADMIN_FULL_ACCESS_USER);
+        assertThat(getDashboardsinfoResponse.getStatusCode(), equalTo(HttpStatus.SC_OK));
+
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options").size(), equalTo(2));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), hasItem(DashboardSignInOption.BASIC.toString()));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), hasItem(DashboardSignInOption.OPENID.toString()));
+        assertThat(getDashboardsinfoResponse.findArrayInJson("sign_in_options"), not(hasItem(DashboardSignInOption.SAML.toString())));
     }
 
     @Test
@@ -148,6 +185,30 @@ private void verifyTenantUpdateFailed(final Header... header) throws Exception {
             setRandomStringAsDefaultTenant.findValueInJson("error.reason"),
             containsString("Default tenant should be selected from one of the available tenants.")
         );
+
+        final HttpResponse signInOptionsNonArrayValue = rh.executePutRequest(
+            "/_plugins/_security/api/tenancy/config",
+            "{\"sign_in_options\": \"BASIC\"}",
+            header
+        );
+        assertThat(signInOptionsNonArrayValue.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
+        assertThat(
+            signInOptionsNonArrayValue.getBody(),
+            signInOptionsNonArrayValue.findValueInJson("reason"),
+            containsString("Wrong datatype")
+        );
+
+        final HttpResponse invalidSignInOption = rh.executePutRequest(
+            "/_plugins/_security/api/tenancy/config",
+            "{\"sign_in_options\": [\"INVALID_OPTION\"]}",
+            header
+        );
+        assertThat(invalidSignInOption.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
+        assertThat(
+            invalidSignInOption.getBody(),
+            invalidSignInOption.findValueInJson("error.reason"),
+            containsString("authentication provider is not available for this cluster")
+        );
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/securityconf/impl/v6/ConfigV6Test.java b/src/test/java/org/opensearch/security/securityconf/impl/v6/ConfigV6Test.java
index 2983fc6064..a780b0066f 100644
--- a/src/test/java/org/opensearch/security/securityconf/impl/v6/ConfigV6Test.java
+++ b/src/test/java/org/opensearch/security/securityconf/impl/v6/ConfigV6Test.java
@@ -20,6 +20,10 @@
 
 import org.opensearch.security.DefaultObjectMapper;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
 @RunWith(Parameterized.class)
 public class ConfigV6Test {
     private final boolean omitDefaults;
@@ -31,6 +35,9 @@ public static Iterable<Boolean> omitDefaults() {
 
     public void assertEquals(ConfigV6.Kibana expected, JsonNode node) {
         Assert.assertEquals(expected.multitenancy_enabled, node.get("multitenancy_enabled").asBoolean());
+        assertThat(node.get("sign_in_options").isArray(), is(true));
+        assertThat(node.get("sign_in_options").toString(), containsString(expected.sign_in_options.get(0).toString()));
+
         if (expected.server_username == null) {
             Assert.assertNull(node.get("server_username"));
         } else {
@@ -57,6 +64,7 @@ public void assertEquals(ConfigV6.Kibana expected, JsonNode node) {
 
     private void assertEquals(ConfigV6.Kibana expected, ConfigV6.Kibana actual) {
         Assert.assertEquals(expected.multitenancy_enabled, actual.multitenancy_enabled);
+        assertThat(expected.sign_in_options, is(actual.sign_in_options));
         if (expected.server_username == null) {
             // null is restored to default instead of null
             Assert.assertEquals(new ConfigV6.Kibana().server_username, actual.server_username);
diff --git a/src/test/java/org/opensearch/security/securityconf/impl/v7/ConfigV7Test.java b/src/test/java/org/opensearch/security/securityconf/impl/v7/ConfigV7Test.java
index 542ce878bd..246247c6d9 100644
--- a/src/test/java/org/opensearch/security/securityconf/impl/v7/ConfigV7Test.java
+++ b/src/test/java/org/opensearch/security/securityconf/impl/v7/ConfigV7Test.java
@@ -20,6 +20,10 @@
 
 import org.opensearch.security.DefaultObjectMapper;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
 @RunWith(Parameterized.class)
 public class ConfigV7Test {
     private final boolean omitDefaults;
@@ -31,6 +35,9 @@ public static Iterable<Boolean> omitDefaults() {
 
     public void assertEquals(ConfigV7.Kibana expected, JsonNode node) {
         Assert.assertEquals(expected.multitenancy_enabled, node.get("multitenancy_enabled").asBoolean());
+        assertThat(node.get("sign_in_options").isArray(), is(true));
+        assertThat(node.get("sign_in_options").toString(), containsString(expected.sign_in_options.get(0).toString()));
+
         if (expected.server_username == null) {
             Assert.assertNull(node.get("server_username"));
         } else {
@@ -51,6 +58,7 @@ public void assertEquals(ConfigV7.Kibana expected, JsonNode node) {
 
     private void assertEquals(ConfigV7.Kibana expected, ConfigV7.Kibana actual) {
         Assert.assertEquals(expected.multitenancy_enabled, actual.multitenancy_enabled);
+        assertThat(expected.sign_in_options, is(actual.sign_in_options));
         if (expected.server_username == null) {
             // null is restored to default instead of null
             Assert.assertEquals(new ConfigV7.Kibana().server_username, actual.server_username);
diff --git a/src/test/resources/restapi/config.yml b/src/test/resources/restapi/config.yml
index 2ed865657a..7a7d3d0e98 100644
--- a/src/test/resources/restapi/config.yml
+++ b/src/test/resources/restapi/config.yml
@@ -21,6 +21,18 @@ config:
         internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
         remoteIpHeader: "x-forwarded-for"
     authc:
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 4
+        http_authenticator:
+          type: openid
+          challenge: false
+          config: {}
+        authentication_backend:
+          type: "noop"
+          config: {}
+        description: "Migrated from v6"
       authentication_domain_kerb:
         http_enabled: false
         transport_enabled: false
diff --git a/src/test/resources/restapi/securityconfig_nondefault.json b/src/test/resources/restapi/securityconfig_nondefault.json
index 2482e99674..aae6948b01 100644
--- a/src/test/resources/restapi/securityconfig_nondefault.json
+++ b/src/test/resources/restapi/securityconfig_nondefault.json
@@ -9,7 +9,8 @@
       "private_tenant_enabled" : true,
       "default_tenant" : "",
       "server_username" : "kibanaserver",
-      "index" : ".kibana"
+      "index" : ".kibana",
+      "sign_in_options":["BASIC"]
     },
     "http" : {
       "anonymous_auth_enabled" : false,

From 91efc3b3f063624c661967806a42fdc3943a06aa Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com>
Date: Tue, 19 Mar 2024 11:58:59 -0400
Subject: [PATCH 085/143] Updates admin password string only if correct hash is
 present (#4100)

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
---
 .../security/tools/democonfig/Installer.java  |  5 +-
 .../SecuritySettingsConfigurer.java           | 71 +++++++++-------
 .../SecuritySettingsConfigurerTests.java      | 81 +++++++++++++++++--
 3 files changed, 120 insertions(+), 37 deletions(-)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
index 864607a9c6..f1ee81f84e 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java
@@ -14,6 +14,7 @@
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileReader;
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -97,7 +98,7 @@ public static Installer getInstance() {
      * Installs the demo security configuration
      * @param options the options passed to the script
      */
-    public void installDemoConfiguration(String[] options) {
+    public void installDemoConfiguration(String[] options) throws IOException {
         readOptions(options);
         printScriptHeaders();
         gatherUserInputs();
@@ -108,7 +109,7 @@ public void installDemoConfiguration(String[] options) {
         finishScriptExecution();
     }
 
-    public static void main(String[] options) {
+    public static void main(String[] options) throws IOException {
         Installer installer = Installer.getInstance();
         installer.buildOptions();
         installer.installDemoConfiguration(options);
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index 5b497d0f20..92a7915114 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -12,24 +12,22 @@
 package org.opensearch.security.tools.democonfig;
 
 import java.io.BufferedReader;
-import java.io.BufferedWriter;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileReader;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
+import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.JsonNode;
+import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.Strings;
-import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
 import org.opensearch.security.support.ConfigConstants;
@@ -38,6 +36,7 @@
 import org.yaml.snakeyaml.DumperOptions;
 import org.yaml.snakeyaml.Yaml;
 
+import static org.opensearch.security.DefaultObjectMapper.YAML_MAPPER;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX;
 
@@ -81,6 +80,7 @@ public class SecuritySettingsConfigurer {
     static String ADMIN_USERNAME = "admin";
 
     private final Installer installer;
+    static final String DEFAULT_ADMIN_PASSWORD = "admin";
 
     public SecuritySettingsConfigurer(Installer installer) {
         this.installer = installer;
@@ -92,7 +92,7 @@ public SecuritySettingsConfigurer(Installer installer) {
      * 2. Sets the custom admin password (Generates one if none is provided)
      * 3. Write the security config to opensearch.yml
      */
-    public void configureSecuritySettings() {
+    public void configureSecuritySettings() throws IOException {
         checkIfSecurityPluginIsAlreadyConfigured();
         updateAdminPassword();
         writeSecurityConfigToOpenSearchYML();
@@ -125,9 +125,17 @@ void checkIfSecurityPluginIsAlreadyConfigured() {
     /**
      * Replaces the admin password in internal_users.yml with the custom or generated password
      */
-    void updateAdminPassword() {
+    void updateAdminPassword() throws IOException {
         String INTERNAL_USERS_FILE_PATH = installer.OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator + "internal_users.yml";
         boolean shouldValidatePassword = installer.environment.equals(ExecutionEnvironment.DEMO);
+
+        // check if the password `admin` is present, if not skip updating admin password
+        if (!isAdminPasswordSetToAdmin(INTERNAL_USERS_FILE_PATH)) {
+            System.out.println("Admin password seems to be custom configured. Skipping update to admin password.");
+            return;
+        }
+
+        // if hashed value for default password "admin" is found, update it with the custom password.
         try {
             final PasswordValidator passwordValidator = PasswordValidator.of(
                 Settings.builder()
@@ -169,17 +177,29 @@ void updateAdminPassword() {
                 System.exit(-1);
             }
 
-            // Print an update to the logs
-            System.out.println("Admin password set successfully.");
-
+            // Update the custom password in internal_users.yml file
             writePasswordToInternalUsersFile(ADMIN_PASSWORD, INTERNAL_USERS_FILE_PATH);
 
+            System.out.println("Admin password set successfully.");
+
         } catch (IOException e) {
             System.out.println("Exception updating the admin password : " + e.getMessage());
             System.exit(-1);
         }
     }
 
+    /**
+     * Check if the password for admin user was already updated. (Possibly via a custom internal_users.yml)
+     * @param internalUsersFile Path to internal_users.yml file
+     * @return true if password was already updated, false otherwise
+     * @throws IOException if there was an error while reading the file
+     */
+    private boolean isAdminPasswordSetToAdmin(String internalUsersFile) throws IOException {
+        JsonNode internalUsers = YAML_MAPPER.readTree(new FileInputStream(internalUsersFile));
+        return internalUsers.has("admin")
+            && OpenBSDBCrypt.checkPassword(internalUsers.get("admin").get("hash").asText(), DEFAULT_ADMIN_PASSWORD.toCharArray());
+    }
+
     /**
      * Generate password hash and update it in the internal_users.yml file
      * @param adminPassword the password to be hashed and updated
@@ -190,31 +210,24 @@ void writePasswordToInternalUsersFile(String adminPassword, String internalUsers
         String hashedAdminPassword = Hasher.hash(adminPassword.toCharArray());
 
         if (hashedAdminPassword.isEmpty()) {
-            System.out.println("Hash the admin password failure, see console for details");
+            System.out.println("Failure while hashing the admin password, see console for details.");
             System.exit(-1);
         }
 
-        Path tempFilePath = Paths.get(internalUsersFile + ".tmp");
-        Path internalUsersPath = Paths.get(internalUsersFile);
-
-        try (
-            BufferedReader reader = new BufferedReader(new FileReader(internalUsersFile, StandardCharsets.UTF_8));
-            BufferedWriter writer = new BufferedWriter(new FileWriter(tempFilePath.toFile(), StandardCharsets.UTF_8))
-        ) {
-            String line;
-            while ((line = reader.readLine()) != null) {
-                if (line.matches(" *hash: *\"\\$2a\\$12\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"")) {
-                    line = line.replace(
-                        "\"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"",
-                        "\"" + hashedAdminPassword + "\""
-                    );
-                }
-                writer.write(line + System.lineSeparator());
+        try {
+            var map = YAML_MAPPER.readValue(new File(internalUsersFile), new TypeReference<Map<String, LinkedHashMap<String, Object>>>() {
+            });
+            var admin = map.get("admin");
+            if (admin != null) {
+                // Replace the password since the default password was found via the check: isAdminPasswordSetToAdmin(..)
+                admin.put("hash", hashedAdminPassword);
             }
+
+            // Write the updated map back to the internal_users.yml file
+            YAML_MAPPER.writeValue(new File(internalUsersFile), map);
         } catch (IOException e) {
             throw new IOException("Unable to update the internal users file with the hashed password.");
         }
-        Files.move(tempFilePath, internalUsersPath, java.nio.file.StandardCopyOption.REPLACE_EXISTING);
     }
 
     /**
@@ -329,7 +342,7 @@ static boolean isNodeMaxLocalStorageNodesAlreadyPresent(String filePath) {
     static boolean isKeyPresentInYMLFile(String filePath, String key) throws IOException {
         JsonNode node;
         try {
-            node = DefaultObjectMapper.YAML_MAPPER.readTree(new File(filePath));
+            node = YAML_MAPPER.readTree(new File(filePath));
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
index 50a65e7fa2..f4b56e6f76 100644
--- a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
+++ b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java
@@ -21,16 +21,22 @@
 import java.io.PrintStream;
 import java.lang.reflect.Field;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.tools.Hasher;
 import org.opensearch.security.tools.democonfig.util.NoExitSecurityManager;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -39,6 +45,7 @@
 import static org.hamcrest.Matchers.is;
 import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_INVALID_REGEX;
 import static org.opensearch.security.dlic.rest.validation.RequestContentValidator.ValidationError.INVALID_PASSWORD_TOO_SHORT;
+import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.DEFAULT_ADMIN_PASSWORD;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.DEFAULT_PASSWORD_MIN_LENGTH;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.REST_ENABLED_ROLES;
 import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.SYSTEM_INDICES;
@@ -66,13 +73,14 @@ public class SecuritySettingsConfigurerTests {
     private static Installer installer;
 
     @Before
-    public void setUp() {
+    public void setUp() throws IOException {
         System.setOut(new PrintStream(outContent));
         System.setErr(new PrintStream(outContent));
         installer = Installer.getInstance();
         installer.buildOptions();
         securitySettingsConfigurer = new SecuritySettingsConfigurer(installer);
         setUpConf();
+        setUpInternalUsersYML();
     }
 
     @After
@@ -87,7 +95,7 @@ public void tearDown() throws NoSuchFieldException, IllegalAccessException {
     }
 
     @Test
-    public void testUpdateAdminPasswordWithCustomPassword() throws NoSuchFieldException, IllegalAccessException {
+    public void testUpdateAdminPasswordWithCustomPassword() throws NoSuchFieldException, IllegalAccessException, IOException {
         String customPassword = "myStrongPassword123";
         setEnv(adminPasswordKey, customPassword);
 
@@ -104,7 +112,7 @@ public void testUpdateAdminPassword_noPasswordSupplied() {
         try {
             System.setSecurityManager(new NoExitSecurityManager());
             securitySettingsConfigurer.updateAdminPassword();
-        } catch (SecurityException e) {
+        } catch (SecurityException | IOException e) {
             assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
         } finally {
             System.setSecurityManager(null);
@@ -125,7 +133,7 @@ public void testUpdateAdminPasswordWithWeakPassword() throws NoSuchFieldExceptio
         try {
             System.setSecurityManager(new NoExitSecurityManager());
             securitySettingsConfigurer.updateAdminPassword();
-        } catch (SecurityException e) {
+        } catch (SecurityException | IOException e) {
             assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
         } finally {
             System.setSecurityManager(null);
@@ -148,7 +156,7 @@ public void testUpdateAdminPasswordWithShortPassword() throws NoSuchFieldExcepti
         try {
             System.setSecurityManager(new NoExitSecurityManager());
             securitySettingsConfigurer.updateAdminPassword();
-        } catch (SecurityException e) {
+        } catch (SecurityException | IOException e) {
             assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
         } finally {
             System.setSecurityManager(null);
@@ -160,7 +168,8 @@ public void testUpdateAdminPasswordWithShortPassword() throws NoSuchFieldExcepti
     }
 
     @Test
-    public void testUpdateAdminPasswordWithWeakPassword_skipPasswordValidation() throws NoSuchFieldException, IllegalAccessException {
+    public void testUpdateAdminPasswordWithWeakPassword_skipPasswordValidation() throws NoSuchFieldException, IllegalAccessException,
+        IOException {
         setEnv(adminPasswordKey, "weakpassword");
         installer.environment = ExecutionEnvironment.TEST;
         securitySettingsConfigurer.updateAdminPassword();
@@ -170,6 +179,49 @@ public void testUpdateAdminPasswordWithWeakPassword_skipPasswordValidation() thr
         verifyStdOutContainsString("Admin password set successfully.");
     }
 
+    @Test
+    public void testUpdateAdminPasswordWithCustomInternalUsersYML() throws IOException {
+        String internalUsersFile = installer.OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator + "internal_users.yml";
+        Path internalUsersFilePath = Paths.get(internalUsersFile);
+
+        List<String> newContent = Arrays.asList(
+            "_meta:",
+            "  type: \"internalusers\"",
+            "  config_version: 2",
+            "admin:",
+            "  hash: " + Hasher.hash(RandomStringUtils.randomAlphanumeric(16).toCharArray()),
+            "  backend_roles:",
+            "  - \"admin\""
+        );
+        // overwriting existing content
+        Files.write(internalUsersFilePath, newContent, StandardCharsets.UTF_8);
+
+        securitySettingsConfigurer.updateAdminPassword();
+
+        verifyStdOutContainsString("Admin password seems to be custom configured. Skipping update to admin password.");
+    }
+
+    @Test
+    public void testUpdateAdminPasswordWithDefaultInternalUsersYml() {
+
+        SecuritySettingsConfigurer.ADMIN_PASSWORD = ""; // to ensure 0 flaky-ness
+        try {
+            System.setSecurityManager(new NoExitSecurityManager());
+            securitySettingsConfigurer.updateAdminPassword();
+        } catch (SecurityException | IOException e) {
+            assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
+        } finally {
+            System.setSecurityManager(null);
+        }
+
+        verifyStdOutContainsString(
+            String.format(
+                "No custom admin password found. Please provide a password via the environment variable %s.",
+                ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD
+            )
+        );
+    }
+
     @Test
     public void testSecurityPluginAlreadyConfigured() {
         securitySettingsConfigurer.writeSecurityConfigToOpenSearchYML();
@@ -353,4 +405,21 @@ void setUpConf() {
     private void verifyStdOutContainsString(String s) {
         assertThat(outContent.toString(), containsString(s));
     }
+
+    private void setUpInternalUsersYML() throws IOException {
+        String internalUsersFile = installer.OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator + "internal_users.yml";
+        Path internalUsersFilePath = Paths.get(internalUsersFile);
+        List<String> defaultContent = Arrays.asList(
+            "_meta:",
+            "  type: \"internalusers\"",
+            "  config_version: 2",
+            "admin:",
+            "  hash: " + Hasher.hash(DEFAULT_ADMIN_PASSWORD.toCharArray()),
+            "  reserved: " + true,
+            "  backend_roles:",
+            "  - \"admin\"",
+            "  description: Demo admin user"
+        );
+        Files.write(internalUsersFilePath, defaultContent, StandardCharsets.UTF_8);
+    }
 }

From 633ff9b30cd34acfb81a264fc49b3d716dd89c64 Mon Sep 17 00:00:00 2001
From: Sicheng Song <sicheng.song@outlook.com>
Date: Tue, 19 Mar 2024 16:10:55 -0700
Subject: [PATCH 086/143] Add query assistant role and new ml system indices
 (#4141)

Signed-off-by: Sicheng Song <sicheng.song@outlook.com>
---
 config/roles.yml                                         | 9 +++++++++
 .../tools/democonfig/SecuritySettingsConfigurer.java     | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/config/roles.yml b/config/roles.yml
index efa83ed02e..e90a4e62a6 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -271,6 +271,15 @@ cross_cluster_search_remote_full_access:
         - 'indices:admin/shards/search_shards'
         - 'indices:data/read/search'
 
+# Allow users to operate query assistant
+ml_query_assistant_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opensearch/ml/execute'
+    - 'cluster:admin/opensearch/ml/memory/conversation/create'
+    - 'cluster:admin/opensearch/ml/memory/interaction/create'
+    - 'cluster:admin/opensearch/ml/predict'
+
 # Allow users to read ML stats/models/tasks
 ml_read_access:
   reserved: true
diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index 92a7915114..e66215ac9a 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -47,8 +47,10 @@ public class SecuritySettingsConfigurer {
 
     static final List<String> REST_ENABLED_ROLES = List.of("all_access", "security_rest_api_access");
     static final List<String> SYSTEM_INDICES = List.of(
+        ".plugins-ml-agent",
         ".plugins-ml-config",
         ".plugins-ml-connector",
+        ".plugins-ml-controller",
         ".plugins-ml-model-group",
         ".plugins-ml-model",
         ".plugins-ml-task",

From fa877babe3dac13c30bcc2bcbe4d484bcdb6101f Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Wed, 20 Mar 2024 12:05:06 -0500
Subject: [PATCH 087/143] [Feature] Check for and perform upgrades on security
 configurations (#4102)

### Description
This adds a new API that allows for checking and updating configurations
from the default configurations on disk. Initial feature supports only
Roles.

#### Response when no upgrade is available
```
GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : false
}
```
#### Response when a new role is available
```
GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : true,
  "upgradeActions" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ]
    }
  }
}
```
#### Response when a new role + existing role were updated
```
GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : true,
  "upgradeActions" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ],
      "modify" : [ "flow_framework_read_access" ]
    }
  }
}
```
#### Perform an upgrade
```
POST _plugins/_security/api/_upgrade_perform
200 {
  "status" : "OK",
  "upgrades" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ],
      "modify" : [ "flow_framework_read_access" ]
    }
  }
}
```

#### Perform an upgrade when unneeded
```
POST _plugins/_security/api/_upgrade_perform
400 {
   "status": "BAD_REQUEST",
   "message": "Unable to upgrade, no differences found in 'roles' config"
}
```

### Issues Resolved
- https://github.com/opensearch-project/security/issues/2316

### Testing
New unit test and integration test cases

### Check List
- [X] New functionality includes testing
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Andrey Pleskach <ples@aiven.io>
Signed-off-by: Peter Nied <peternied@hotmail.com>
---
 .../security/DefaultConfigurationTests.java   | 100 ++++-
 src/integrationTest/resources/roles.yml       |  18 +
 .../ConfigurationRepository.java              |  13 +-
 .../dlic/rest/api/AbstractApiAction.java      |  54 ++-
 .../dlic/rest/api/ConfigUpgradeApiAction.java | 400 ++++++++++++++++++
 .../dlic/rest/api/SecurityRestApiActions.java |   3 +-
 .../validation/RequestContentValidator.java   |   4 +-
 .../rest/validation/ValidationResult.java     |  19 +-
 .../security/securityconf/impl/CType.java     |  59 ++-
 .../api/AbstractApiActionValidationTest.java  |   4 +-
 .../api/ConfigUpgradeApiActionUnitTest.java   | 291 +++++++++++++
 .../InternalUsersApiActionValidationTest.java |  20 +-
 12 files changed, 929 insertions(+), 56 deletions(-)
 create mode 100644 src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java
 create mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiActionUnitTest.java

diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java
index 8bb5b96145..eb028c74e4 100644
--- a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java
@@ -11,10 +11,13 @@
 
 import java.io.IOException;
 import java.nio.file.Path;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.commons.io.FileUtils;
 import org.awaitility.Awaitility;
 import org.junit.AfterClass;
@@ -22,6 +25,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import org.opensearch.test.framework.TestSecurityConfig.User;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -32,16 +36,16 @@
 import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasKey;
+import static org.hamcrest.Matchers.not;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
 public class DefaultConfigurationTests {
 
     private final static Path configurationFolder = ConfigurationFiles.createConfigurationDirectory();
-    public static final String ADMIN_USER_NAME = "admin";
-    public static final String DEFAULT_PASSWORD = "secret";
-    public static final String NEW_USER = "new-user";
-    public static final String LIMITED_USER = "limited-user";
+    private static final User ADMIN_USER = new User("admin");
+    private static final User NEW_USER = new User("new-user");
+    private static final User LIMITED_USER = new User("limited-user");
 
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
@@ -64,15 +68,95 @@ public static void cleanConfigurationDirectory() throws IOException {
 
     @Test
     public void shouldLoadDefaultConfiguration() {
-        try (TestRestClient client = cluster.getRestClient(NEW_USER, DEFAULT_PASSWORD)) {
+        try (TestRestClient client = cluster.getRestClient(NEW_USER)) {
             Awaitility.await().alias("Load default configuration").until(() -> client.getAuthInfo().getStatusCode(), equalTo(200));
         }
-        try (TestRestClient client = cluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
-            client.confirmCorrectCredentials(ADMIN_USER_NAME);
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
+            client.confirmCorrectCredentials(ADMIN_USER.getName());
             HttpResponse response = client.get("_plugins/_security/api/internalusers");
             response.assertStatusCode(200);
             Map<String, Object> users = response.getBodyAs(Map.class);
-            assertThat(users, allOf(aMapWithSize(3), hasKey(ADMIN_USER_NAME), hasKey(NEW_USER), hasKey(LIMITED_USER)));
+            assertThat(
+                users,
+                allOf(aMapWithSize(3), hasKey(ADMIN_USER.getName()), hasKey(NEW_USER.getName()), hasKey(LIMITED_USER.getName()))
+            );
         }
     }
+
+    @Test
+    public void securityRolesUgrade() throws Exception {
+        try (var client = cluster.getRestClient(ADMIN_USER)) {
+            // Setup: Make sure the config is ready before starting modifications
+            Awaitility.await().alias("Load default configuration").until(() -> client.getAuthInfo().getStatusCode(), equalTo(200));
+
+            // Setup: Collect default roles after cluster start
+            final var expectedRoles = client.get("_plugins/_security/api/roles/");
+            final var expectedRoleNames = extractFieldNames(expectedRoles.getBodyAs(JsonNode.class));
+
+            // Verify: Before any changes, nothing to upgrade
+            final var upgradeCheck = client.get("_plugins/_security/api/_upgrade_check");
+            upgradeCheck.assertStatusCode(200);
+            assertThat(upgradeCheck.getBooleanFromJsonBody("/upgradeAvailable"), equalTo(false));
+
+            // Action: Select a role that is part of the defaults and delete that role
+            final var roleToDelete = "flow_framework_full_access";
+            client.delete("_plugins/_security/api/roles/" + roleToDelete).assertStatusCode(200);
+
+            // Action: Select a role that is part of the defaults and alter that role with removal, edits, and additions
+            final var roleToAlter = "flow_framework_read_access";
+            final var originalRoleConfig = client.get("_plugins/_security/api/roles/" + roleToAlter).getBodyAs(JsonNode.class);
+            final var alteredRoleReponse = client.patch("_plugins/_security/api/roles/" + roleToAlter, "[\n" + //
+                "  {\n" + //
+                "    \"op\": \"replace\",\n" + //
+                "    \"path\": \"/cluster_permissions\",\n" + //
+                "    \"value\": [\"a\", \"b\", \"c\"]\n" + //
+                "  },\n" + //
+                "  {\n" + //
+                "    \"op\": \"add\",\n" + //
+                "    \"path\": \"/index_permissions\",\n" + //
+                "    \"value\": [ {\n" + //
+                "        \"index_patterns\": [\"*\"],\n" + //
+                "        \"allowed_actions\": [\"*\"]\n" + //
+                "      }\n" + //
+                "    ]\n" + //
+                "  }\n" + //
+                "]");
+            alteredRoleReponse.assertStatusCode(200);
+            final var alteredRoleJson = alteredRoleReponse.getBodyAs(JsonNode.class);
+            assertThat(originalRoleConfig, not(equalTo(alteredRoleJson)));
+
+            // Verify: Confirm that the upgrade check detects the changes associated with both role resources
+            final var upgradeCheckAfterChanges = client.get("_plugins/_security/api/_upgrade_check");
+            upgradeCheckAfterChanges.assertStatusCode(200);
+            assertThat(
+                upgradeCheckAfterChanges.getTextArrayFromJsonBody("/upgradeActions/roles/add"),
+                equalTo(List.of("flow_framework_full_access"))
+            );
+            assertThat(
+                upgradeCheckAfterChanges.getTextArrayFromJsonBody("/upgradeActions/roles/modify"),
+                equalTo(List.of("flow_framework_read_access"))
+            );
+
+            // Action: Perform the upgrade to the roles configuration
+            final var performUpgrade = client.post("_plugins/_security/api/_upgrade_perform");
+            performUpgrade.assertStatusCode(200);
+            assertThat(performUpgrade.getTextArrayFromJsonBody("/upgrades/roles/add"), equalTo(List.of("flow_framework_full_access")));
+            assertThat(performUpgrade.getTextArrayFromJsonBody("/upgrades/roles/modify"), equalTo(List.of("flow_framework_read_access")));
+
+            // Verify: Same roles as the original state - the deleted role has been restored
+            final var afterUpgradeRoles = client.get("_plugins/_security/api/roles/");
+            final var afterUpgradeRolesNames = extractFieldNames(afterUpgradeRoles.getBodyAs(JsonNode.class));
+            assertThat(afterUpgradeRolesNames, equalTo(expectedRoleNames));
+
+            // Verify: Altered role was restored to its expected state
+            final var afterUpgradeAlteredRoleConfig = client.get("_plugins/_security/api/roles/" + roleToAlter).getBodyAs(JsonNode.class);
+            assertThat(originalRoleConfig, equalTo(afterUpgradeAlteredRoleConfig));
+        }
+    }
+
+    private Set<String> extractFieldNames(final JsonNode json) {
+        final var set = new HashSet<String>();
+        json.fieldNames().forEachRemaining(set::add);
+        return set;
+    }
 }
diff --git a/src/integrationTest/resources/roles.yml b/src/integrationTest/resources/roles.yml
index 02de9bf3d5..2ea7548ad6 100644
--- a/src/integrationTest/resources/roles.yml
+++ b/src/integrationTest/resources/roles.yml
@@ -17,3 +17,21 @@ user_limited-user__limited-role:
       allowed_actions:
         - "indices:data/read/get"
         - "indices:data/read/search"
+flow_framework_full_access:
+  cluster_permissions:
+    - 'cluster:admin/opensearch/flow_framework/*'
+    - 'cluster_monitor'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:admin/aliases/get'
+        - 'indices:admin/mappings/get'
+        - 'indices_monitor'
+flow_framework_read_access:
+  cluster_permissions:
+    - 'cluster:admin/opensearch/flow_framework/workflow/get'
+    - 'cluster:admin/opensearch/flow_framework/workflow/search'
+    - 'cluster:admin/opensearch/flow_framework/workflow_state/get'
+    - 'cluster:admin/opensearch/flow_framework/workflow_state/search'
+    - 'cluster:admin/opensearch/flow_framework/workflow_step/get'
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
index dfbeb16cb3..353286fc4a 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
@@ -123,6 +123,14 @@ private ConfigurationRepository(
         configCache = CacheBuilder.newBuilder().build();
     }
 
+    public String getConfigDirectory() {
+        String lookupDir = System.getProperty("security.default_init.dir");
+        final String cd = lookupDir != null
+            ? (lookupDir + "/")
+            : new Environment(settings, configPath).configDir().toAbsolutePath().toString() + "/opensearch-security/";
+        return cd;
+    }
+
     private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
         try {
             LOGGER.info("Background init thread started. Install default config?: " + installDefaultConfig);
@@ -135,10 +143,7 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
             if (installDefaultConfig) {
 
                 try {
-                    String lookupDir = System.getProperty("security.default_init.dir");
-                    final String cd = lookupDir != null
-                        ? (lookupDir + "/")
-                        : new Environment(settings, configPath).configDir().toAbsolutePath().toString() + "/opensearch-security/";
+                    final String cd = getConfigDirectory();
                     File confFile = new File(cd + "config.yml");
                     if (confFile.exists()) {
                         final ThreadContext threadContext = threadPool.getThreadContext();
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
index ef8a00d700..a38d618da0 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -35,13 +35,16 @@
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.CheckedSupplier;
+import org.opensearch.common.action.ActionFuture;
 import org.opensearch.common.util.concurrent.ThreadContext.StoredContext;
-import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentHelper;
 import org.opensearch.index.engine.VersionConflictEngineException;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.BytesRestResponse;
@@ -226,7 +229,7 @@ protected final ValidationResult<SecurityConfiguration> patchEntity(
         );
     }
 
-    protected final ValidationResult<SecurityConfiguration> patchEntities(
+    protected ValidationResult<SecurityConfiguration> patchEntities(
         final RestRequest request,
         final JsonNode patchContent,
         final SecurityConfiguration securityConfiguration
@@ -336,7 +339,7 @@ final void saveOrUpdateConfiguration(
         final SecurityDynamicConfiguration<?> configuration,
         final OnSucessActionListener<IndexResponse> onSucessActionListener
     ) {
-        saveAndUpdateConfigs(securityApiDependencies.securityIndexName(), client, getConfigType(), configuration, onSucessActionListener);
+        saveAndUpdateConfigsAsync(securityApiDependencies, client, getConfigType(), configuration, onSucessActionListener);
     }
 
     protected final String nameParam(final RestRequest request) {
@@ -367,7 +370,7 @@ protected final ValidationResult<SecurityConfiguration> loadConfiguration(final
         );
     }
 
-    protected final ValidationResult<SecurityDynamicConfiguration<?>> loadConfiguration(
+    protected ValidationResult<SecurityDynamicConfiguration<?>> loadConfiguration(
         final CType cType,
         boolean omitSensitiveData,
         final boolean logComplianceEvent
@@ -485,30 +488,45 @@ public final void onFailure(Exception e) {
 
     }
 
-    public static void saveAndUpdateConfigs(
-        final String indexName,
+    public static ActionFuture<IndexResponse> saveAndUpdateConfigs(
+        final SecurityApiDependencies dependencies,
+        final Client client,
+        final CType cType,
+        final SecurityDynamicConfiguration<?> configuration
+    ) {
+        final var request = createIndexRequestForConfig(dependencies, cType, configuration);
+        return client.index(request);
+    }
+
+    public static void saveAndUpdateConfigsAsync(
+        final SecurityApiDependencies dependencies,
         final Client client,
         final CType cType,
         final SecurityDynamicConfiguration<?> configuration,
         final ActionListener<IndexResponse> actionListener
     ) {
-        final IndexRequest ir = new IndexRequest(indexName);
-        final String id = cType.toLCString();
+        final var ir = createIndexRequestForConfig(dependencies, cType, configuration);
+        client.index(ir, new ConfigUpdatingActionListener<>(new String[] { cType.toLCString() }, client, actionListener));
+    }
 
+    private static IndexRequest createIndexRequestForConfig(
+        final SecurityApiDependencies dependencies,
+        final CType cType,
+        final SecurityDynamicConfiguration<?> configuration
+    ) {
         configuration.removeStatic();
-
+        final BytesReference content;
         try {
-            client.index(
-                ir.id(id)
-                    .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
-                    .setIfSeqNo(configuration.getSeqNo())
-                    .setIfPrimaryTerm(configuration.getPrimaryTerm())
-                    .source(id, XContentHelper.toXContent(configuration, XContentType.JSON, false)),
-                new ConfigUpdatingActionListener<>(new String[] { id }, client, actionListener)
-            );
-        } catch (IOException e) {
+            content = XContentHelper.toXContent(configuration, XContentType.JSON, ToXContent.EMPTY_PARAMS, false);
+        } catch (final IOException e) {
             throw ExceptionsHelper.convertToOpenSearchException(e);
         }
+
+        return new IndexRequest(dependencies.securityIndexName()).id(cType.toLCString())
+            .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
+            .setIfSeqNo(configuration.getSeqNo())
+            .setIfPrimaryTerm(configuration.getPrimaryTerm())
+            .source(cType.toLCString(), content);
     }
 
     protected static class ConfigUpdatingActionListener<Response> implements ActionListener<Response> {
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java
new file mode 100644
index 0000000000..f295ab8c1c
--- /dev/null
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiAction.java
@@ -0,0 +1,400 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.dlic.rest.api;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.client.Client;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.collect.Tuple;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.rest.BytesRestResponse;
+import org.opensearch.rest.RestChannel;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.RestRequest.Method;
+import org.opensearch.security.configuration.ConfigurationRepository;
+import org.opensearch.security.dlic.rest.support.Utils;
+import org.opensearch.security.dlic.rest.validation.EndpointValidator;
+import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
+import org.opensearch.security.dlic.rest.validation.RequestContentValidator.DataType;
+import org.opensearch.security.dlic.rest.validation.ValidationResult;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.support.ConfigHelper;
+import org.opensearch.threadpool.ThreadPool;
+
+import com.flipkart.zjsonpatch.DiffFlags;
+import com.flipkart.zjsonpatch.JsonDiff;
+
+import static org.opensearch.security.dlic.rest.api.Responses.badRequestMessage;
+import static org.opensearch.security.dlic.rest.api.Responses.response;
+import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
+import static org.opensearch.security.dlic.rest.support.Utils.withIOException;
+
+public class ConfigUpgradeApiAction extends AbstractApiAction {
+
+    private final static Logger LOGGER = LogManager.getLogger(ConfigUpgradeApiAction.class);
+
+    private final static Set<CType> SUPPORTED_CTYPES = ImmutableSet.of(CType.ROLES);
+
+    private final static String REQUEST_PARAM_CONFIGS_KEY = "configs";
+
+    private static final List<Route> routes = addRoutesPrefix(
+        ImmutableList.of(new Route(Method.GET, "/_upgrade_check"), new Route(Method.POST, "/_upgrade_perform"))
+    );
+
+    @Inject
+    public ConfigUpgradeApiAction(
+        final ClusterService clusterService,
+        final ThreadPool threadPool,
+        final SecurityApiDependencies securityApiDependencies
+    ) {
+        super(Endpoint.CONFIG, clusterService, threadPool, securityApiDependencies);
+        this.requestHandlersBuilder.configureRequestHandlers(rhb -> {
+            rhb.allMethodsNotImplemented().add(Method.GET, this::canUpgrade).add(Method.POST, this::performUpgrade);
+        });
+    }
+
+    void canUpgrade(final RestChannel channel, final RestRequest request, final Client client) throws IOException {
+        getAndValidateConfigurationsToUpgrade(request).map(this::configurationDifferences).valid(differencesList -> {
+            final var allConfigItemChanges = differencesList.stream()
+                .map(kvp -> new ConfigItemChanges(kvp.v1(), kvp.v2()))
+                .collect(Collectors.toList());
+
+            final var upgradeAvailable = allConfigItemChanges.stream().anyMatch(ConfigItemChanges::hasChanges);
+
+            final ObjectNode response = JsonNodeFactory.instance.objectNode();
+            response.put("status", "OK");
+            response.put("upgradeAvailable", upgradeAvailable);
+
+            if (upgradeAvailable) {
+                final ObjectNode differences = JsonNodeFactory.instance.objectNode();
+                allConfigItemChanges.forEach(configItemChanges -> configItemChanges.addToNode(differences));
+                response.set("upgradeActions", differences);
+            }
+            channel.sendResponse(new BytesRestResponse(RestStatus.OK, XContentType.JSON.mediaType(), response.toPrettyString()));
+        }).error((status, toXContent) -> response(channel, status, toXContent));
+    }
+
+    void performUpgrade(final RestChannel channel, final RestRequest request, final Client client) throws IOException {
+        getAndValidateConfigurationsToUpgrade(request).map(this::configurationDifferences)
+            .map(this::verifyHasDifferences)
+            .map(diffs -> applyDifferences(request, client, diffs))
+            .valid(updatedConfigs -> {
+                final var response = JsonNodeFactory.instance.objectNode();
+                response.put("status", "OK");
+
+                final var allUpdates = JsonNodeFactory.instance.objectNode();
+                updatedConfigs.forEach(configItemChanges -> configItemChanges.addToNode(allUpdates));
+                response.set("upgrades", allUpdates);
+
+                channel.sendResponse(new BytesRestResponse(RestStatus.OK, XContentType.JSON.mediaType(), response.toPrettyString()));
+            })
+            .error((status, toXContent) -> response(channel, status, toXContent));
+    }
+
+    private ValidationResult<List<ConfigItemChanges>> applyDifferences(
+        final RestRequest request,
+        final Client client,
+        final List<Tuple<CType, JsonNode>> differencesToUpdate
+    ) {
+        try {
+            final var updatedResources = new ArrayList<ValidationResult<ConfigItemChanges>>();
+            for (final Tuple<CType, JsonNode> difference : differencesToUpdate) {
+                updatedResources.add(
+                    loadConfiguration(difference.v1(), false, false).map(
+                        configuration -> patchEntities(request, difference.v2(), SecurityConfiguration.of(null, configuration)).map(
+                            patchResults -> {
+                                final var response = saveAndUpdateConfigs(
+                                    securityApiDependencies,
+                                    client,
+                                    difference.v1(),
+                                    patchResults.configuration()
+                                );
+                                return ValidationResult.success(response.actionGet());
+                            }
+                        ).map(indexResponse -> {
+
+                            final var itemsGroupedByOperation = new ConfigItemChanges(difference.v1(), difference.v2());
+                            return ValidationResult.success(itemsGroupedByOperation);
+                        })
+                    )
+                );
+            }
+
+            return ValidationResult.merge(updatedResources);
+        } catch (final Exception ioe) {
+            LOGGER.debug("Error while applying differences", ioe);
+            return ValidationResult.error(
+                RestStatus.BAD_REQUEST,
+                badRequestMessage("Error applying configuration, see the log file to troubleshoot.")
+            );
+        }
+
+    }
+
+    ValidationResult<List<Tuple<CType, JsonNode>>> verifyHasDifferences(List<Tuple<CType, JsonNode>> diffs) {
+        if (diffs.isEmpty()) {
+            return ValidationResult.error(RestStatus.BAD_REQUEST, badRequestMessage("Unable to upgrade, no differences found"));
+        }
+
+        for (final var diff : diffs) {
+            if (diff.v2().size() == 0) {
+                return ValidationResult.error(
+                    RestStatus.BAD_REQUEST,
+                    badRequestMessage("Unable to upgrade, no differences found in '" + diff.v1().toLCString() + "' config")
+                );
+            }
+        }
+        return ValidationResult.success(diffs);
+    }
+
+    private ValidationResult<List<Tuple<CType, JsonNode>>> configurationDifferences(final Set<CType> configurations) {
+        try {
+            final var differences = new ArrayList<ValidationResult<Tuple<CType, JsonNode>>>();
+            for (final var configuration : configurations) {
+                differences.add(computeDifferenceToUpdate(configuration));
+            }
+            return ValidationResult.merge(differences);
+        } catch (final UncheckedIOException ioe) {
+            LOGGER.error("Error while processing differences", ioe.getCause());
+            return ValidationResult.error(
+                RestStatus.BAD_REQUEST,
+                badRequestMessage("Error processing configuration, see the log file to troubleshoot.")
+            );
+        }
+    }
+
+    ValidationResult<Tuple<CType, JsonNode>> computeDifferenceToUpdate(final CType configType) {
+        return withIOException(() -> loadConfiguration(configType, false, false).map(activeRoles -> {
+            final var activeRolesJson = Utils.convertJsonToJackson(activeRoles, true);
+            final var defaultRolesJson = loadConfigFileAsJson(configType);
+            final var rawDiff = JsonDiff.asJson(activeRolesJson, defaultRolesJson, EnumSet.of(DiffFlags.OMIT_VALUE_ON_REMOVE));
+            return ValidationResult.success(new Tuple<>(configType, filterRemoveOperations(rawDiff)));
+        }));
+    }
+
+    private ValidationResult<Set<CType>> getAndValidateConfigurationsToUpgrade(final RestRequest request) {
+        final String[] configs = request.paramAsStringArray(REQUEST_PARAM_CONFIGS_KEY, null);
+
+        final Set<CType> configurations;
+        try {
+            configurations = Optional.ofNullable(configs).map(CType::fromStringValues).orElse(SUPPORTED_CTYPES);
+        } catch (final IllegalArgumentException iae) {
+            return ValidationResult.error(
+                RestStatus.BAD_REQUEST,
+                badRequestMessage("Found invalid configuration option, valid options are: " + CType.lcStringValues())
+            );
+        }
+
+        if (!configurations.stream().allMatch(SUPPORTED_CTYPES::contains)) {
+            // Remove all supported configurations
+            configurations.removeAll(SUPPORTED_CTYPES);
+            return ValidationResult.error(
+                RestStatus.BAD_REQUEST,
+                badRequestMessage("Unsupported configurations for upgrade, " + configurations)
+            );
+        }
+
+        return ValidationResult.success(configurations);
+    }
+
+    private JsonNode filterRemoveOperations(final JsonNode diff) {
+        final ArrayNode filteredDiff = JsonNodeFactory.instance.arrayNode();
+        diff.forEach(node -> {
+            if (!isRemoveOperation(node)) {
+                filteredDiff.add(node);
+                return;
+            } else {
+                if (!hasRootLevelPath(node)) {
+                    filteredDiff.add(node);
+                }
+            }
+        });
+        return filteredDiff;
+    }
+
+    private static String pathRoot(final JsonNode node) {
+        return node.get("path").asText().split("/")[1];
+    }
+
+    private static boolean hasRootLevelPath(final JsonNode node) {
+        final var jsonPath = node.get("path").asText();
+        return jsonPath.charAt(0) == '/' && !jsonPath.substring(1).contains("/");
+    }
+
+    private static boolean isRemoveOperation(final JsonNode node) {
+        return node.get("op").asText().equals("remove");
+    }
+
+    private <T> SecurityDynamicConfiguration<T> loadYamlFile(final String filepath, final CType cType) throws IOException {
+        return ConfigHelper.fromYamlFile(filepath, cType, ConfigurationRepository.DEFAULT_CONFIG_VERSION, 0, 0);
+    }
+
+    JsonNode loadConfigFileAsJson(final CType cType) throws IOException {
+        final var cd = securityApiDependencies.configurationRepository().getConfigDirectory();
+        final var filepath = cType.configFile(Path.of(cd)).toString();
+        try {
+            return AccessController.doPrivileged((PrivilegedExceptionAction<JsonNode>) () -> {
+                final var loadedConfiguration = loadYamlFile(filepath, cType);
+                return Utils.convertJsonToJackson(loadedConfiguration, true);
+            });
+        } catch (final PrivilegedActionException e) {
+            LOGGER.error("Error when loading configuration from file", e);
+            throw (IOException) e.getCause();
+        }
+    }
+
+    @Override
+    public List<Route> routes() {
+        return routes;
+    }
+
+    @Override
+    protected CType getConfigType() {
+        throw new UnsupportedOperationException("This class supports multiple configuration types");
+    }
+
+    @Override
+    protected EndpointValidator createEndpointValidator() {
+        return new EndpointValidator() {
+
+            @Override
+            public Endpoint endpoint() {
+                return endpoint;
+            }
+
+            @Override
+            public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
+                return securityApiDependencies.restApiAdminPrivilegesEvaluator();
+            }
+
+            @Override
+            public ValidationResult<SecurityConfiguration> entityReserved(SecurityConfiguration securityConfiguration) {
+                // Allow modification of reserved entities
+                return ValidationResult.success(securityConfiguration);
+            }
+
+            @Override
+            public ValidationResult<SecurityConfiguration> entityHidden(SecurityConfiguration securityConfiguration) {
+                // Allow modification of hidden entities
+                return ValidationResult.success(securityConfiguration);
+            }
+
+            @Override
+            public RequestContentValidator createRequestContentValidator(final Object... params) {
+                return new ConfigUpgradeContentValidator(new RequestContentValidator.ValidationContext() {
+                    @Override
+                    public Object[] params() {
+                        return params;
+                    }
+
+                    @Override
+                    public Settings settings() {
+                        return securityApiDependencies.settings();
+                    }
+
+                    @Override
+                    public Map<String, DataType> allowedKeys() {
+                        return Map.of(REQUEST_PARAM_CONFIGS_KEY, DataType.ARRAY);
+                    }
+                });
+            }
+        };
+    }
+
+    /** More permissions validation that default ContentValidator  */
+    static class ConfigUpgradeContentValidator extends RequestContentValidator {
+
+        protected ConfigUpgradeContentValidator(final ValidationContext validationContext) {
+            super(validationContext);
+        }
+
+        @Override
+        public ValidationResult<JsonNode> validate(final RestRequest request, final JsonNode jsonContent) throws IOException {
+            return validateContentSize(jsonContent);
+        }
+    }
+
+    /** Tranforms config changes from a raw PATCH into simplier view */
+    static class ConfigItemChanges {
+
+        private final CType config;
+        private final Map<String, List<String>> itemsGroupedByOperation;
+
+        public ConfigItemChanges(final CType config, final JsonNode differences) {
+            this.config = config;
+            this.itemsGroupedByOperation = classifyChanges(differences);
+        }
+
+        public boolean hasChanges() {
+            return !itemsGroupedByOperation.isEmpty();
+        }
+
+        /** Adds the config item changes to the json node */
+        public void addToNode(final ObjectNode node) {
+            final var allOperations = JsonNodeFactory.instance.objectNode();
+            itemsGroupedByOperation.forEach((operation, items) -> {
+                final var arrayNode = allOperations.putArray(operation);
+                items.forEach(arrayNode::add);
+            });
+            node.set(config.toLCString(), allOperations);
+        }
+
+        /**
+         * Classifies the changes to this config into groupings by the type of change, for
+         * multiple changes types on the same item they are groupped as 'modify'
+         */
+        private static Map<String, List<String>> classifyChanges(final JsonNode differences) {
+            final var items = new HashMap<String, String>();
+            differences.forEach(node -> {
+                final var item = pathRoot(node);
+                final var operation = node.get("op").asText();
+                if (items.containsKey(item) && !items.get(item).equals(operation)) {
+                    items.put(item, "modify");
+                } else {
+                    items.put(item, operation);
+                }
+            });
+
+            final var itemsGroupedByOperation = items.entrySet()
+                .stream()
+                .collect(Collectors.groupingBy(Map.Entry::getValue, Collectors.mapping(Map.Entry::getKey, Collectors.toList())));
+            return itemsGroupedByOperation;
+        }
+    }
+}
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
index b0d46f8774..f38cf0580d 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityRestApiActions.java
@@ -95,7 +95,8 @@ public static Collection<RestHandler> getHandler(
             new AllowlistApiAction(Endpoint.ALLOWLIST, clusterService, threadPool, securityApiDependencies),
             new AuditApiAction(clusterService, threadPool, securityApiDependencies),
             new MultiTenancyConfigApiAction(clusterService, threadPool, securityApiDependencies),
-            new SecuritySSLCertsApiAction(clusterService, threadPool, securityKeyStore, certificatesReloadEnabled, securityApiDependencies)
+            new SecuritySSLCertsApiAction(clusterService, threadPool, securityKeyStore, certificatesReloadEnabled, securityApiDependencies),
+            new ConfigUpgradeApiAction(clusterService, threadPool, securityApiDependencies)
         );
     }
 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/RequestContentValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/RequestContentValidator.java
index 452bdd72e4..4d9faf096c 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/RequestContentValidator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/RequestContentValidator.java
@@ -142,7 +142,7 @@ private ValidationResult<JsonNode> parseRequestContent(final RestRequest request
         }
     }
 
-    private ValidationResult<JsonNode> validateContentSize(final JsonNode jsonContent) {
+    protected ValidationResult<JsonNode> validateContentSize(final JsonNode jsonContent) {
         if (jsonContent.isEmpty()) {
             this.validationError = ValidationError.PAYLOAD_MANDATORY;
             return ValidationResult.error(RestStatus.BAD_REQUEST, this);
@@ -150,7 +150,7 @@ private ValidationResult<JsonNode> validateContentSize(final JsonNode jsonConten
         return ValidationResult.success(jsonContent);
     }
 
-    private ValidationResult<JsonNode> validateJsonKeys(final JsonNode jsonContent) {
+    protected ValidationResult<JsonNode> validateJsonKeys(final JsonNode jsonContent) {
         final Set<String> requestedKeys = new HashSet<>();
         jsonContent.fieldNames().forEachRemaining(requestedKeys::add);
         // mandatory settings, one of ...
diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/ValidationResult.java b/src/main/java/org/opensearch/security/dlic/rest/validation/ValidationResult.java
index ea782ea504..921ed4675d 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/ValidationResult.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/ValidationResult.java
@@ -12,7 +12,9 @@
 package org.opensearch.security.dlic.rest.validation;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Objects;
+import java.util.stream.Collectors;
 
 import org.opensearch.common.CheckedBiConsumer;
 import org.opensearch.common.CheckedConsumer;
@@ -50,6 +52,22 @@ public static <L> ValidationResult<L> error(final RestStatus status, final ToXCo
         return new ValidationResult<>(status, errorMessage);
     }
 
+    /**
+     * Transforms a list of validation results into a single validation result of that lists contents.
+     * If any of the validation results are not valid, the first is returned as the error.
+     */
+    public static <L> ValidationResult<List<L>> merge(final List<ValidationResult<L>> results) {
+        if (results.stream().allMatch(ValidationResult::isValid)) {
+            return success(results.stream().map(result -> result.content).collect(Collectors.toList()));
+        }
+
+        return results.stream()
+            .filter(result -> !result.isValid())
+            .map(failedResult -> new ValidationResult<List<L>>(failedResult.status, failedResult.errorMessage))
+            .findFirst()
+            .get();
+    }
+
     public <L> ValidationResult<L> map(final CheckedFunction<C, ValidationResult<L>, IOException> mapper) throws IOException {
         if (content != null) {
             return Objects.requireNonNull(mapper).apply(content);
@@ -82,5 +100,4 @@ public boolean isValid() {
     public ToXContent errorMessage() {
         return errorMessage;
     }
-
 }
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/CType.java b/src/main/java/org/opensearch/security/securityconf/impl/CType.java
index 4e5e2de496..23158e5850 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/CType.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/CType.java
@@ -27,14 +27,17 @@
 
 package org.opensearch.security.securityconf.impl;
 
+import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
+import com.google.common.collect.ImmutableMap;
+
 import org.opensearch.security.auditlog.config.AuditConfig;
 import org.opensearch.security.securityconf.impl.v6.ActionGroupsV6;
 import org.opensearch.security.securityconf.impl.v6.ConfigV6;
@@ -50,21 +53,39 @@
 
 public enum CType {
 
-    INTERNALUSERS(toMap(1, InternalUserV6.class, 2, InternalUserV7.class)),
-    ACTIONGROUPS(toMap(0, List.class, 1, ActionGroupsV6.class, 2, ActionGroupsV7.class)),
-    CONFIG(toMap(1, ConfigV6.class, 2, ConfigV7.class)),
-    ROLES(toMap(1, RoleV6.class, 2, RoleV7.class)),
-    ROLESMAPPING(toMap(1, RoleMappingsV6.class, 2, RoleMappingsV7.class)),
-    TENANTS(toMap(2, TenantV7.class)),
-    NODESDN(toMap(1, NodesDn.class, 2, NodesDn.class)),
-    WHITELIST(toMap(1, WhitelistingSettings.class, 2, WhitelistingSettings.class)),
-    ALLOWLIST(toMap(1, AllowlistingSettings.class, 2, AllowlistingSettings.class)),
-    AUDIT(toMap(1, AuditConfig.class, 2, AuditConfig.class));
+    ACTIONGROUPS(toMap(0, List.class, 1, ActionGroupsV6.class, 2, ActionGroupsV7.class), "action_groups.yml", false),
+    ALLOWLIST(toMap(1, AllowlistingSettings.class, 2, AllowlistingSettings.class), "allowlist.yml", true),
+    AUDIT(toMap(1, AuditConfig.class, 2, AuditConfig.class), "audit.yml", true),
+    CONFIG(toMap(1, ConfigV6.class, 2, ConfigV7.class), "config.yml", false),
+    INTERNALUSERS(toMap(1, InternalUserV6.class, 2, InternalUserV7.class), "internal_users.yml", false),
+    NODESDN(toMap(1, NodesDn.class, 2, NodesDn.class), "nodes_dn.yml", true),
+    ROLES(toMap(1, RoleV6.class, 2, RoleV7.class), "roles.yml", false),
+    ROLESMAPPING(toMap(1, RoleMappingsV6.class, 2, RoleMappingsV7.class), "roles_mapping.yml", false),
+    TENANTS(toMap(2, TenantV7.class), "tenants.yml", false),
+    WHITELIST(toMap(1, WhitelistingSettings.class, 2, WhitelistingSettings.class), "whitelist.yml", true);
+
+    public static final List<CType> REQUIRED_CONFIG_FILES = Arrays.stream(CType.values())
+        .filter(Predicate.not(CType::emptyIfMissing))
+        .collect(Collectors.toList());
+
+    public static final List<CType> NOT_REQUIRED_CONFIG_FILES = Arrays.stream(CType.values())
+        .filter(CType::emptyIfMissing)
+        .collect(Collectors.toList());
+
+    private final Map<Integer, Class<?>> implementations;
+
+    private final String configFileName;
 
-    private Map<Integer, Class<?>> implementations;
+    private final boolean emptyIfMissing;
 
-    private CType(Map<Integer, Class<?>> implementations) {
+    private CType(Map<Integer, Class<?>> implementations, final String configFileName, final boolean emptyIfMissing) {
         this.implementations = implementations;
+        this.configFileName = configFileName;
+        this.emptyIfMissing = emptyIfMissing;
+    }
+
+    public boolean emptyIfMissing() {
+        return emptyIfMissing;
     }
 
     public Map<Integer, Class<?>> getImplementationClass() {
@@ -80,18 +101,22 @@ public String toLCString() {
     }
 
     public static Set<String> lcStringValues() {
-        return Arrays.stream(CType.values()).map(c -> c.toLCString()).collect(Collectors.toSet());
+        return Arrays.stream(CType.values()).map(CType::toLCString).collect(Collectors.toSet());
     }
 
     public static Set<CType> fromStringValues(String[] strings) {
-        return Arrays.stream(strings).map(c -> CType.fromString(c)).collect(Collectors.toSet());
+        return Arrays.stream(strings).map(CType::fromString).collect(Collectors.toSet());
+    }
+
+    public Path configFile(final Path configDir) {
+        return configDir.resolve(this.configFileName);
     }
 
     private static Map<Integer, Class<?>> toMap(Object... objects) {
-        final Map<Integer, Class<?>> map = new HashMap<Integer, Class<?>>();
+        final ImmutableMap.Builder<Integer, Class<?>> map = ImmutableMap.builder();
         for (int i = 0; i < objects.length; i = i + 2) {
             map.put((Integer) objects[i], (Class<?>) objects[i + 1]);
         }
-        return Collections.unmodifiableMap(map);
+        return map.build();
     }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
index f2df09549f..4b2e9e4417 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractApiActionValidationTest.java
@@ -116,10 +116,12 @@ protected CType getConfigType() {
 
     }
 
-    protected JsonNode xContentToJsonNode(final ToXContent toXContent) throws IOException {
+    protected JsonNode xContentToJsonNode(final ToXContent toXContent) {
         try (final var xContentBuilder = XContentFactory.jsonBuilder()) {
             toXContent.toXContent(xContentBuilder, ToXContent.EMPTY_PARAMS);
             return DefaultObjectMapper.readTree(xContentBuilder.toString());
+        } catch (final IOException ioe) {
+            throw new RuntimeException(ioe);
         }
     }
 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiActionUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiActionUnitTest.java
new file mode 100644
index 0000000000..36407cfbc4
--- /dev/null
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiActionUnitTest.java
@@ -0,0 +1,291 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.dlic.rest.api;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.function.Consumer;
+
+import com.google.common.collect.ImmutableList;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.opensearch.action.index.IndexResponse;
+import org.opensearch.client.Client;
+import org.opensearch.common.action.ActionFuture;
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.rest.RestChannel;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.RestResponse;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.dlic.rest.support.Utils;
+import org.opensearch.security.dlic.rest.validation.ValidationResult;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+
+import org.mockito.Mock;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
+public class ConfigUpgradeApiActionUnitTest extends AbstractApiActionValidationTest {
+
+    @Mock
+    private Client client;
+
+    @Mock
+    private RestChannel restChannel;
+
+    @Mock
+    private RestRequest restRequest;
+
+    private ConfigUpgradeApiAction configUpgradeApiAction;
+
+    @Before
+    public void setUp() throws IOException {
+        setupRolesConfiguration();
+        doReturn(XContentFactory.jsonBuilder()).when(restChannel).newBuilder();
+
+        final var actionFuture = mock(ActionFuture.class);
+        doReturn(mock(IndexResponse.class)).when(actionFuture).actionGet();
+        doReturn(actionFuture).when(client).index(any());
+
+        configUpgradeApiAction = spy(new ConfigUpgradeApiAction(clusterService, threadPool, securityApiDependencies));
+
+        final var objectMapper = DefaultObjectMapper.objectMapper;
+        final var config = objectMapper.createObjectNode();
+        config.set("_meta", objectMapper.createObjectNode().put("type", CType.ROLES.toLCString()).put("config_version", 2));
+        config.set("kibana_read_only", objectMapper.createObjectNode().put("reserved", true));
+        final var newRole = objectMapper.createObjectNode();
+        newRole.put("reserved", true);
+        newRole.putArray("cluster_permissions").add("test-permission-1").add("test-permission-2");
+        config.set("new_role", newRole);
+
+        doReturn(config).when(configUpgradeApiAction).loadConfigFileAsJson(any());
+    }
+
+    @Test
+    public void testCanUpgrade_ErrorLoadingConfig() throws Exception {
+        // Setup
+        doThrow(new IOException("abc")).when(configUpgradeApiAction).loadConfigFileAsJson(any());
+
+        // Execute
+        configUpgradeApiAction.canUpgrade(restChannel, restRequest, client);
+
+        // Assert
+        verify(restChannel).sendResponse(verifyResponseBody(body -> assertThat(body, containsString("see the log file to troubleshoot"))));
+    }
+
+    @Test
+    public void testPerformUpgrade_ErrorLoadingConfig() throws Exception {
+        // Setup
+        doThrow(new IOException("abc")).when(configUpgradeApiAction).loadConfigFileAsJson(any());
+
+        // Execute
+        configUpgradeApiAction.performUpgrade(restChannel, restRequest, client);
+
+        // Assert
+        verify(restChannel).sendResponse(verifyResponseBody(body -> assertThat(body, containsString("see the log file to troubleshoot"))));
+    }
+
+    @Test
+    public void testPerformUpgrade_ErrorApplyConfig() throws Exception {
+        // Setup
+        doThrow(new RuntimeException("abc")).when(configUpgradeApiAction).patchEntities(any(), any(), any());
+
+        // Execute
+        configUpgradeApiAction.performUpgrade(restChannel, restRequest, client);
+
+        // Assert
+        verify(restChannel).sendResponse(verifyResponseBody(body -> assertThat(body, containsString("see the log file to troubleshoot"))));
+    }
+
+    @Test
+    public void testPerformUpgrade_NoDifferences() throws Exception {
+        // Setup
+        final var rolesCopy = rolesConfiguration.deepClone();
+        rolesCopy.removeStatic(); // Statics are added by code, not by config files, they should be omitted
+        final var rolesJsonNode = Utils.convertJsonToJackson(rolesCopy, true);
+        doReturn(rolesJsonNode).when(configUpgradeApiAction).loadConfigFileAsJson(any());
+
+        // Execute
+        configUpgradeApiAction.performUpgrade(restChannel, restRequest, client);
+
+        // Verify
+        verify(restChannel).sendResponse(verifyResponseBody(body -> assertThat(body, containsString("no differences found"))));
+    }
+
+    @Test
+    public void testPerformUpgrade_WithDifferences() throws Exception {
+        // Execute
+        configUpgradeApiAction.performUpgrade(restChannel, restRequest, client);
+
+        // Verify
+        verify(restChannel).sendResponse(argThat(response -> {
+            final var rawResponseBody = response.content().utf8ToString();
+            final var newlineNormalizedBody = rawResponseBody.replace("\r\n", "\n");
+            assertThat(newlineNormalizedBody, equalTo("{\n" + //
+                "  \"status\" : \"OK\",\n" + //
+                "  \"upgrades\" : {\n" + //
+                "    \"roles\" : {\n" + //
+                "      \"add\" : [ \"new_role\" ]\n" + //
+                "    }\n" + //
+                "  }\n" + //
+                "}"));
+            return true;
+        }));
+    }
+
+    @Test
+    public void testConfigurationDifferences_OperationBash() throws IOException {
+        final var testCases = new ImmutableList.Builder<ConfigUpgradeApiActionUnitTest.OperationTestCase>();
+
+        testCases.add(
+            new OperationTestCase("Missing entry", source -> {}, updated -> updated.put("a", "1"), List.of(List.of("add", "/a", "1")))
+        );
+
+        testCases.add(
+            new OperationTestCase(
+                "Same object",
+                source -> source.set("a", objectMapper.createObjectNode()),
+                updated -> updated.set("a", objectMapper.createObjectNode()),
+                List.of()
+            )
+        );
+
+        testCases.add(
+            new OperationTestCase("Missing object", source -> source.set("a", objectMapper.createObjectNode()), updated -> {}, List.of())
+        );
+
+        testCases.add(new OperationTestCase("Moved and identical object", source -> {
+            source.set("a", objectMapper.createObjectNode());
+            source.set("b", objectMapper.createObjectNode());
+            source.set("c", objectMapper.createObjectNode());
+        }, updated -> {
+            updated.set("a", objectMapper.createObjectNode());
+            updated.set("c", objectMapper.createObjectNode());
+            updated.set("b", objectMapper.createObjectNode());
+        }, List.of()));
+
+        testCases.add(new OperationTestCase("Moved and different object", source -> {
+            source.set("a", objectMapper.createObjectNode());
+            source.set("b", objectMapper.createObjectNode());
+            source.set("c", objectMapper.createObjectNode());
+        }, updated -> {
+            updated.set("a", objectMapper.createObjectNode());
+            updated.set("c", objectMapper.createObjectNode().put("d", "1"));
+            updated.set("b", objectMapper.createObjectNode());
+        }, List.of(List.of("add", "/c/d", "1"))));
+
+        testCases.add(new OperationTestCase("Removed field object", source -> {
+            source.set("a", objectMapper.createObjectNode().put("hidden", true));
+            source.set("b", objectMapper.createObjectNode());
+        }, updated -> {
+            updated.set("a", objectMapper.createObjectNode());
+            updated.set("b", objectMapper.createObjectNode());
+        }, List.of(List.of("remove", "/a/hidden", "<NULL>"))));
+
+        testCases.add(new OperationTestCase("Removed field object", source -> {
+            final var roleA = objectMapper.createObjectNode();
+            roleA.putArray("cluster_permissions").add("1").add("2").add("3");
+            source.set("a", roleA);
+        }, updated -> {
+            final var roleA = objectMapper.createObjectNode();
+            roleA.putArray("cluster_permissions").add("2").add("11").add("3").add("44");
+            updated.set("a", roleA);
+        },
+            List.of(
+                List.of("remove", "/a/cluster_permissions/0", "<NULL>"),
+                List.of("add", "/a/cluster_permissions/1", "11"),
+                List.of("add", "/a/cluster_permissions/3", "44")
+            )
+        ));
+
+        for (final var tc : testCases.build()) {
+            // Setup
+            final var source = objectMapper.createObjectNode();
+            source.set("_meta", objectMapper.createObjectNode().put("type", CType.ROLES.toLCString()).put("config_version", 2));
+            tc.sourceChanges.accept(source);
+            final var updated = objectMapper.createObjectNode();
+            tc.updates.accept(updated);
+
+            var sourceAsConfig = SecurityDynamicConfiguration.fromJson(objectMapper.writeValueAsString(source), CType.ROLES, 2, 1, 1);
+
+            doReturn(ValidationResult.success(sourceAsConfig)).when(configUpgradeApiAction)
+                .loadConfiguration(any(), anyBoolean(), anyBoolean());
+            doReturn(updated).when(configUpgradeApiAction).loadConfigFileAsJson(any());
+
+            // Execute
+            var result = configUpgradeApiAction.computeDifferenceToUpdate(CType.ACTIONGROUPS);
+
+            // Verify
+            result.valid(differences -> {
+                assertThat(differences.v1(), equalTo(CType.ACTIONGROUPS));
+                assertThat(tc.name + ": Number of operations", differences.v2().size(), equalTo(tc.expectedResults.size()));
+                final var expectedResultsIterator = tc.expectedResults.iterator();
+                differences.v2().forEach(operation -> {
+                    final List<String> expected = expectedResultsIterator.next();
+                    assertThat(
+                        tc.name + ": Operation type" + operation.toPrettyString(),
+                        operation.get("op").asText(),
+                        equalTo(expected.get(0))
+                    );
+                    assertThat(tc.name + ": Path" + operation.toPrettyString(), operation.get("path").asText(), equalTo(expected.get(1)));
+                    assertThat(
+                        tc.name + ": Value " + operation.toPrettyString(),
+                        operation.has("value") ? operation.get("value").asText("<NULL>") : "<NULL>",
+                        equalTo(expected.get(2))
+                    );
+                });
+            });
+        }
+    }
+
+    static class OperationTestCase {
+        final String name;
+        final Consumer<ObjectNode> sourceChanges;
+        final Consumer<ObjectNode> updates;
+        final List<List<String>> expectedResults;
+
+        OperationTestCase(
+            final String name,
+            final Consumer<ObjectNode> sourceChanges,
+            final Consumer<ObjectNode> updates,
+            final List<List<String>> expectedResults
+        ) {
+            this.name = name;
+            this.sourceChanges = sourceChanges;
+            this.updates = updates;
+            this.expectedResults = expectedResults;
+        }
+
+    }
+
+    private RestResponse verifyResponseBody(final Consumer<String> test) {
+        return argThat(response -> {
+            final String content = response.content().utf8ToString();
+            test.accept(content);
+            return true;
+        });
+    }
+
+}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/InternalUsersApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/InternalUsersApiActionValidationTest.java
index 773d356246..2af598f5d5 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/InternalUsersApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/InternalUsersApiActionValidationTest.java
@@ -22,6 +22,7 @@
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.dlic.rest.validation.ValidationResult;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.securityconf.impl.v7.InternalUserV7;
@@ -32,9 +33,13 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.allOf;
+import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 import static org.mockito.Mockito.when;
 
 public class InternalUsersApiActionValidationTest extends AbstractApiActionValidationTest {
@@ -145,19 +150,26 @@ public void validateSecurityRolesWithMutableRolesMappingConfig() throws Exceptio
         // should ok to set regular role with mutable role mapping
         var userJson = objectMapper.createObjectNode().set("opendistro_security_roles", objectMapper.createArrayNode().add("regular_role"));
         var result = internalUsersApiAction.validateSecurityRoles(SecurityConfiguration.of(userJson, "some_user", configuration));
-        assertTrue(result.isValid());
+        assertValidationResultIsValid(result);
         // should be ok to set reserved role with mutable role mapping
         userJson = objectMapper.createObjectNode().set("opendistro_security_roles", objectMapper.createArrayNode().add("kibana_read_only"));
         result = internalUsersApiAction.validateSecurityRoles(SecurityConfiguration.of(userJson, "some_user", configuration));
-        assertTrue(result.isValid());
+        assertValidationResultIsValid(result);
         // should be ok to set static role with mutable role mapping
         userJson = objectMapper.createObjectNode().set("opendistro_security_roles", objectMapper.createArrayNode().add("all_access"));
         result = internalUsersApiAction.validateSecurityRoles(SecurityConfiguration.of(userJson, "some_user", configuration));
-        assertTrue(result.isValid());
+        assertValidationResultIsValid(result);
         // should not be ok to set hidden role with mutable role mapping
         userJson = objectMapper.createObjectNode().set("opendistro_security_roles", objectMapper.createArrayNode().add("some_hidden_role"));
         result = internalUsersApiAction.validateSecurityRoles(SecurityConfiguration.of(userJson, "some_user", configuration));
-        assertFalse(result.isValid());
+        final var errorMessage = xContentToJsonNode(result.errorMessage()).toPrettyString();
+        assertThat(errorMessage, allOf(containsString("NOT_FOUND"), containsString("Resource 'some_hidden_role' is not available.")));
+    }
+
+    <T> void assertValidationResultIsValid(final ValidationResult<T> result) {
+        if (!result.isValid()) {
+            fail("Expected valid result, error message: " + xContentToJsonNode(result.errorMessage()).toPrettyString());
+        }
     }
 
     @Test

From dd119e59dc157d19f2c5836b3af055d931f566e2 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 20 Mar 2024 13:16:51 -0400
Subject: [PATCH 088/143] 2.13 Release notes  (#4140)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 ...nsearch-security.release-notes-2.13.0.0.md | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 release-notes/opensearch-security.release-notes-2.13.0.0.md

diff --git a/release-notes/opensearch-security.release-notes-2.13.0.0.md b/release-notes/opensearch-security.release-notes-2.13.0.0.md
new file mode 100644
index 0000000000..42ccd8fff0
--- /dev/null
+++ b/release-notes/opensearch-security.release-notes-2.13.0.0.md
@@ -0,0 +1,30 @@
+## 2024-03-19 Version 2.13.0.0
+
+Compatible with OpenSearch 2.13.0
+
+### Enhancements
+* Admin role for Query insights plugin ([#4022](https://github.com/opensearch-project/security/pull/4022))
+* Add query assistant role and new ml system indices ([#4143](https://github.com/opensearch-project/security/pull/4143))
+* Redact sensitive configuration values when retrieving security configuration ([#4028](https://github.com/opensearch-project/security/pull/4028))
+* v2.12 update roles.yml with new API for experimental alerting plugin feature ([#4035](https://github.com/opensearch-project/security/pull/4035))
+* Add deprecate message that TLSv1 and TLSv1.1 support will be removed in the next major version ([#4083](https://github.com/opensearch-project/security/pull/4083))
+* Log password requirement details in demo environment ([#4082](https://github.com/opensearch-project/security/pull/4082))
+* Redact sensitive URL parameters from audit logging ([#4070](https://github.com/opensearch-project/security/pull/4070))
+* Fix unconsumed parameter exception when authenticating with jwtUrlParameter ([#4065](https://github.com/opensearch-project/security/pull/4065))
+* Regenerates root-ca, kirk and esnode certificates to address already expired root ca certificate ([#4066](https://github.com/opensearch-project/security/pull/4066))
+* Add exclude_roles configuration parameter to LDAP authorization backend ([#4043](https://github.com/opensearch-project/security/pull/4043))
+
+### Maintenance
+* Add exlusion for logback-core to resolve CVE-2023-6378 ([#4050](https://github.com/opensearch-project/security/pull/4050))
+* Bump com.netflix.nebula.ospackage from 11.7.0 to 11.8.1 ([#4041](https://github.com/opensearch-project/security/pull/4041), [#4075](https://github.com/opensearch-project/security/pull/4075))
+* Bump Wandalen/wretry.action from 1.3.0 to 1.4.10 ([#4042](https://github.com/opensearch-project/security/pull/4042), [#4092](https://github.com/opensearch-project/security/pull/4092), [#4108](https://github.com/opensearch-project/security/pull/4108), [#4135](https://github.com/opensearch-project/security/pull/4135))
+* Bump spring_version from 5.3.31 to 5.3.33 ([#4058](https://github.com/opensearch-project/security/pull/4058), [#4131](https://github.com/opensearch-project/security/pull/4131))
+* Bump org.scala-lang:scala-library from 2.13.12 to 2.13.13 ([#4076](https://github.com/opensearch-project/security/pull/4076))
+* Bump com.google.googlejavaformat:google-java-format from 1.19.1 to 1.21.0 ([#4078](https://github.com/opensearch-project/security/pull/4078), [#4110](https://github.com/opensearch-project/security/pull/4110))
+* Bump ch.qos.logback:logback-classic from 1.2.13 to 1.5.3 ([#4091](https://github.com/opensearch-project/security/pull/4091), [#4111](https://github.com/opensearch-project/security/pull/4111))
+* Bump com.fasterxml.woodstox:woodstox-core from 6.6.0 to 6.6.1 ([#4093](https://github.com/opensearch-project/security/pull/4093))
+* Bump kafka_version from 3.5.1 to 3.7.0 ([#4095](https://github.com/opensearch-project/security/pull/4095))
+* Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 ([#4109](https://github.com/opensearch-project/security/pull/4109))
+* Bump org.apache.zookeeper:zookeeper from 3.9.1. to 3.9.2 ([#4130](https://github.com/opensearch-project/security/pull/4130))
+* Bump org.awaitility:awaitility from 4.2.0 to 4.2.1 ([#4133](https://github.com/opensearch-project/security/pull/4133))
+* Bump com.google.errorprone:error_prone_annotations from 2.25.0 to 2.26.1 ([#4132](https://github.com/opensearch-project/security/pull/4132))

From 6f79d094b80983f36b1b52d4703093f2583ec61e Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 22 Mar 2024 09:33:57 -0400
Subject: [PATCH 089/143] Update Log4JSink Default from sgaudit to audit and
 add test for default values (#4146)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../org/opensearch/security/auditlog/sink/Log4JSink.java    | 2 +-
 .../opensearch/security/auditlog/sink/SinkProviderTest.java | 6 ++++++
 .../auditlog/endpoints/sink/configuration_all_variants.yml  | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/sink/Log4JSink.java b/src/main/java/org/opensearch/security/auditlog/sink/Log4JSink.java
index f01043fa21..cf535e48b1 100644
--- a/src/main/java/org/opensearch/security/auditlog/sink/Log4JSink.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/Log4JSink.java
@@ -27,7 +27,7 @@ public final class Log4JSink extends AuditLogSink {
 
     public Log4JSink(final String name, final Settings settings, final String settingsPrefix, AuditLogSink fallbackSink) {
         super(name, settings, settingsPrefix, fallbackSink);
-        loggerName = settings.get(settingsPrefix + ".log4j.logger_name", "sgaudit");
+        loggerName = settings.get(settingsPrefix + ".log4j.logger_name", "audit");
         auditLogger = LogManager.getLogger(loggerName);
         logLevel = Level.toLevel(settings.get(settingsPrefix + ".log4j.level", "INFO").toUpperCase());
         enabled = auditLogger.isEnabled(logLevel);
diff --git a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
index 5e3203261f..af8204a5c7 100644
--- a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTest.java
@@ -88,6 +88,12 @@ public void testConfiguration() throws Exception {
         Assert.assertEquals("loggername", lsink.loggerName);
         Assert.assertEquals(Level.DEBUG, lsink.logLevel);
 
+        sink = provider.getSink("endpoint13");
+        Assert.assertEquals(Log4JSink.class, sink.getClass());
+        lsink = (Log4JSink) sink;
+        Assert.assertEquals("audit", lsink.loggerName);
+        Assert.assertEquals(Level.INFO, lsink.logLevel);
+
     }
 
     @Test
diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml b/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml
index f1c8620e88..82565ee3ec 100644
--- a/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml
+++ b/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml
@@ -45,3 +45,5 @@ plugins.security:
         config:
           log4j.logger_name: loggername
           log4j.level: invalid
+      endpoint13:
+        type: log4j

From 03db12b9dc1b9c81272e34b1e78ecd0d0ad925d9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Mar 2024 16:15:34 +0000
Subject: [PATCH 090/143] Bump net.shibboleth.utilities:java-support from 8.4.0
 to 8.4.1 (#4163)

Bumps net.shibboleth.utilities:java-support from 8.4.0 to 8.4.1.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=net.shibboleth.utilities:java-support&package-manager=gradle&previous-version=8.4.0&new-version=8.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 7fcd272c32..f74d51d371 100644
--- a/build.gradle
+++ b/build.gradle
@@ -617,7 +617,7 @@ dependencies {
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'
 
     //OpenSAML
-    implementation 'net.shibboleth.utilities:java-support:8.4.0'
+    implementation 'net.shibboleth.utilities:java-support:8.4.1'
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
     implementation "org.opensaml:opensaml-core:${open_saml_version}"

From f2e9b3ef357cdd4b1572c7e7f23a731ba476bff7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Mar 2024 16:16:07 +0000
Subject: [PATCH 091/143] Bump open_saml_version from 4.3.0 to 4.3.1 (#4161)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps `open_saml_version` from 4.3.0 to 4.3.1.
Updates `org.opensaml:opensaml-core` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-security-impl` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-security-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-xmlsec-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-xmlsec-impl` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-saml-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-saml-impl` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-messaging-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-profile-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-soap-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-soap-impl` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-storage-api` from 4.3.0 to 4.3.1

Updates `org.opensaml:opensaml-messaging-impl` from 4.3.0 to 4.3.1


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index f74d51d371..97b4409c13 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,7 +27,7 @@ buildscript {
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
         kafka_version  = '3.7.0'
         apache_cxf_version = '4.0.4'
-        open_saml_version = '4.3.0'
+        open_saml_version = '4.3.1'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'

From bb1b90044955547c1addeec41602ee39c247b55d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Mar 2024 16:16:42 +0000
Subject: [PATCH 092/143] Bump net.minidev:accessors-smart from 2.5.0 to 2.5.1
 (#4162)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[net.minidev:accessors-smart](https://github.com/netplex/json-smart-v2)
from 2.5.0 to 2.5.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/netplex/json-smart-v2/releases">net.minidev:accessors-smart's
releases</a>.</em></p>
<blockquote>
<h2>V 2.5.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump junit.version from 5.9.3 to 5.10.0 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/158">netplex/json-smart-v2#158</a></li>
<li>Bump junit.version from 5.9.3 to 5.10.0 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/157">netplex/json-smart-v2#157</a></li>
<li>Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.5.0 to
3.6.2 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/166">netplex/json-smart-v2#166</a></li>
<li>Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.5.0 to
3.6.2 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/165">netplex/json-smart-v2#165</a></li>
<li>Bump junit.version from 5.10.0 to 5.10.1 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/164">netplex/json-smart-v2#164</a></li>
<li>Bump junit.version from 5.10.0 to 5.10.1 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/163">netplex/json-smart-v2#163</a></li>
<li>chore: Update github id from Shoothzj to shoothzj by <a
href="https://github.com/shoothzj"><code>@​shoothzj</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/168">netplex/json-smart-v2#168</a></li>
<li>Bump asm version from 9.3 to 9.6 by <a
href="https://github.com/shoothzj"><code>@​shoothzj</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/167">netplex/json-smart-v2#167</a></li>
<li>Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.2 to
3.6.3 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/169">netplex/json-smart-v2#169</a></li>
<li>Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.2 to
3.6.3 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/170">netplex/json-smart-v2#170</a></li>
<li>Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to
3.12.0 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/172">netplex/json-smart-v2#172</a></li>
<li>Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to
3.12.0 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/171">netplex/json-smart-v2#171</a></li>
<li>Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.0 to
3.12.1 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/174">netplex/json-smart-v2#174</a></li>
<li>Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.0 to
3.12.1 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/173">netplex/json-smart-v2#173</a></li>
<li>Fix OSGi import package version for net.minidev.asm. by <a
href="https://github.com/msqr"><code>@​msqr</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/180">netplex/json-smart-v2#180</a></li>
<li>Bump junit.version from 5.10.1 to 5.10.2 in /json-smart-action by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/179">netplex/json-smart-v2#179</a></li>
<li>Bump junit.version from 5.10.1 to 5.10.2 in /json-smart by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/178">netplex/json-smart-v2#178</a></li>
<li>Bump version from 2.5.0 to 2.5.1 by <a
href="https://github.com/shoothzj"><code>@​shoothzj</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/181">netplex/json-smart-v2#181</a></li>
<li>docs: add change log for version 2.5.1 by <a
href="https://github.com/shoothzj"><code>@​shoothzj</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/182">netplex/json-smart-v2#182</a></li>
<li>Update 2024 by <a
href="https://github.com/UrielCh"><code>@​UrielCh</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/183">netplex/json-smart-v2#183</a></li>
<li>add somme doc to remove deployement warnings by <a
href="https://github.com/UrielCh"><code>@​UrielCh</code></a> in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/184">netplex/json-smart-v2#184</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/msqr"><code>@​msqr</code></a> made their
first contribution in <a
href="https://redirect.github.com/netplex/json-smart-v2/pull/180">netplex/json-smart-v2#180</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/netplex/json-smart-v2/compare/2.5.0...2.5.1">https://github.com/netplex/json-smart-v2/compare/2.5.0...2.5.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/8346cf476ae583ab13d9e69360c3f095c2cdfed0"><code>8346cf4</code></a>
add somme doc to remove deployement warnings (<a
href="https://redirect.github.com/netplex/json-smart-v2/issues/184">#184</a>)</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/def22d8e6e6f744deea11e8b37edf4b276a1abd6"><code>def22d8</code></a>
add some jsdoc</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/123e907aade32d819f7f964739c7e367d305f0f8"><code>123e907</code></a>
add jsdoc</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/e62420efabc344cf9986cd8aa940d7e4e203d6a3"><code>e62420e</code></a>
rollback KEY 53BE126D</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/dfe974fbcb072f71b96abeb327fef828af8834e2"><code>dfe974f</code></a>
Merge pull request <a
href="https://redirect.github.com/netplex/json-smart-v2/issues/183">#183</a>
from netplex/update2024</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/a7547259e6445b370b59533e7948fd65365e69af"><code>a754725</code></a>
Test JDK 16</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/24e8ffd3448d40014ced8cbba370339f9b0ced20"><code>24e8ffd</code></a>
restor Test JAPAN for java 8</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/c30be8ed248ddb1512f76b19ced05a9c0c75792b"><code>c30be8e</code></a>
add new space in tests</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/6e8eeb87987e678ccf9b6d6e7b2b1d7df8da9553"><code>6e8eeb8</code></a>
ignore testDateJAPAN for JDK 8</li>
<li><a
href="https://github.com/netplex/json-smart-v2/commit/5bcf9ece87d5792bc89a496317f03db90b655a8b"><code>5bcf9ec</code></a>
update test</li>
<li>Additional commits viewable in <a
href="https://github.com/netplex/json-smart-v2/compare/2.5.0...2.5.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=net.minidev:accessors-smart&package-manager=gradle&previous-version=2.5.0&new-version=2.5.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 97b4409c13..187f0483bf 100644
--- a/build.gradle
+++ b/build.gradle
@@ -599,7 +599,7 @@ dependencies {
 
     implementation "org.apache.kafka:kafka-clients:${kafka_version}"
 
-    runtimeOnly 'net.minidev:accessors-smart:2.5.0'
+    runtimeOnly 'net.minidev:accessors-smart:2.5.1'
 
     runtimeOnly "org.apache.cxf:cxf-core:${apache_cxf_version}"
     implementation "org.apache.cxf:cxf-rt-rs-json-basic:${apache_cxf_version}"

From c64d0aa66654e43886377c648811d07d0840af9b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Mar 2024 16:19:19 +0000
Subject: [PATCH 093/143] Bump org.ow2.asm:asm from 9.6 to 9.7 (#4164)

Bumps org.ow2.asm:asm from 9.6 to 9.7.


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.ow2.asm:asm&package-manager=gradle&previous-version=9.6&new-version=9.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 187f0483bf..ea392a8eac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -612,7 +612,7 @@ dependencies {
     compileOnly 'com.google.errorprone:error_prone_annotations:2.26.1'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
-    runtimeOnly 'org.ow2.asm:asm:9.6'
+    runtimeOnly 'org.ow2.asm:asm:9.7'
 
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'
 

From a731e62f8a52420645473c8279081ae46bfb86b2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Mar 2024 18:06:33 +0100
Subject: [PATCH 094/143] Bump Wandalen/wretry.action from 1.4.10 to 2.1.0
 (#4165)

Bumps
[Wandalen/wretry.action](https://github.com/wandalen/wretry.action) from
1.4.10 to 2.1.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/f062299947903c6e425ff67d6a93f52066e4ee1c"><code>f062299</code></a>
version 2.1.0</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/19008142d64d4f21bc1dc5e08afe27cbfd45434b"><code>1900814</code></a>
Merge pull request <a
href="https://redirect.github.com/wandalen/wretry.action/issues/144">#144</a>
from dmvict/master</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/1903bdeb25dcc917d9991188b8e1daef7a1f9883"><code>1903bde</code></a>
Extend action, add option <code>github_token</code> to work with private
actions</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/4ca71ac27896a6670a57267cf3ddec528278c86f"><code>4ca71ac</code></a>
version 2.0.0</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/aa380708d0b1fbe4021d1fbf35ac329b248a9395"><code>aa38070</code></a>
Merge pull request <a
href="https://redirect.github.com/wandalen/wretry.action/issues/142">#142</a>
from dmvict/master</li>
<li><a
href="https://github.com/Wandalen/wretry.action/commit/86e0a3a7c120f18a92e0cb8b0e4bc3750ccf4337"><code>86e0a3a</code></a>
Improve <code>Readme.md</code>, fix some mistakes, add comments</li>
<li>See full diff in <a
href="https://github.com/wandalen/wretry.action/compare/v1.4.10...v2.1.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Wandalen/wretry.action&package-manager=github_actions&previous-version=1.4.10&new-version=2.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0595106ce7..68e966f56e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v1.4.10
+        uses: Wandalen/wretry.action@v2.1.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

From e2a06f001154d558c4c717c2a2bc54b9f57d1654 Mon Sep 17 00:00:00 2001
From: Andriy Redko <andriy.redko@aiven.io>
Date: Tue, 26 Mar 2024 15:24:51 -0400
Subject: [PATCH 095/143] Switch to built-in security transports from core
 (#4119)

### Description
The security plugin does not need to provide the secure transports
anymore but SecureSettingsFactory so the core transport modules will be
able to configure those.

### Issues Resolved
Closes https://github.com/opensearch-project/security/issues/4118

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration
testing and manual testing]

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
---
 .../security/OpenSearchSecurityPlugin.java    |  47 ++-
 .../security/filter/SecurityRestFilter.java   |   8 +-
 ...rt.java => NonSslHttpServerTransport.java} |   8 +-
 ...rt.java => SecureHttpServerTransport.java} |  35 +-
 .../ssl/OpenSearchSecureSettingsFactory.java  |  74 +++++
 .../ssl/OpenSearchSecuritySSLPlugin.java      | 126 +++++--
 .../netty/Netty4ConditionalDecompressor.java  |   4 +-
 .../Netty4HttpRequestHeaderVerifier.java      |  10 +-
 .../SecuritySSLNettyHttpServerTransport.java  | 168 ----------
 .../ssl/transport/DualModeSSLHandler.java     |  89 -----
 .../transport/SecuritySSLNettyTransport.java  | 308 ------------------
 .../ssl/OpenSearchSecuritySSLPluginTest.java  | 246 ++++++++++++++
 .../transport/DualModeSSLHandlerTests.java    | 120 -------
 .../SecuritySSLNettyTransportTests.java       | 201 ------------
 14 files changed, 487 insertions(+), 957 deletions(-)
 rename src/main/java/org/opensearch/security/http/{SecurityNonSslHttpServerTransport.java => NonSslHttpServerTransport.java} (90%)
 rename src/main/java/org/opensearch/security/http/{SecurityHttpServerTransport.java => SecureHttpServerTransport.java} (74%)
 create mode 100644 src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
 delete mode 100644 src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
 delete mode 100644 src/main/java/org/opensearch/security/ssl/transport/DualModeSSLHandler.java
 delete mode 100644 src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
 create mode 100644 src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
 delete mode 100644 src/test/java/org/opensearch/security/ssl/transport/DualModeSSLHandlerTests.java
 delete mode 100644 src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 688b797e85..ac32da1d1b 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -46,6 +46,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.BiFunction;
@@ -114,6 +115,8 @@
 import org.opensearch.plugins.ExtensionAwarePlugin;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
+import org.opensearch.plugins.SecureSettingsFactory;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestHandler;
@@ -150,8 +153,8 @@
 import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.http.SecurityHttpServerTransport;
-import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
+import org.opensearch.security.http.NonSslHttpServerTransport;
+import org.opensearch.security.http.SecureHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.identity.SecurityTokenManager;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
@@ -167,11 +170,11 @@
 import org.opensearch.security.securityconf.DynamicConfigFactory;
 import org.opensearch.security.setting.OpensearchDynamicSetting;
 import org.opensearch.security.setting.TransportPassiveAuthSetting;
+import org.opensearch.security.ssl.OpenSearchSecureSettingsFactory;
 import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
-import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.GuardedSearchOperationWrapper;
@@ -199,6 +202,7 @@
 import org.opensearch.transport.TransportRequestOptions;
 import org.opensearch.transport.TransportResponseHandler;
 import org.opensearch.transport.TransportService;
+import org.opensearch.transport.netty4.ssl.SecureNetty4Transport;
 import org.opensearch.watcher.ResourceWatcherService;
 
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
@@ -858,25 +862,27 @@ public <T extends TransportResponse> void sendRequest(
     }
 
     @Override
-    public Map<String, Supplier<Transport>> getTransports(
+    public Map<String, Supplier<Transport>> getSecureTransports(
         Settings settings,
         ThreadPool threadPool,
         PageCacheRecycler pageCacheRecycler,
         CircuitBreakerService circuitBreakerService,
         NamedWriteableRegistry namedWriteableRegistry,
         NetworkService networkService,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
         Map<String, Supplier<Transport>> transports = new HashMap<String, Supplier<Transport>>();
 
         if (SSLConfig.isSslOnlyMode()) {
-            return super.getTransports(
+            return super.getSecureTransports(
                 settings,
                 threadPool,
                 pageCacheRecycler,
                 circuitBreakerService,
                 namedWriteableRegistry,
                 networkService,
+                secureTransportSettingsProvider,
                 tracer
             );
         }
@@ -884,18 +890,16 @@ public Map<String, Supplier<Transport>> getTransports(
         if (transportSSLEnabled) {
             transports.put(
                 "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
-                () -> new SecuritySSLNettyTransport(
-                    settings,
+                () -> new SecureNetty4Transport(
+                    migrateSettings(settings),
                     Version.CURRENT,
                     threadPool,
                     networkService,
                     pageCacheRecycler,
                     namedWriteableRegistry,
                     circuitBreakerService,
-                    sks,
-                    evaluateSslExceptionHandler(),
                     sharedGroupFactory,
-                    SSLConfig,
+                    secureTransportSettingsProvider,
                     tracer
                 )
             );
@@ -904,7 +908,7 @@ public Map<String, Supplier<Transport>> getTransports(
     }
 
     @Override
-    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
+    public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
         Settings settings,
         ThreadPool threadPool,
         BigArrays bigArrays,
@@ -914,11 +918,12 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NetworkService networkService,
         Dispatcher dispatcher,
         ClusterSettings clusterSettings,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
 
         if (SSLConfig.isSslOnlyMode()) {
-            return super.getHttpTransports(
+            return super.getSecureHttpTransports(
                 settings,
                 threadPool,
                 bigArrays,
@@ -928,6 +933,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 networkService,
                 dispatcher,
                 clusterSettings,
+                secureTransportSettingsProvider,
                 tracer
             );
         }
@@ -943,17 +949,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                     evaluateSslExceptionHandler()
                 );
                 // TODO close odshst
-                final SecurityHttpServerTransport odshst = new SecurityHttpServerTransport(
-                    settings,
+                final SecureHttpServerTransport odshst = new SecureHttpServerTransport(
+                    migrateSettings(settings),
                     networkService,
                     bigArrays,
                     threadPool,
-                    sks,
-                    evaluateSslExceptionHandler(),
                     xContentRegistry,
                     validatingDispatcher,
                     clusterSettings,
                     sharedGroupFactory,
+                    secureTransportSettingsProvider,
                     tracer,
                     securityRestHandler
                 );
@@ -962,8 +967,8 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
             } else if (!client) {
                 return Collections.singletonMap(
                     "org.opensearch.security.http.SecurityHttpServerTransport",
-                    () -> new SecurityNonSslHttpServerTransport(
-                        settings,
+                    () -> new NonSslHttpServerTransport(
+                        migrateSettings(settings),
                         networkService,
                         bigArrays,
                         threadPool,
@@ -971,6 +976,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                         dispatcher,
                         clusterSettings,
                         sharedGroupFactory,
+                        secureTransportSettingsProvider,
                         tracer,
                         securityRestHandler
                     )
@@ -2005,6 +2011,11 @@ public SecurityTokenManager getTokenManager() {
         return tokenManager;
     }
 
+    @Override
+    public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
+        return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, sslExceptionHandler));
+    }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index b649b8d71f..8ccaa3041c 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -69,10 +69,10 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.opensearch.security.http.SecurityHttpServerTransport.CONTEXT_TO_RESTORE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
-import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
+import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
+import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
+import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
+import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;
 
 public class SecurityRestFilter {
 
diff --git a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java b/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
similarity index 90%
rename from src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
rename to src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
index f37ebb48e8..c97d872aca 100644
--- a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
@@ -33,6 +33,8 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.http.HttpHandlingSettings;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
@@ -44,11 +46,11 @@
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelInboundHandlerAdapter;
 
-public class SecurityNonSslHttpServerTransport extends Netty4HttpServerTransport {
+public class NonSslHttpServerTransport extends SecureNetty4HttpServerTransport {
 
     private final ChannelInboundHandlerAdapter headerVerifier;
 
-    public SecurityNonSslHttpServerTransport(
+    public NonSslHttpServerTransport(
         final Settings settings,
         final NetworkService networkService,
         final BigArrays bigArrays,
@@ -57,6 +59,7 @@ public SecurityNonSslHttpServerTransport(
         final Dispatcher dispatcher,
         final ClusterSettings clusterSettings,
         final SharedGroupFactory sharedGroupFactory,
+        final SecureTransportSettingsProvider secureTransportSettingsProvider,
         final Tracer tracer,
         final SecurityRestFilter restFilter
     ) {
@@ -69,6 +72,7 @@ public SecurityNonSslHttpServerTransport(
             dispatcher,
             clusterSettings,
             sharedGroupFactory,
+            secureTransportSettingsProvider,
             tracer
         );
         headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
diff --git a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java
similarity index 74%
rename from src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
rename to src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java
index eb75f898f4..170f39ffd6 100644
--- a/src/main/java/org/opensearch/security/http/SecurityHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java
@@ -34,19 +34,21 @@
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.security.filter.SecurityResponse;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
+import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
+import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
+import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.util.AttributeKey;
 
-public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTransport {
+public class SecureHttpServerTransport extends SecureNetty4HttpServerTransport {
 
     public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
     public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
@@ -56,17 +58,18 @@ public class SecurityHttpServerTransport extends SecuritySSLNettyHttpServerTrans
     public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
     public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");
 
-    public SecurityHttpServerTransport(
+    private final ChannelInboundHandlerAdapter headerVerifier;
+
+    public SecureHttpServerTransport(
         final Settings settings,
         final NetworkService networkService,
         final BigArrays bigArrays,
         final ThreadPool threadPool,
-        final SecurityKeyStore odsks,
-        final SslExceptionHandler sslExceptionHandler,
         final NamedXContentRegistry namedXContentRegistry,
         final ValidatingDispatcher dispatcher,
         final ClusterSettings clusterSettings,
         SharedGroupFactory sharedGroupFactory,
+        final SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer,
         SecurityRestFilter restFilter
     ) {
@@ -75,14 +78,24 @@ public SecurityHttpServerTransport(
             networkService,
             bigArrays,
             threadPool,
-            odsks,
             namedXContentRegistry,
             dispatcher,
-            sslExceptionHandler,
             clusterSettings,
             sharedGroupFactory,
-            tracer,
-            restFilter
+            secureTransportSettingsProvider,
+            tracer
         );
+
+        headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
+    }
+
+    @Override
+    protected ChannelInboundHandlerAdapter createHeaderVerifier() {
+        return headerVerifier;
+    }
+
+    @Override
+    protected ChannelInboundHandlerAdapter createDecompressor() {
+        return new Netty4ConditionalDecompressor();
     }
 }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
new file mode 100644
index 0000000000..d85f490d0c
--- /dev/null
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
@@ -0,0 +1,74 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl;
+
+import java.util.Optional;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
+import org.opensearch.common.settings.Settings;
+import org.opensearch.http.HttpServerTransport;
+import org.opensearch.plugins.SecureSettingsFactory;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.transport.TcpTransport;
+
+public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
+    private final Settings settings;
+    private final SecurityKeyStore sks;
+    private final SslExceptionHandler sslExceptionHandler;
+
+    public OpenSearchSecureSettingsFactory(Settings settings, SecurityKeyStore sks, SslExceptionHandler sslExceptionHandler) {
+        this.settings = settings;
+        this.sks = sks;
+        this.sslExceptionHandler = sslExceptionHandler;
+    }
+
+    @Override
+    public Optional<SecureTransportSettingsProvider> getSecureTransportSettingsProvider(Settings settings) {
+        return Optional.of(new SecureTransportSettingsProvider() {
+            @Override
+            public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+                return Optional.of(new ServerExceptionHandler() {
+                    @Override
+                    public void onError(Throwable t) {
+                        sslExceptionHandler.logError(t, true);
+                    }
+                });
+            }
+
+            @Override
+            public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
+                return Optional.of(new ServerExceptionHandler() {
+                    @Override
+                    public void onError(Throwable t) {
+                        sslExceptionHandler.logError(t, false);
+                    }
+                });
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+                return Optional.of(sks.createHTTPSSLEngine());
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
+                return Optional.of(sks.createServerTransportSSLEngine());
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
+                return Optional.of(sks.createClientTransportSSLEngine(hostname, port));
+            }
+        });
+    }
+}
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index e6e4e85b33..3acbce21cf 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -27,6 +27,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.function.Function;
 import java.util.function.Supplier;
 
@@ -62,6 +63,8 @@
 import org.opensearch.http.HttpServerTransport.Dispatcher;
 import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SecureSettingsFactory;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.plugins.SystemIndexPlugin;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
@@ -70,20 +73,21 @@
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.NonValidatingObjectMapper;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport;
+import org.opensearch.security.http.SecureHttpServerTransport;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.security.ssl.rest.SecuritySSLInfoAction;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.security.ssl.transport.SSLConfig;
-import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.transport.SecuritySSLTransportInterceptor;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.security.support.SecuritySettings;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 import org.opensearch.transport.Transport;
 import org.opensearch.transport.TransportInterceptor;
+import org.opensearch.transport.netty4.ssl.SecureNetty4Transport;
 import org.opensearch.watcher.ResourceWatcherService;
 
 import io.netty.handler.ssl.OpenSsl;
@@ -91,6 +95,21 @@
 
 //For ES5 this class has only effect when SSL only plugin is installed
 public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPlugin, NetworkPlugin {
+    private static final Setting<Boolean> SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = Setting.boolSetting(
+        SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
+        true,
+        Property.NodeScope,
+        Property.Filtered,
+        Property.Deprecated
+    );
+
+    private static final Setting<Boolean> SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = Setting.boolSetting(
+        SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME,
+        true,
+        Property.NodeScope,
+        Property.Filtered,
+        Property.Deprecated
+    );
 
     private static boolean USE_NETTY_DEFAULT_ALLOCATOR = Booleans.parseBoolean(
         System.getProperty("opensearch.unsafe.use_netty_default_allocator"),
@@ -237,7 +256,7 @@ public Object run() {
     }
 
     @Override
-    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
+    public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
         Settings settings,
         ThreadPool threadPool,
         BigArrays bigArrays,
@@ -247,6 +266,7 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
         NetworkService networkService,
         Dispatcher dispatcher,
         ClusterSettings clusterSettings,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
 
@@ -259,17 +279,16 @@ public Map<String, Supplier<HttpServerTransport>> getHttpTransports(
                 configPath,
                 NOOP_SSL_EXCEPTION_HANDLER
             );
-            final SecuritySSLNettyHttpServerTransport sgsnht = new SecuritySSLNettyHttpServerTransport(
-                settings,
+            final SecureHttpServerTransport sgsnht = new SecureHttpServerTransport(
+                migrateSettings(settings),
                 networkService,
                 bigArrays,
                 threadPool,
-                sks,
                 xContentRegistry,
                 validatingDispatcher,
-                NOOP_SSL_EXCEPTION_HANDLER,
                 clusterSettings,
                 sharedGroupFactory,
+                secureTransportSettingsProvider,
                 tracer,
                 securityRestHandler
             );
@@ -313,13 +332,14 @@ public List<TransportInterceptor> getTransportInterceptors(NamedWriteableRegistr
     }
 
     @Override
-    public Map<String, Supplier<Transport>> getTransports(
+    public Map<String, Supplier<Transport>> getSecureTransports(
         Settings settings,
         ThreadPool threadPool,
         PageCacheRecycler pageCacheRecycler,
         CircuitBreakerService circuitBreakerService,
         NamedWriteableRegistry namedWriteableRegistry,
         NetworkService networkService,
+        SecureTransportSettingsProvider secureTransportSettingsProvider,
         Tracer tracer
     ) {
 
@@ -327,18 +347,16 @@ public Map<String, Supplier<Transport>> getTransports(
         if (transportSSLEnabled) {
             transports.put(
                 "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport",
-                () -> new SecuritySSLNettyTransport(
-                    settings,
+                () -> new SecureNetty4Transport(
+                    migrateSettings(settings),
                     Version.CURRENT,
                     threadPool,
                     networkService,
                     pageCacheRecycler,
                     namedWriteableRegistry,
                     circuitBreakerService,
-                    sks,
-                    NOOP_SSL_EXCEPTION_HANDLER,
                     sharedGroupFactory,
-                    SSLConfig,
+                    secureTransportSettingsProvider,
                     tracer
                 )
             );
@@ -436,22 +454,13 @@ public List<Setting<?>> getSettings() {
                 Property.Filtered
             )
         );
-        settings.add(
-            Setting.boolSetting(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
-                true,
-                Property.NodeScope,
-                Property.Filtered
-            )
-        );
-        settings.add(
-            Setting.boolSetting(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME,
-                true,
-                Property.NodeScope,
-                Property.Filtered
-            )
-        );
+        if (!settings.stream().anyMatch(s -> s.getKey().equalsIgnoreCase(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY))) {
+            settings.add(SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION);
+        }
+        if (!settings.stream()
+            .anyMatch(s -> s.getKey().equalsIgnoreCase(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY))) {
+            settings.add(SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME);
+        }
         settings.add(
             Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered)
         );
@@ -664,4 +673,63 @@ public List<String> getSettingsFilter() {
         settingsFilter.add("plugins.security.*");
         return settingsFilter;
     }
+
+    @Override
+    public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
+        return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, NOOP_SSL_EXCEPTION_HANDLER));
+    }
+
+    protected Settings migrateSettings(Settings settings) {
+        final Settings.Builder builder = Settings.builder().put(settings);
+
+        if (!NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED.exists(settings)) {
+            builder.put(NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY, SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings));
+        } else {
+            if (SecuritySettings.SSL_DUAL_MODE_SETTING.exists(settings)) {
+                throw new OpenSearchException(
+                    "Only one of the settings ["
+                        + NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY
+                        + ", "
+                        + SecuritySettings.SSL_DUAL_MODE_SETTING.getKey()
+                        + " (deprecated)] could be specified but not both"
+                );
+            }
+        }
+
+        if (!NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.exists(settings)) {
+            builder.put(
+                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY,
+                SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(settings)
+            );
+        } else {
+            if (SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.exists(settings)) {
+                throw new OpenSearchException(
+                    "Only one of the settings ["
+                        + NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY
+                        + ", "
+                        + SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.getKey()
+                        + " (deprecated)] could be specified but not both"
+                );
+            }
+        }
+
+        if (!NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.exists(settings)) {
+            builder.put(
+                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY,
+                SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.get(settings)
+            );
+        } else {
+            if (SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.exists(settings)) {
+                throw new OpenSearchException(
+                    "Only one of the settings ["
+                        + NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
+                        + ", "
+                        + SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.getKey()
+                        + " (deprecated)] could be specified but not both"
+                );
+            }
+        }
+
+        return builder.build();
+    }
 }
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
index f133d997f9..8b2d4bb1d2 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
@@ -13,8 +13,8 @@
 import io.netty.channel.embedded.EmbeddedChannel;
 import io.netty.handler.codec.http.HttpContentDecompressor;
 
-import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.SHOULD_DECOMPRESS;
+import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
+import static org.opensearch.security.http.SecureHttpServerTransport.SHOULD_DECOMPRESS;
 
 public class Netty4ConditionalDecompressor extends HttpContentDecompressor {
 
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
index e6dec0c213..052f1961e2 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
@@ -32,11 +32,11 @@
 import io.netty.handler.codec.http.HttpRequest;
 import io.netty.util.ReferenceCountUtil;
 
-import static org.opensearch.security.http.SecurityHttpServerTransport.CONTEXT_TO_RESTORE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecurityHttpServerTransport.IS_AUTHENTICATED;
-import static org.opensearch.security.http.SecurityHttpServerTransport.SHOULD_DECOMPRESS;
-import static org.opensearch.security.http.SecurityHttpServerTransport.UNCONSUMED_PARAMS;
+import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
+import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
+import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
+import static org.opensearch.security.http.SecureHttpServerTransport.SHOULD_DECOMPRESS;
+import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;
 
 @Sharable
 public class Netty4HttpRequestHeaderVerifier extends SimpleChannelInboundHandler<DefaultHttpRequest> {
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
deleted file mode 100644
index fc2f31b2b0..0000000000
--- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright 2015-2017 floragunn GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package org.opensearch.security.ssl.http.netty;
-
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.ClusterSettings;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.BigArrays;
-import org.opensearch.core.xcontent.NamedXContentRegistry;
-import org.opensearch.http.HttpChannel;
-import org.opensearch.http.HttpHandlingSettings;
-import org.opensearch.http.netty4.Netty4HttpChannel;
-import org.opensearch.http.netty4.Netty4HttpServerTransport;
-import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.telemetry.tracing.Tracer;
-import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.SharedGroupFactory;
-
-import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelInboundHandlerAdapter;
-import io.netty.handler.codec.DecoderException;
-import io.netty.handler.ssl.ApplicationProtocolNames;
-import io.netty.handler.ssl.ApplicationProtocolNegotiationHandler;
-import io.netty.handler.ssl.SslHandler;
-
-public class SecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport {
-    private static final Logger logger = LogManager.getLogger(SecuritySSLNettyHttpServerTransport.class);
-    private final SecurityKeyStore sks;
-    private final SslExceptionHandler errorHandler;
-    private final ChannelInboundHandlerAdapter headerVerifier;
-
-    public SecuritySSLNettyHttpServerTransport(
-        final Settings settings,
-        final NetworkService networkService,
-        final BigArrays bigArrays,
-        final ThreadPool threadPool,
-        final SecurityKeyStore sks,
-        final NamedXContentRegistry namedXContentRegistry,
-        final ValidatingDispatcher dispatcher,
-        final SslExceptionHandler errorHandler,
-        ClusterSettings clusterSettings,
-        SharedGroupFactory sharedGroupFactory,
-        Tracer tracer,
-        SecurityRestFilter restFilter
-    ) {
-        super(
-            settings,
-            networkService,
-            bigArrays,
-            threadPool,
-            namedXContentRegistry,
-            dispatcher,
-            clusterSettings,
-            sharedGroupFactory,
-            tracer
-        );
-        this.sks = sks;
-        this.errorHandler = errorHandler;
-        headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
-    }
-
-    @Override
-    public ChannelHandler configureServerChannelHandler() {
-        return new SSLHttpChannelHandler(this, handlingSettings, sks);
-    }
-
-    @Override
-    public void onException(HttpChannel channel, Exception cause0) {
-        Throwable cause = cause0;
-
-        if (cause0 instanceof DecoderException && cause0 != null) {
-            cause = cause0.getCause();
-        }
-
-        errorHandler.logError(cause, true);
-        logger.error("Exception during establishing a SSL connection: " + cause, cause);
-
-        super.onException(channel, cause0);
-    }
-
-    protected class SSLHttpChannelHandler extends Netty4HttpServerTransport.HttpChannelHandler {
-        /**
-         * Application negotiation handler to select either HTTP 1.1 or HTTP 2 protocol, based
-         * on client/server ALPN negotiations.
-         */
-        private class Http2OrHttpHandler extends ApplicationProtocolNegotiationHandler {
-            protected Http2OrHttpHandler() {
-                super(ApplicationProtocolNames.HTTP_1_1);
-            }
-
-            @Override
-            protected void configurePipeline(ChannelHandlerContext ctx, String protocol) throws Exception {
-                if (ApplicationProtocolNames.HTTP_2.equals(protocol)) {
-                    configureDefaultHttp2Pipeline(ctx.pipeline());
-                } else if (ApplicationProtocolNames.HTTP_1_1.equals(protocol)) {
-                    configureDefaultHttpPipeline(ctx.pipeline());
-                } else {
-                    throw new IllegalStateException("Unknown application protocol: " + protocol);
-                }
-            }
-
-            @Override
-            public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
-                super.exceptionCaught(ctx, cause);
-                Netty4HttpChannel channel = ctx.channel().attr(HTTP_CHANNEL_KEY).get();
-                if (channel != null) {
-                    if (cause instanceof Error) {
-                        onException(channel, new Exception(cause));
-                    } else {
-                        onException(channel, (Exception) cause);
-                    }
-                }
-            }
-        }
-
-        protected SSLHttpChannelHandler(
-            Netty4HttpServerTransport transport,
-            final HttpHandlingSettings handlingSettings,
-            final SecurityKeyStore odsks
-        ) {
-            super(transport, handlingSettings);
-        }
-
-        @Override
-        protected void initChannel(Channel ch) throws Exception {
-            super.initChannel(ch);
-            final SslHandler sslHandler = new SslHandler(SecuritySSLNettyHttpServerTransport.this.sks.createHTTPSSLEngine());
-            ch.pipeline().addFirst("ssl_http", sslHandler);
-        }
-
-        @Override
-        protected void configurePipeline(Channel ch) {
-            ch.pipeline().addLast(new Http2OrHttpHandler());
-        }
-    }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createHeaderVerifier() {
-        return headerVerifier;
-    }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createDecompressor() {
-        return new Netty4ConditionalDecompressor();
-    }
-}
diff --git a/src/main/java/org/opensearch/security/ssl/transport/DualModeSSLHandler.java b/src/main/java/org/opensearch/security/ssl/transport/DualModeSSLHandler.java
deleted file mode 100644
index a7961f864b..0000000000
--- a/src/main/java/org/opensearch/security/ssl/transport/DualModeSSLHandler.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-package org.opensearch.security.ssl.transport;
-
-import java.nio.charset.StandardCharsets;
-import java.util.List;
-import javax.net.ssl.SSLException;
-
-import com.google.common.annotations.VisibleForTesting;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.util.SSLConnectionTestUtil;
-import org.opensearch.security.ssl.util.TLSUtil;
-
-import io.netty.buffer.ByteBuf;
-import io.netty.buffer.Unpooled;
-import io.netty.channel.ChannelFutureListener;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelPipeline;
-import io.netty.handler.codec.ByteToMessageDecoder;
-import io.netty.handler.ssl.SslHandler;
-
-/**
- * Modifies the current pipeline dynamically to enable TLS
- */
-public class DualModeSSLHandler extends ByteToMessageDecoder {
-
-    private static final Logger logger = LogManager.getLogger(DualModeSSLHandler.class);
-    private final SecurityKeyStore securityKeyStore;
-
-    private final SslHandler providedSSLHandler;
-
-    public DualModeSSLHandler(SecurityKeyStore securityKeyStore) {
-        this(securityKeyStore, null);
-    }
-
-    @VisibleForTesting
-    protected DualModeSSLHandler(SecurityKeyStore securityKeyStore, SslHandler providedSSLHandler) {
-        this.securityKeyStore = securityKeyStore;
-        this.providedSSLHandler = providedSSLHandler;
-    }
-
-    @Override
-    protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) throws Exception {
-        // Will use the first six bytes to detect a protocol.
-        if (in.readableBytes() < 6) {
-            return;
-        }
-        int offset = in.readerIndex();
-        if (in.getCharSequence(offset, 6, StandardCharsets.UTF_8).equals(SSLConnectionTestUtil.DUAL_MODE_CLIENT_HELLO_MSG)) {
-            logger.debug("Received DualSSL Client Hello message");
-            ByteBuf responseBuffer = Unpooled.buffer(6);
-            responseBuffer.writeCharSequence(SSLConnectionTestUtil.DUAL_MODE_SERVER_HELLO_MSG, StandardCharsets.UTF_8);
-            ctx.writeAndFlush(responseBuffer).addListener(ChannelFutureListener.CLOSE);
-            return;
-        }
-
-        if (TLSUtil.isTLS(in)) {
-            logger.debug("Identified request as SSL request");
-            enableSsl(ctx);
-        } else {
-            logger.debug("Identified request as non SSL request, running in HTTP mode as dual mode is enabled");
-            ctx.pipeline().remove(this);
-        }
-    }
-
-    private void enableSsl(ChannelHandlerContext ctx) throws SSLException {
-        SslHandler sslHandler;
-        if (providedSSLHandler != null) {
-            sslHandler = providedSSLHandler;
-        } else {
-            sslHandler = new SslHandler(securityKeyStore.createServerTransportSSLEngine());
-        }
-        ChannelPipeline p = ctx.pipeline();
-        p.addAfter("port_unification_handler", "ssl_server", sslHandler);
-        p.remove(this);
-        logger.debug("Removed port unification handler and added SSL handler as incoming request is SSL");
-    }
-}
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
deleted file mode 100644
index 5be3424528..0000000000
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Copyright 2015-2017 floragunn GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.ssl.transport;
-
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLException;
-
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import org.opensearch.ExceptionsHelper;
-import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.Version;
-import org.opensearch.cluster.node.DiscoveryNode;
-import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.PageCacheRecycler;
-import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
-import org.opensearch.core.indices.breaker.CircuitBreakerService;
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.security.ssl.util.SSLConfigConstants;
-import org.opensearch.security.ssl.util.SSLConnectionTestResult;
-import org.opensearch.security.ssl.util.SSLConnectionTestUtil;
-import org.opensearch.telemetry.tracing.Tracer;
-import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.SharedGroupFactory;
-import org.opensearch.transport.TcpChannel;
-import org.opensearch.transport.netty4.Netty4Transport;
-
-import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelOutboundHandlerAdapter;
-import io.netty.channel.ChannelPromise;
-import io.netty.handler.codec.DecoderException;
-import io.netty.handler.ssl.SslHandler;
-
-public class SecuritySSLNettyTransport extends Netty4Transport {
-
-    private static final Logger logger = LogManager.getLogger(SecuritySSLNettyTransport.class);
-    private final SecurityKeyStore ossks;
-    private final SslExceptionHandler errorHandler;
-    private final SSLConfig SSLConfig;
-
-    public SecuritySSLNettyTransport(
-        final Settings settings,
-        final Version version,
-        final ThreadPool threadPool,
-        final NetworkService networkService,
-        final PageCacheRecycler pageCacheRecycler,
-        final NamedWriteableRegistry namedWriteableRegistry,
-        final CircuitBreakerService circuitBreakerService,
-        final SecurityKeyStore ossks,
-        final SslExceptionHandler errorHandler,
-        SharedGroupFactory sharedGroupFactory,
-        final SSLConfig SSLConfig,
-        final Tracer tracer
-    ) {
-        super(
-            settings,
-            version,
-            threadPool,
-            networkService,
-            pageCacheRecycler,
-            namedWriteableRegistry,
-            circuitBreakerService,
-            sharedGroupFactory,
-            tracer
-        );
-
-        this.ossks = ossks;
-        this.errorHandler = errorHandler;
-        this.SSLConfig = SSLConfig;
-    }
-
-    // This allows for testing log messages
-    Logger getLogger() {
-        return logger;
-    }
-
-    @Override
-    public void onException(TcpChannel channel, Exception e) {
-
-        Throwable cause = e;
-
-        if (e instanceof DecoderException && e != null) {
-            cause = e.getCause();
-        }
-
-        errorHandler.logError(cause, false);
-        getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
-
-        if (channel == null || !channel.isOpen()) {
-            throw new OpenSearchSecurityException("The provided TCP channel is invalid.", e);
-        }
-        super.onException(channel, e);
-    }
-
-    @Override
-    protected ChannelHandler getServerChannelInitializer(String name) {
-        return new SSLServerChannelInitializer(name);
-    }
-
-    @Override
-    protected ChannelHandler getClientChannelInitializer(DiscoveryNode node) {
-        return new SSLClientChannelInitializer(node);
-    }
-
-    protected class SSLServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
-
-        public SSLServerChannelInitializer(String name) {
-            super(name);
-        }
-
-        @Override
-        protected void initChannel(Channel ch) throws Exception {
-            super.initChannel(ch);
-
-            boolean dualModeEnabled = SSLConfig.isDualModeEnabled();
-            if (dualModeEnabled) {
-                logger.info("SSL Dual mode enabled, using port unification handler");
-                final ChannelHandler portUnificationHandler = new DualModeSSLHandler(ossks);
-                ch.pipeline().addFirst("port_unification_handler", portUnificationHandler);
-            } else {
-                final SslHandler sslHandler = new SslHandler(ossks.createServerTransportSSLEngine());
-                ch.pipeline().addFirst("ssl_server", sslHandler);
-            }
-        }
-
-        @Override
-        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
-            if (cause instanceof DecoderException && cause != null) {
-                cause = cause.getCause();
-            }
-
-            errorHandler.logError(cause, false);
-            getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
-
-            super.exceptionCaught(ctx, cause);
-        }
-    }
-
-    protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
-        private final Logger log = LogManager.getLogger(this.getClass());
-        private final SecurityKeyStore sks;
-        private final boolean hostnameVerificationEnabled;
-        private final boolean hostnameVerificationResovleHostName;
-        private final SslExceptionHandler errorHandler;
-
-        private ClientSSLHandler(
-            final SecurityKeyStore sks,
-            final boolean hostnameVerificationEnabled,
-            final boolean hostnameVerificationResovleHostName,
-            final SslExceptionHandler errorHandler
-        ) {
-            this.sks = sks;
-            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
-            this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
-            this.errorHandler = errorHandler;
-        }
-
-        @Override
-        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
-            if (cause instanceof DecoderException && cause != null) {
-                cause = cause.getCause();
-            }
-
-            errorHandler.logError(cause, false);
-            logger.error("Exception during establishing a SSL connection: " + cause, cause);
-
-            super.exceptionCaught(ctx, cause);
-        }
-
-        @Override
-        public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise)
-            throws Exception {
-            SSLEngine engine = null;
-            try {
-                if (hostnameVerificationEnabled) {
-                    final InetSocketAddress inetSocketAddress = (InetSocketAddress) remoteAddress;
-                    String hostname = null;
-                    if (hostnameVerificationResovleHostName) {
-                        hostname = inetSocketAddress.getHostName();
-                    } else {
-                        hostname = inetSocketAddress.getHostString();
-                    }
-
-                    if (log.isDebugEnabled()) {
-                        log.debug(
-                            "Hostname of peer is {} ({}/{}) with hostnameVerificationResovleHostName: {}",
-                            hostname,
-                            inetSocketAddress.getHostName(),
-                            inetSocketAddress.getHostString(),
-                            hostnameVerificationResovleHostName
-                        );
-                    }
-
-                    engine = sks.createClientTransportSSLEngine(hostname, inetSocketAddress.getPort());
-                } else {
-                    engine = sks.createClientTransportSSLEngine(null, -1);
-                }
-            } catch (final SSLException e) {
-                throw ExceptionsHelper.convertToOpenSearchException(e);
-            }
-            final SslHandler sslHandler = new SslHandler(engine);
-            ctx.pipeline().replace(this, "ssl_client", sslHandler);
-            super.connect(ctx, remoteAddress, localAddress, promise);
-        }
-    }
-
-    protected class SSLClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
-        private final boolean hostnameVerificationEnabled;
-        private final boolean hostnameVerificationResovleHostName;
-        private final DiscoveryNode node;
-        private SSLConnectionTestResult connectionTestResult;
-
-        @SuppressWarnings("removal")
-        public SSLClientChannelInitializer(DiscoveryNode node) {
-            this.node = node;
-            hostnameVerificationEnabled = settings.getAsBoolean(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
-                true
-            );
-            hostnameVerificationResovleHostName = settings.getAsBoolean(
-                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME,
-                true
-            );
-
-            connectionTestResult = SSLConnectionTestResult.SSL_AVAILABLE;
-            if (SSLConfig.isDualModeEnabled()) {
-                SSLConnectionTestUtil sslConnectionTestUtil = new SSLConnectionTestUtil(
-                    node.getAddress().getAddress(),
-                    node.getAddress().getPort()
-                );
-                connectionTestResult = AccessController.doPrivileged(
-                    (PrivilegedAction<SSLConnectionTestResult>) sslConnectionTestUtil::testConnection
-                );
-            }
-        }
-
-        @Override
-        protected void initChannel(Channel ch) throws Exception {
-            super.initChannel(ch);
-
-            if (connectionTestResult == SSLConnectionTestResult.OPENSEARCH_PING_FAILED) {
-                logger.error(
-                    "SSL dual mode is enabled but dual mode handshake and OpenSearch ping has failed during client connection setup, closing channel"
-                );
-                ch.close();
-                return;
-            }
-
-            if (connectionTestResult == SSLConnectionTestResult.SSL_AVAILABLE) {
-                logger.debug("Connection to {} needs to be ssl, adding ssl handler to the client channel ", node.getHostName());
-                ch.pipeline()
-                    .addFirst(
-                        "client_ssl_handler",
-                        new ClientSSLHandler(ossks, hostnameVerificationEnabled, hostnameVerificationResovleHostName, errorHandler)
-                    );
-            } else {
-                logger.debug("Connection to {} needs to be non ssl", node.getHostName());
-            }
-        }
-
-        @Override
-        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
-            if (cause instanceof DecoderException && cause != null) {
-                cause = cause.getCause();
-            }
-
-            errorHandler.logError(cause, false);
-            getLogger().error("Exception during establishing a SSL connection: " + cause, cause);
-
-            super.exceptionCaught(ctx, cause);
-        }
-    }
-}
diff --git a/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
new file mode 100644
index 0000000000..03488fe17c
--- /dev/null
+++ b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
@@ -0,0 +1,246 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.security.ssl;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Supplier;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import org.opensearch.OpenSearchException;
+import org.opensearch.common.collect.Tuple;
+import org.opensearch.common.network.NetworkModule;
+import org.opensearch.common.settings.ClusterSettings;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.http.HttpServerTransport;
+import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.security.support.SecuritySettings;
+import org.opensearch.security.test.AbstractSecurityUnitTest;
+import org.opensearch.security.test.helper.file.FileHelper;
+import org.opensearch.telemetry.tracing.noop.NoopTracer;
+import org.opensearch.transport.TcpTransport;
+import org.opensearch.transport.Transport;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.collection.IsMapContaining.hasKey;
+import static org.junit.Assert.assertThrows;
+
+public class OpenSearchSecuritySSLPluginTest extends AbstractSecurityUnitTest {
+    private Settings settings;
+    private SecureTransportSettingsProvider secureTransportSettingsProvider;
+    private ClusterSettings clusterSettings;
+
+    @Before
+    public void setUp() {
+        settings = Settings.builder()
+            .put(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
+                FileHelper.getAbsoluteFilePathFromClassPath("ssl/kirk-keystore.jks")
+            )
+            .put(
+                SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH,
+                FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")
+            )
+            .put(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+                FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")
+            )
+            .put(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
+                FileHelper.getAbsoluteFilePathFromClassPath("ssl/kirk-keystore.jks")
+            )
+            .put(
+                SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
+                FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")
+            )
+            .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
+            .put(OpenSearchSecuritySSLPlugin.CLIENT_TYPE, "node")
+            .build();
+
+        secureTransportSettingsProvider = new SecureTransportSettingsProvider() {
+            @Override
+            public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+                return Optional.empty();
+            }
+
+            @Override
+            public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
+                return Optional.empty();
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+                return Optional.empty();
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
+                return Optional.empty();
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
+                return Optional.empty();
+            }
+        };
+
+        clusterSettings = new ClusterSettings(Settings.EMPTY, ClusterSettings.BUILT_IN_CLUSTER_SETTINGS);
+    }
+
+    @Test
+    public void testRegisterSecureHttpTransport() throws IOException {
+        try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(settings, null, false)) {
+            final Map<String, Supplier<HttpServerTransport>> transports = plugin.getSecureHttpTransports(
+                settings,
+                MOCK_POOL,
+                null,
+                null,
+                null,
+                null,
+                null,
+                null,
+                clusterSettings,
+                secureTransportSettingsProvider,
+                NoopTracer.INSTANCE
+            );
+            assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport"));
+        }
+    }
+
+    @Test
+    public void testRegisterSecureTransport() throws IOException {
+        try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(settings, null, false)) {
+            final Map<String, Supplier<Transport>> transports = plugin.getSecureTransports(
+                settings,
+                MOCK_POOL,
+                null,
+                null,
+                null,
+                null,
+                secureTransportSettingsProvider,
+                NoopTracer.INSTANCE
+            );
+            assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport"));
+        }
+    }
+
+    @Test
+    public void testRegisterSecureTransportWithDeprecatedSecuirtyPluginSettings() throws IOException {
+        final Settings deprecated = Settings.builder()
+            .put(settings)
+            .put(SecuritySettings.SSL_DUAL_MODE_SETTING.getKey(), true)
+            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
+            .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
+            .build();
+
+        try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(deprecated, null, false)) {
+            final Map<String, Supplier<Transport>> transports = plugin.getSecureTransports(
+                deprecated,
+                MOCK_POOL,
+                null,
+                null,
+                null,
+                null,
+                secureTransportSettingsProvider,
+                NoopTracer.INSTANCE
+            );
+            assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport"));
+            assertThat(transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport").get(), not(nullValue()));
+        }
+    }
+
+    @Test
+    public void testRegisterSecureTransportWithNetworkModuleSettings() throws IOException {
+        final Settings migrated = Settings.builder()
+            .put(settings)
+            .put(NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY, true)
+            .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY, false)
+            .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
+            .build();
+
+        try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(migrated, null, false)) {
+            final Map<String, Supplier<Transport>> transports = plugin.getSecureTransports(
+                migrated,
+                MOCK_POOL,
+                null,
+                null,
+                null,
+                null,
+                secureTransportSettingsProvider,
+                NoopTracer.INSTANCE
+            );
+            assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport"));
+            assertThat(transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport").get(), not(nullValue()));
+        }
+    }
+
+    @Test
+    public void testRegisterSecureTransportWithDuplicateSettings() throws IOException {
+        final Collection<Tuple<String, String>> duplicates = List.of(
+            Tuple.tuple(SecuritySettings.SSL_DUAL_MODE_SETTING.getKey(), NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY),
+            Tuple.tuple(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME,
+                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY
+            ),
+            Tuple.tuple(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION,
+                NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY
+            )
+        );
+
+        for (final Tuple<String, String> duplicate : duplicates) {
+            final Settings migrated = Settings.builder()
+                .put(settings)
+                .put(duplicate.v1(), true)
+                .put(NetworkModule.TRANSPORT_SSL_DUAL_MODE_ENABLED_KEY, true)
+                .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME_KEY, false)
+                .put(NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_KEY, false)
+                .build();
+
+            try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(migrated, null, false)) {
+                final Map<String, Supplier<Transport>> transports = plugin.getSecureTransports(
+                    migrated,
+                    MOCK_POOL,
+                    null,
+                    null,
+                    null,
+                    null,
+                    secureTransportSettingsProvider,
+                    NoopTracer.INSTANCE
+                );
+                assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport"));
+                final OpenSearchException ex = assertThrows(
+                    OpenSearchException.class,
+                    transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport")::get
+                );
+                assertThat(
+                    ex.getMessage(),
+                    containsString(
+                        "Only one of the settings ["
+                            + duplicate.v2()
+                            + ", "
+                            + duplicate.v1()
+                            + " (deprecated)] could be specified but not both"
+                    )
+                );
+            }
+        }
+    }
+}
diff --git a/src/test/java/org/opensearch/security/ssl/transport/DualModeSSLHandlerTests.java b/src/test/java/org/opensearch/security/ssl/transport/DualModeSSLHandlerTests.java
deleted file mode 100644
index e71e77d414..0000000000
--- a/src/test/java/org/opensearch/security/ssl/transport/DualModeSSLHandlerTests.java
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-package org.opensearch.security.ssl.transport;
-
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.util.SSLConnectionTestUtil;
-
-import io.netty.buffer.ByteBuf;
-import io.netty.buffer.ByteBufAllocator;
-import io.netty.channel.ChannelFuture;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelPipeline;
-import io.netty.handler.ssl.SslHandler;
-import org.mockito.ArgumentCaptor;
-import org.mockito.Mockito;
-
-import static org.opensearch.transport.NettyAllocator.getAllocator;
-
-public class DualModeSSLHandlerTests {
-
-    public static final int TLS_MAJOR_VERSION = 3;
-    public static final int TLS_MINOR_VERSION = 0;
-    private static final ByteBufAllocator ALLOCATOR = getAllocator();
-
-    private SecurityKeyStore securityKeyStore;
-    private ChannelPipeline pipeline;
-    private ChannelHandlerContext ctx;
-    private SslHandler sslHandler;
-
-    @Before
-    public void setup() {
-        pipeline = Mockito.mock(ChannelPipeline.class);
-        ctx = Mockito.mock(ChannelHandlerContext.class);
-        Mockito.when(ctx.pipeline()).thenReturn(pipeline);
-
-        securityKeyStore = Mockito.mock(SecurityKeyStore.class);
-        sslHandler = Mockito.mock(SslHandler.class);
-    }
-
-    @Test
-    public void testInvalidMessage() throws Exception {
-        DualModeSSLHandler handler = new DualModeSSLHandler(securityKeyStore);
-
-        handler.decode(ctx, ALLOCATOR.buffer(4), null);
-        // ensure pipeline is not fetched and manipulated
-        Mockito.verify(ctx, Mockito.times(0)).pipeline();
-    }
-
-    @Test
-    public void testValidTLSMessage() throws Exception {
-        DualModeSSLHandler handler = new DualModeSSLHandler(securityKeyStore, sslHandler);
-
-        ByteBuf buffer = ALLOCATOR.buffer(6);
-        buffer.writeByte(20);
-        buffer.writeByte(TLS_MAJOR_VERSION);
-        buffer.writeByte(TLS_MINOR_VERSION);
-        buffer.writeByte(100);
-        buffer.writeByte(0);
-        buffer.writeByte(0);
-
-        handler.decode(ctx, buffer, null);
-        // ensure ssl handler is added
-        Mockito.verify(ctx, Mockito.times(1)).pipeline();
-        Mockito.verify(pipeline, Mockito.times(1)).addAfter("port_unification_handler", "ssl_server", sslHandler);
-        Mockito.verify(pipeline, Mockito.times(1)).remove(handler);
-    }
-
-    @Test
-    public void testNonTLSMessage() throws Exception {
-        DualModeSSLHandler handler = new DualModeSSLHandler(securityKeyStore, sslHandler);
-
-        ByteBuf buffer = ALLOCATOR.buffer(6);
-
-        for (int i = 0; i < 6; i++) {
-            buffer.writeByte(1);
-        }
-
-        handler.decode(ctx, buffer, null);
-        // ensure ssl handler is added
-        Mockito.verify(ctx, Mockito.times(1)).pipeline();
-        Mockito.verify(pipeline, Mockito.times(0)).addAfter("port_unification_handler", "ssl_server", sslHandler);
-        Mockito.verify(pipeline, Mockito.times(1)).remove(handler);
-    }
-
-    @Test
-    public void testDualModeClientHelloMessage() throws Exception {
-        ChannelFuture channelFuture = Mockito.mock(ChannelFuture.class);
-        Mockito.when(ctx.writeAndFlush(Mockito.any())).thenReturn(channelFuture);
-        Mockito.when(channelFuture.addListener(Mockito.any())).thenReturn(channelFuture);
-
-        ByteBuf buffer = ALLOCATOR.buffer(6);
-        buffer.writeCharSequence(SSLConnectionTestUtil.DUAL_MODE_CLIENT_HELLO_MSG, StandardCharsets.UTF_8);
-
-        DualModeSSLHandler handler = new DualModeSSLHandler(securityKeyStore, sslHandler);
-        List<Object> decodedObjs = new ArrayList<>();
-        handler.decode(ctx, buffer, decodedObjs);
-
-        ArgumentCaptor<ByteBuf> serverHelloReplyBuffer = ArgumentCaptor.forClass(ByteBuf.class);
-        Mockito.verify(ctx, Mockito.times(1)).writeAndFlush(serverHelloReplyBuffer.capture());
-
-        String actualReply = serverHelloReplyBuffer.getValue().getCharSequence(0, 6, StandardCharsets.UTF_8).toString();
-        Assert.assertEquals(SSLConnectionTestUtil.DUAL_MODE_SERVER_HELLO_MSG, actualReply);
-    }
-}
diff --git a/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java b/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java
deleted file mode 100644
index 32e0f48fac..0000000000
--- a/src/test/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransportTests.java
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.ssl.transport;
-
-import java.util.Collections;
-
-import org.apache.logging.log4j.Logger;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-
-import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.Version;
-import org.opensearch.cluster.node.DiscoveryNode;
-import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.PageCacheRecycler;
-import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
-import org.opensearch.core.indices.breaker.CircuitBreakerService;
-import org.opensearch.security.ssl.SecurityKeyStore;
-import org.opensearch.security.ssl.SslExceptionHandler;
-import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport.SSLClientChannelInitializer;
-import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport.SSLServerChannelInitializer;
-import org.opensearch.telemetry.tracing.Tracer;
-import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.FakeTcpChannel;
-import org.opensearch.transport.SharedGroupFactory;
-import org.opensearch.transport.TcpChannel;
-
-import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.handler.codec.DecoderException;
-import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnit;
-import org.mockito.junit.MockitoRule;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.instanceOf;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.notNullValue;
-import static org.junit.Assert.assertThrows;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.spy;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class SecuritySSLNettyTransportTests {
-
-    @Mock
-    private Version version;
-    @Mock
-    private ThreadPool threadPool;
-    @Mock
-    private PageCacheRecycler pageCacheRecycler;
-    @Mock
-    private NamedWriteableRegistry namedWriteableRegistry;
-    @Mock
-    private CircuitBreakerService circuitBreakerService;
-    @Mock
-    private Tracer trace;
-    @Mock
-    private SecurityKeyStore ossks;
-    @Mock
-    private SslExceptionHandler sslExceptionHandler;
-    @Mock
-    private DiscoveryNode discoveryNode;
-
-    // This initializes all the above mocks
-    @Rule
-    public MockitoRule rule = MockitoJUnit.rule();
-
-    private NetworkService networkService;
-    private SharedGroupFactory sharedGroupFactory;
-    private Logger mockLogger;
-    private SSLConfig sslConfig;
-    private SecuritySSLNettyTransport securitySSLNettyTransport;
-    Throwable testCause = new Throwable("Test Cause");
-
-    @Before
-    public void setup() {
-
-        networkService = new NetworkService(Collections.emptyList());
-        sharedGroupFactory = new SharedGroupFactory(Settings.EMPTY);
-
-        sslConfig = new SSLConfig(Settings.EMPTY);
-        mockLogger = mock(Logger.class);
-
-        securitySSLNettyTransport = spy(
-            new SecuritySSLNettyTransport(
-                Settings.EMPTY,
-                version,
-                threadPool,
-                networkService,
-                pageCacheRecycler,
-                namedWriteableRegistry,
-                circuitBreakerService,
-                ossks,
-                sslExceptionHandler,
-                sharedGroupFactory,
-                sslConfig,
-                trace
-            )
-        );
-    }
-
-    @Test
-    public void OnException_withNullChannelShouldThrowException() {
-
-        OpenSearchSecurityException exception = new OpenSearchSecurityException("The provided TCP channel is invalid");
-        assertThrows(OpenSearchSecurityException.class, () -> securitySSLNettyTransport.onException(null, exception));
-    }
-
-    @Test
-    public void OnException_withClosedChannelShouldThrowException() {
-
-        TcpChannel channel = new FakeTcpChannel();
-        channel.close();
-        OpenSearchSecurityException exception = new OpenSearchSecurityException("The provided TCP channel is invalid");
-        assertThrows(OpenSearchSecurityException.class, () -> securitySSLNettyTransport.onException(channel, exception));
-    }
-
-    @Test
-    public void OnException_withNullExceptionShouldSucceed() {
-
-        TcpChannel channel = new FakeTcpChannel();
-        securitySSLNettyTransport.onException(channel, null);
-        verify(securitySSLNettyTransport, times(1)).onException(channel, null);
-        channel.close();
-    }
-
-    @Test
-    public void OnException_withDecoderExceptionShouldGetCause() {
-
-        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
-        DecoderException exception = new DecoderException("Test Exception", testCause);
-        TcpChannel channel = new FakeTcpChannel();
-        securitySSLNettyTransport.onException(channel, exception);
-        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
-    }
-
-    @Test
-    public void getServerChannelInitializer_shouldReturnValidServerChannel() {
-
-        ChannelHandler channelHandler = securitySSLNettyTransport.getServerChannelInitializer("test-server-channel");
-        assertThat(channelHandler, is(notNullValue()));
-        assertThat(channelHandler, is(instanceOf(SSLServerChannelInitializer.class)));
-    }
-
-    @Test
-    public void getClientChannelInitializer_shouldReturnValidClientChannel() {
-        ChannelHandler channelHandler = securitySSLNettyTransport.getClientChannelInitializer(discoveryNode);
-        assertThat(channelHandler, is(notNullValue()));
-        assertThat(channelHandler, is(instanceOf(SSLClientChannelInitializer.class)));
-    }
-
-    @Test
-    public void exceptionWithServerChannelHandlerContext_nonNullDecoderExceptionShouldGetCause() throws Exception {
-        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
-        Throwable exception = new DecoderException("Test Exception", testCause);
-        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
-        securitySSLNettyTransport.getServerChannelInitializer(discoveryNode.getName()).exceptionCaught(ctx, exception);
-        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
-    }
-
-    @Test
-    public void exceptionWithServerChannelHandlerContext_nonNullCauseOnlyShouldNotGetCause() throws Exception {
-        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
-        Throwable exception = new OpenSearchSecurityException("Test Exception", testCause);
-        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
-        securitySSLNettyTransport.getServerChannelInitializer(discoveryNode.getName()).exceptionCaught(ctx, exception);
-        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception, exception);
-    }
-
-    @Test
-    public void exceptionWithClientChannelHandlerContext_nonNullDecoderExceptionShouldGetCause() throws Exception {
-        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
-        Throwable exception = new DecoderException("Test Exception", testCause);
-        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
-        securitySSLNettyTransport.getClientChannelInitializer(discoveryNode).exceptionCaught(ctx, exception);
-        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception.getCause(), exception.getCause());
-    }
-
-    @Test
-    public void exceptionWithClientChannelHandlerContext_nonNullCauseOnlyShouldNotGetCause() throws Exception {
-        when(securitySSLNettyTransport.getLogger()).thenReturn(mockLogger);
-        Throwable exception = new OpenSearchSecurityException("Test Exception", testCause);
-        ChannelHandlerContext ctx = mock(ChannelHandlerContext.class);
-        securitySSLNettyTransport.getClientChannelInitializer(discoveryNode).exceptionCaught(ctx, exception);
-        verify(mockLogger, times(1)).error("Exception during establishing a SSL connection: " + exception, exception);
-    }
-}

From a16bb6272b6146c0d8ed9ba6755bd73641ccbce7 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 26 Mar 2024 17:20:43 -0400
Subject: [PATCH 096/143] Add simple roles mapping integ test to test mapping
 of backend role to role (#4172)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../security/http/RolesMappingTests.java      | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java

diff --git a/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java b/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java
new file mode 100644
index 0000000000..3907be4153
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.http;
+
+import java.util.List;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.RolesMapping;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.apache.http.HttpStatus.SC_OK;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.notNullValue;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class RolesMappingTests {
+    static final TestSecurityConfig.User USER_A = new TestSecurityConfig.User("userA").password("s3cret").backendRoles("mapsToRoleA");
+    static final TestSecurityConfig.User USER_B = new TestSecurityConfig.User("userB").password("P@ssw0rd").backendRoles("mapsToRoleB");
+
+    private static final TestSecurityConfig.Role ROLE_A = new TestSecurityConfig.Role("roleA").clusterPermissions("cluster_all");
+
+    private static final TestSecurityConfig.Role ROLE_B = new TestSecurityConfig.Role("roleB").clusterPermissions("cluster_all");
+
+    public static final TestSecurityConfig.AuthcDomain AUTHC_DOMAIN = new TestSecurityConfig.AuthcDomain("basic", 0)
+        .httpAuthenticatorWithChallenge("basic")
+        .backend("internal");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .authc(AUTHC_DOMAIN)
+        .roles(ROLE_A, ROLE_B)
+        .rolesMapping(new RolesMapping(ROLE_A).backendRoles("mapsToRoleA"), new RolesMapping(ROLE_B).backendRoles("mapsToRoleB"))
+        .users(USER_A, USER_B)
+        .build();
+
+    @Test
+    public void testBackendRoleToRoleMapping() {
+        try (TestRestClient client = cluster.getRestClient(USER_A)) {
+
+            TestRestClient.HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            List<String> roles = response.getTextArrayFromJsonBody("/roles");
+            List<String> backendRoles = response.getTextArrayFromJsonBody("/backend_roles");
+            assertThat(roles, contains(ROLE_A.getName()));
+            assertThat(roles, not(contains(ROLE_B.getName())));
+            assertThat(backendRoles, contains("mapsToRoleA"));
+            response.assertStatusCode(SC_OK);
+        }
+
+        try (TestRestClient client = cluster.getRestClient(USER_B)) {
+
+            TestRestClient.HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            List<String> roles = response.getTextArrayFromJsonBody("/roles");
+            List<String> backendRoles = response.getTextArrayFromJsonBody("/backend_roles");
+            assertThat(roles, contains(ROLE_B.getName()));
+            assertThat(roles, not(contains(ROLE_A.getName())));
+            assertThat(backendRoles, contains("mapsToRoleB"));
+            response.assertStatusCode(SC_OK);
+        }
+    }
+}

From 551d026552579774dc4cabd26831ba0829e95cf1 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 26 Mar 2024 18:40:26 -0400
Subject: [PATCH 097/143] Update file to modify in the README when adding a
 system index (#4139)

### Description

Updates the README to the current location of the default system
indexes.

* Category

Documentation

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index fe698a12d9..0d5d81e109 100644
--- a/README.md
+++ b/README.md
@@ -129,8 +129,7 @@ plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task
 
 The demo configuration can be modified in the following files to add a new system index to the demo configuration:
 
-- https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh
-- https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.bat
+- https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
 
 
 ## Contributing

From dc8bd61a8df01b32805ddde0b6f6c6010eeca5cf Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Wed, 27 Mar 2024 08:32:10 -0500
Subject: [PATCH 098/143] Remove Pom task dependenices rewrite (#4178)

### Description
The underlying issue associated with Pom validation was fixed in
OpenSearch [1], this causes the 'hack' that was used to unblock pom
generation in security to start causing problems in the distribution
builds.

- [1] https://github.com/opensearch-project/OpenSearch/pull/12807

### Issues Resolved
- Fixes https://github.com/opensearch-project/security/issues/4160

### Testing
Added new CI test that executes the same job used by the distribution
build and checks the expected artifacts exist

### Check List
- [X] New functionality includes testing
- [ ] ~New functionality has been documented~
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Peter Nied <peternied@hotmail.com>
---
 .github/workflows/ci.yml | 2 ++
 build.gradle             | 5 -----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 68e966f56e..d1873fba2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -246,6 +246,8 @@ jobs:
 
     - run: ./gradlew clean assemble -Dbuild.version_qualifier=${{ env.TEST_QUALIFIER }} && test -s ./build/distributions/opensearch-security-${{ env.SECURITY_PLUGIN_VERSION_ONLY_NUMBER }}-${{ env.TEST_QUALIFIER }}-SNAPSHOT.zip
 
+    - run: ./gradlew clean publishPluginZipPublicationToZipStagingRepository && test -s ./build/distributions/opensearch-security-${{ env.SECURITY_PLUGIN_VERSION }}.zip && test -s ./build/distributions/opensearch-security-${{ env.SECURITY_PLUGIN_VERSION }}.pom
+
     - name: List files in the build directory if there was an error
       run: ls -al ./build/distributions/
       if: failure()
diff --git a/build.gradle b/build.gradle
index ea392a8eac..aa99828d5c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -407,11 +407,6 @@ opensearchplugin {
 // This requires an additional Jar not published as part of build-tools
 loggerUsageCheck.enabled = false
 
-// No need to validate pom, as we do not upload to maven/sonatype
-tasks.matching {it.path in [":validateMavenPom", ":validateNebulaPom", ":validatePluginZipPom"]}.all { task ->
-    task.dependsOn ':generatePomFileForNebulaPublication', ':generatePomFileForPluginZipPublication', ':generatePomFileForMavenPublication'
-}
-
 publishing {
     publications {
         pluginZip(MavenPublication) { publication ->

From b0d26ddbfd584a76cb7eb48ee36c461fd0e9e19b Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Wed, 27 Mar 2024 17:09:22 +0100
Subject: [PATCH 099/143] Fix cluster default initialization Part 1 (#4002)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 build.gradle                                  |   4 +-
 ...=> AbstractDefaultConfigurationTests.java} |  88 +--
 ...ultConfigurationMultiNodeClusterTests.java |  39 ++
 ...nMultiNodeClusterUseClusterStateTests.java |  42 ++
 ...ltConfigurationSingleNodeClusterTests.java |  44 ++
 ...SingleNodeClusterUseClusterStateTests.java |  42 ++
 .../SecurityConfigurationBootstrapTests.java  |   3 +-
 .../security/OpenSearchSecurityPlugin.java    |  33 +-
 .../ConfigurationRepository.java              | 221 ++++++--
 .../impl/SecurityDynamicConfiguration.java    |   5 +
 .../security/state/SecurityConfig.java        | 124 +++++
 .../security/state/SecurityMetadata.java      | 128 +++++
 .../security/support/ConfigConstants.java     |   5 +
 .../security/support/ConfigHelper.java        |   1 +
 .../support/SecurityIndexHandler.java         | 233 ++++++++
 .../security/support/YamlConfigReader.java    |  95 ++++
 .../ConfigurationRepositoryTest.java          | 190 ++++++-
 ...SecurityMetadataSerializationTestCase.java | 154 ++++++
 .../security/support/ConfigReaderTest.java    |  63 +++
 .../support/SecurityIndexHandlerTest.java     | 510 ++++++++++++++++++
 20 files changed, 1930 insertions(+), 94 deletions(-)
 rename src/integrationTest/java/org/opensearch/security/{DefaultConfigurationTests.java => AbstractDefaultConfigurationTests.java} (69%)
 create mode 100644 src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterTests.java
 create mode 100644 src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterUseClusterStateTests.java
 create mode 100644 src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterTests.java
 create mode 100644 src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterUseClusterStateTests.java
 create mode 100644 src/main/java/org/opensearch/security/state/SecurityConfig.java
 create mode 100644 src/main/java/org/opensearch/security/state/SecurityMetadata.java
 create mode 100644 src/main/java/org/opensearch/security/support/SecurityIndexHandler.java
 create mode 100644 src/main/java/org/opensearch/security/support/YamlConfigReader.java
 create mode 100644 src/test/java/org/opensearch/security/state/SecurityMetadataSerializationTestCase.java
 create mode 100644 src/test/java/org/opensearch/security/support/ConfigReaderTest.java
 create mode 100644 src/test/java/org/opensearch/security/support/SecurityIndexHandlerTest.java

diff --git a/build.gradle b/build.gradle
index aa99828d5c..607649d082 100644
--- a/build.gradle
+++ b/build.gradle
@@ -613,6 +613,7 @@ dependencies {
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.1'
+    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.15"
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
     implementation "org.opensaml:opensaml-core:${open_saml_version}"
@@ -638,7 +639,6 @@ dependencies {
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
-    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.25'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'
@@ -699,12 +699,12 @@ dependencies {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
     testRuntimeOnly 'org.scala-lang:scala-library:2.13.13'
-    testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.2') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
         exclude(group:'ch.qos.logback', module: 'logback-core' )
     }
+    testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly "org.apache.kafka:kafka-metadata:${kafka_version}"
     testRuntimeOnly "org.apache.kafka:kafka-storage:${kafka_version}"
 
diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/AbstractDefaultConfigurationTests.java
similarity index 69%
rename from src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java
rename to src/integrationTest/java/org/opensearch/security/AbstractDefaultConfigurationTests.java
index eb028c74e4..5387b3e516 100644
--- a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/AbstractDefaultConfigurationTests.java
@@ -1,12 +1,12 @@
 /*
-* Copyright OpenSearch Contributors
-* SPDX-License-Identifier: Apache-2.0
-*
-* The OpenSearch Contributors require contributions made to
-* this file be licensed under the Apache-2.0 license or a
-* compatible open source license.
-*
-*/
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
 package org.opensearch.security;
 
 import java.io.IOException;
@@ -19,17 +19,16 @@
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.commons.io.FileUtils;
+import org.apache.http.HttpStatus;
 import org.awaitility.Awaitility;
 import org.junit.AfterClass;
-import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.test.framework.TestSecurityConfig.User;
-import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.security.state.SecurityMetadata;
+import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
-import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.aMapWithSize;
@@ -37,29 +36,22 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 @RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
 @ThreadLeakScope(ThreadLeakScope.Scope.NONE)
-public class DefaultConfigurationTests {
-
-    private final static Path configurationFolder = ConfigurationFiles.createConfigurationDirectory();
-    private static final User ADMIN_USER = new User("admin");
-    private static final User NEW_USER = new User("new-user");
-    private static final User LIMITED_USER = new User("limited-user");
-
-    @ClassRule
-    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
-        .nodeSettings(
-            Map.of(
-                "plugins.security.allow_default_init_securityindex",
-                true,
-                "plugins.security.restapi.roles_enabled",
-                List.of("user_admin__all_access")
-            )
-        )
-        .defaultConfigurationInitDirectory(configurationFolder.toString())
-        .loadConfigurationIntoIndex(false)
-        .build();
+public abstract class AbstractDefaultConfigurationTests {
+    public final static Path configurationFolder = ConfigurationFiles.createConfigurationDirectory();
+    private static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin");
+    private static final TestSecurityConfig.User NEW_USER = new TestSecurityConfig.User("new-user");
+    private static final TestSecurityConfig.User LIMITED_USER = new TestSecurityConfig.User("limited-user");
+
+    private final LocalCluster cluster;
+
+    protected AbstractDefaultConfigurationTests(LocalCluster cluster) {
+        this.cluster = cluster;
+    }
 
     @AfterClass
     public static void cleanConfigurationDirectory() throws IOException {
@@ -73,18 +65,43 @@ public void shouldLoadDefaultConfiguration() {
         }
         try (TestRestClient client = cluster.getRestClient(ADMIN_USER)) {
             client.confirmCorrectCredentials(ADMIN_USER.getName());
-            HttpResponse response = client.get("_plugins/_security/api/internalusers");
-            response.assertStatusCode(200);
+            TestRestClient.HttpResponse response = client.get("_plugins/_security/api/internalusers");
+            response.assertStatusCode(HttpStatus.SC_OK);
             Map<String, Object> users = response.getBodyAs(Map.class);
             assertThat(
+                response.getBody(),
                 users,
                 allOf(aMapWithSize(3), hasKey(ADMIN_USER.getName()), hasKey(NEW_USER.getName()), hasKey(LIMITED_USER.getName()))
             );
         }
     }
 
+    void assertClusterState(final TestRestClient client) {
+        if (cluster.node().settings().getAsBoolean("plugins.security.allow_default_init_securityindex.use_cluster_state", false)) {
+            final TestRestClient.HttpResponse response = client.get("_cluster/state");
+            response.assertStatusCode(HttpStatus.SC_OK);
+            final var clusterState = response.getBodyAs(Map.class);
+            assertTrue(response.getBody(), clusterState.containsKey(SecurityMetadata.TYPE));
+            @SuppressWarnings("unchecked")
+            final var securityClusterState = (Map<String, Object>) clusterState.get(SecurityMetadata.TYPE);
+            @SuppressWarnings("unchecked")
+            final var securityConfiguration = (Map<String, Object>) ((Map<?, ?>) clusterState.get(SecurityMetadata.TYPE)).get(
+                "configuration"
+            );
+            assertTrue(response.getBody(), securityClusterState.containsKey("created"));
+            assertNotNull(response.getBody(), securityClusterState.get("created"));
+
+            for (final var k : securityConfiguration.keySet()) {
+                @SuppressWarnings("unchecked")
+                final var sc = (Map<String, Object>) securityConfiguration.get(k);
+                assertTrue(response.getBody(), sc.containsKey("hash"));
+                assertTrue(response.getBody(), sc.containsKey("last_modified"));
+            }
+        }
+    }
+
     @Test
-    public void securityRolesUgrade() throws Exception {
+    public void securityRolesUpgrade() throws Exception {
         try (var client = cluster.getRestClient(ADMIN_USER)) {
             // Setup: Make sure the config is ready before starting modifications
             Awaitility.await().alias("Load default configuration").until(() -> client.getAuthInfo().getStatusCode(), equalTo(200));
@@ -159,4 +176,5 @@ private Set<String> extractFieldNames(final JsonNode json) {
         json.fieldNames().forEachRemaining(set::add);
         return set;
     }
+
 }
diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterTests.java b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterTests.java
new file mode 100644
index 0000000000..704e2c7255
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterTests.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationMultiNodeClusterTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationMultiNodeClusterTests() {
+        super(cluster);
+    }
+}
diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterUseClusterStateTests.java b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterUseClusterStateTests.java
new file mode 100644
index 0000000000..8abffac9cf
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterUseClusterStateTests.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationMultiNodeClusterUseClusterStateTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.allow_default_init_securityindex.use_cluster_state",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationMultiNodeClusterUseClusterStateTests() {
+        super(cluster);
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterTests.java b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterTests.java
new file mode 100644
index 0000000000..362245db5e
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterTests.java
@@ -0,0 +1,44 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class DefaultConfigurationSingleNodeClusterTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationSingleNodeClusterTests() {
+        super(cluster);
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterUseClusterStateTests.java b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterUseClusterStateTests.java
new file mode 100644
index 0000000000..e05005e912
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterUseClusterStateTests.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationSingleNodeClusterUseClusterStateTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.allow_default_init_securityindex.use_cluster_state",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationSingleNodeClusterUseClusterStateTests() {
+        super(cluster);
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java
index 5b83e0d6d0..e6af5d58bb 100644
--- a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java
+++ b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java
@@ -124,6 +124,7 @@ public void shouldStillLoadSecurityConfigDuringBootstrapAndActiveConfigUpdateReq
                     .put("action_groups.yml", CType.ACTIONGROUPS)
                     .put("config.yml", CType.CONFIG)
                     .put("roles.yml", CType.ROLES)
+                    .put("roles_mapping.yml", CType.ROLESMAPPING)
                     .put("tenants.yml", CType.TENANTS)
                     .build();
 
@@ -146,7 +147,7 @@ public void shouldStillLoadSecurityConfigDuringBootstrapAndActiveConfigUpdateReq
                     // After the configuration has been loaded, the rest clients should be able to connect successfully
                     cluster.triggerConfigurationReloadForCTypes(
                         internalNodeClient,
-                        List.of(CType.ACTIONGROUPS, CType.CONFIG, CType.ROLES, CType.TENANTS),
+                        List.of(CType.ACTIONGROUPS, CType.CONFIG, CType.ROLES, CType.ROLESMAPPING, CType.TENANTS),
                         true
                     );
                     try (final TestRestClient freshClient = cluster.getRestClient(USER_ADMIN)) {
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index ac32da1d1b..a59d1f531d 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -73,6 +73,8 @@
 import org.opensearch.action.search.SearchScrollAction;
 import org.opensearch.action.support.ActionFilter;
 import org.opensearch.client.Client;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.NamedDiff;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.cluster.node.DiscoveryNodes;
@@ -176,6 +178,7 @@
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.security.state.SecurityMetadata;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.GuardedSearchOperationWrapper;
 import org.opensearch.security.support.HeaderHelper;
@@ -208,6 +211,8 @@
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
 import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE;
 import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION;
 // CS-ENFORCE-SINGLE
 
@@ -288,6 +293,10 @@ private static boolean isDisabled(final Settings settings) {
         return settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false);
     }
 
+    private static boolean useClusterStateToInitSecurityConfig(final Settings settings) {
+        return settings.getAsBoolean(SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE, false);
+    }
+
     /**
      * SSL Cert Reload will be enabled only if security is not disabled and not in we are not using sslOnly mode.
      * @param settings Elastic configuration settings
@@ -1172,11 +1181,23 @@ public Collection<Object> createComponents(
         components.add(si);
         components.add(dcf);
         components.add(userService);
-
+        final var allowDefaultInit = settings.getAsBoolean(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false);
+        final var useClusterState = useClusterStateToInitSecurityConfig(settings);
+        if (!SSLConfig.isSslOnlyMode() && !isDisabled(settings) && allowDefaultInit && useClusterState) {
+            clusterService.addListener(cr);
+        }
         return components;
 
     }
 
+    @Override
+    public List<NamedWriteableRegistry.Entry> getNamedWriteables() {
+        return List.of(
+            new NamedWriteableRegistry.Entry(ClusterState.Custom.class, SecurityMetadata.TYPE, SecurityMetadata::new),
+            new NamedWriteableRegistry.Entry(NamedDiff.class, SecurityMetadata.TYPE, SecurityMetadata::readDiffFrom)
+        );
+    }
+
     @Override
     public Settings additionalSettings() {
 
@@ -1317,9 +1338,8 @@ public List<Setting<?>> getSettings() {
             settings.add(
                 Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Property.NodeScope, Property.Filtered)
             );
-            settings.add(
-                Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Property.NodeScope, Property.Filtered)
-            );
+            settings.add(Setting.boolSetting(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.boolSetting(SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE, false, Property.NodeScope, Property.Filtered));
             settings.add(
                 Setting.boolSetting(
                     ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST,
@@ -1915,11 +1935,10 @@ public List<String> getSettingsFilter() {
 
     @Override
     public void onNodeStarted(DiscoveryNode localNode) {
-        log.info("Node started");
-        if (!SSLConfig.isSslOnlyMode() && !client && !disabled) {
+        this.localNode.set(localNode);
+        if (!SSLConfig.isSslOnlyMode() && !client && !disabled && !useClusterStateToInitSecurityConfig(settings)) {
             cr.initOnNodeStart();
         }
-        this.localNode.set(localNode);
         final Set<ModuleInfo> securityModules = ReflectionHelper.getModulesLoaded();
         log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules);
     }
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
index 353286fc4a..44ba77428f 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
@@ -31,6 +31,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.text.SimpleDateFormat;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -38,12 +39,16 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
@@ -58,13 +63,19 @@
 import org.opensearch.action.admin.cluster.health.ClusterHealthResponse;
 import org.opensearch.action.admin.indices.create.CreateIndexRequest;
 import org.opensearch.client.Client;
+import org.opensearch.cluster.ClusterChangedEvent;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.ClusterStateListener;
+import org.opensearch.cluster.ClusterStateUpdateTask;
 import org.opensearch.cluster.health.ClusterHealthStatus;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.cluster.metadata.MappingMetadata;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.Priority;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.util.concurrent.ThreadContext.StoredContext;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.MediaTypeRegistry;
@@ -75,12 +86,16 @@
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.ssl.util.ExceptionUtils;
+import org.opensearch.security.state.SecurityMetadata;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.ConfigHelper;
+import org.opensearch.security.support.SecurityIndexHandler;
 import org.opensearch.security.support.SecurityUtils;
 import org.opensearch.threadpool.ThreadPool;
 
-public class ConfigurationRepository {
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE;
+
+public class ConfigurationRepository implements ClusterStateListener {
     private static final Logger LOGGER = LogManager.getLogger(ConfigurationRepository.class);
 
     private final String securityIndex;
@@ -96,20 +111,27 @@ public class ConfigurationRepository {
     private DynamicConfigFactory dynamicConfigFactory;
     public static final int DEFAULT_CONFIG_VERSION = 2;
     private final CompletableFuture<Void> initalizeConfigTask = new CompletableFuture<>();
+
     private final boolean acceptInvalid;
 
-    private ConfigurationRepository(
-        Settings settings,
+    private final AtomicBoolean auditHotReloadingEnabled = new AtomicBoolean(false);
+
+    private final AtomicBoolean initializationInProcess = new AtomicBoolean(false);
+
+    private final SecurityIndexHandler securityIndexHandler;
+
+    // visible for testing
+    protected ConfigurationRepository(
+        final String securityIndex,
+        final Settings settings,
         final Path configPath,
-        ThreadPool threadPool,
-        Client client,
-        ClusterService clusterService,
-        AuditLog auditLog
+        final ThreadPool threadPool,
+        final Client client,
+        final ClusterService clusterService,
+        final AuditLog auditLog,
+        final SecurityIndexHandler securityIndexHandler
     ) {
-        this.securityIndex = settings.get(
-            ConfigConstants.SECURITY_CONFIG_INDEX_NAME,
-            ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX
-        );
+        this.securityIndex = securityIndex;
         this.settings = settings;
         this.configPath = configPath;
         this.client = client;
@@ -119,8 +141,38 @@ private ConfigurationRepository(
         this.configurationChangedListener = new ArrayList<>();
         this.acceptInvalid = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false);
         cl = new ConfigurationLoaderSecurity7(client, threadPool, settings, clusterService);
-
         configCache = CacheBuilder.newBuilder().build();
+        this.securityIndexHandler = securityIndexHandler;
+    }
+
+    private Path resolveConfigDir() {
+        return Optional.ofNullable(System.getProperty("security.default_init.dir"))
+            .map(Path::of)
+            .orElseGet(() -> new Environment(settings, configPath).configDir().resolve("opensearch-security/"));
+    }
+
+    @Override
+    public void clusterChanged(final ClusterChangedEvent event) {
+        final SecurityMetadata securityMetadata = event.state().custom(SecurityMetadata.TYPE);
+        // init and upload sec index on the manager node only as soon as
+        // creation of index and upload config are done a new cluster state will be created.
+        // in case of failures it repeats attempt after restart
+        if (nodeSelectedAsManager(event)) {
+            if (securityMetadata == null) {
+                initSecurityIndex(event);
+            }
+        }
+        // executes reload of cache on each node on the cluster,
+        // since sec initialization has been finished
+        if (securityMetadata != null) {
+            executeConfigurationInitialization(securityMetadata);
+        }
+    }
+
+    private boolean nodeSelectedAsManager(final ClusterChangedEvent event) {
+        boolean wasClusterManager = event.previousState().nodes().isLocalNodeElectedClusterManager();
+        boolean isClusterManager = event.localNodeClusterManager();
+        return !wasClusterManager && isClusterManager;
     }
 
     public String getConfigDirectory() {
@@ -236,7 +288,7 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
                 } catch (Exception e) {
                     LOGGER.debug("Unable to load configuration due to {}", String.valueOf(ExceptionUtils.getRootCause(e)));
                     try {
-                        Thread.sleep(3000);
+                        TimeUnit.MILLISECONDS.sleep(3000);
                     } catch (InterruptedException e1) {
                         Thread.currentThread().interrupt();
                         LOGGER.debug("Thread was interrupted so we cancel initialization");
@@ -244,27 +296,7 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
                     }
                 }
             }
-
-            final Set<String> deprecatedAuditKeysInSettings = AuditConfig.getDeprecatedKeys(settings);
-            if (!deprecatedAuditKeysInSettings.isEmpty()) {
-                LOGGER.warn(
-                    "Following keys {} are deprecated in opensearch settings. They will be removed in plugin v2.0.0.0",
-                    deprecatedAuditKeysInSettings
-                );
-            }
-            final boolean isAuditConfigDocPresentInIndex = cl.isAuditConfigDocPresentInIndex();
-            if (isAuditConfigDocPresentInIndex) {
-                if (!deprecatedAuditKeysInSettings.isEmpty()) {
-                    LOGGER.warn("Audit configuration settings found in both index and opensearch settings (deprecated)");
-                }
-                LOGGER.info("Hot-reloading of audit configuration is enabled");
-            } else {
-                LOGGER.info(
-                    "Hot-reloading of audit configuration is disabled. Using configuration with defaults from opensearch settings.  Populate the configuration in index using audit.yml or securityadmin to enable it."
-                );
-                auditLog.setConfig(AuditConfig.from(settings));
-            }
-
+            setupAuditConfigurationIfAny(cl.isAuditConfigDocPresentInIndex());
             LOGGER.info("Node '{}' initialized", clusterService.localNode().getName());
 
         } catch (Exception e) {
@@ -272,6 +304,27 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
         }
     }
 
+    private void setupAuditConfigurationIfAny(final boolean auditConfigDocPresent) {
+        final Set<String> deprecatedAuditKeysInSettings = AuditConfig.getDeprecatedKeys(settings);
+        if (!deprecatedAuditKeysInSettings.isEmpty()) {
+            LOGGER.warn(
+                "Following keys {} are deprecated in opensearch settings. They will be removed in plugin v2.0.0.0",
+                deprecatedAuditKeysInSettings
+            );
+        }
+        if (auditConfigDocPresent) {
+            if (!deprecatedAuditKeysInSettings.isEmpty()) {
+                LOGGER.warn("Audit configuration settings found in both index and opensearch settings (deprecated)");
+            }
+            LOGGER.info("Hot-reloading of audit configuration is enabled");
+        } else {
+            LOGGER.info(
+                "Hot-reloading of audit configuration is disabled. Using configuration with defaults from opensearch settings.  Populate the configuration in index using audit.yml or securityadmin to enable it."
+            );
+            auditLog.setConfig(AuditConfig.from(settings));
+        }
+    }
+
     private boolean createSecurityIndexIfAbsent() {
         try {
             final Map<String, Object> indexSettings = ImmutableMap.of("index.number_of_shards", 1, "index.auto_expand_replicas", "0-all");
@@ -304,7 +357,7 @@ private void waitForSecurityIndexToBeAtLeastYellow() {
                 response == null ? "no response" : (response.isTimedOut() ? "timeout" : "other, maybe red cluster")
             );
             try {
-                Thread.sleep(500);
+                TimeUnit.MILLISECONDS.sleep(500);
             } catch (InterruptedException e) {
                 // ignore
                 Thread.currentThread().interrupt();
@@ -317,6 +370,69 @@ private void waitForSecurityIndexToBeAtLeastYellow() {
         }
     }
 
+    void initSecurityIndex(final ClusterChangedEvent event) {
+        if (!event.state().metadata().hasIndex(securityIndex)) {
+            securityIndexHandler.createIndex(
+                ActionListener.wrap(r -> uploadDefaultConfiguration0(), e -> LOGGER.error("Couldn't create index {}", securityIndex, e))
+            );
+        } else {
+            // in case index was created and cluster state has not been changed (e.g. restart of the node or something)
+            // just upload default configuration
+            uploadDefaultConfiguration0();
+        }
+    }
+
+    private void uploadDefaultConfiguration0() {
+        securityIndexHandler.uploadDefaultConfiguration(
+            resolveConfigDir(),
+            ActionListener.wrap(
+                configuration -> clusterService.submitStateUpdateTask(
+                    "init-security-configuration",
+                    new ClusterStateUpdateTask(Priority.IMMEDIATE) {
+                        @Override
+                        public ClusterState execute(ClusterState clusterState) throws Exception {
+                            return ClusterState.builder(clusterState)
+                                .putCustom(SecurityMetadata.TYPE, new SecurityMetadata(Instant.now(), configuration))
+                                .build();
+                        }
+
+                        @Override
+                        public void onFailure(String s, Exception e) {
+                            LOGGER.error(s, e);
+                        }
+                    }
+                ),
+                e -> LOGGER.error("Couldn't upload default configuration", e)
+            )
+        );
+    }
+
+    Future<Void> executeConfigurationInitialization(final SecurityMetadata securityMetadata) {
+        if (!initalizeConfigTask.isDone()) {
+            if (initializationInProcess.compareAndSet(false, true)) {
+                return threadPool.generic().submit(() -> {
+                    securityIndexHandler.loadConfiguration(securityMetadata.configuration(), ActionListener.wrap(cTypeConfigs -> {
+                        notifyConfigurationListeners(cTypeConfigs);
+                        final var auditConfigDocPresent = cTypeConfigs.containsKey(CType.AUDIT) && cTypeConfigs.get(CType.AUDIT).notEmpty();
+                        setupAuditConfigurationIfAny(auditConfigDocPresent);
+                        auditHotReloadingEnabled.getAndSet(auditConfigDocPresent);
+                        initalizeConfigTask.complete(null);
+                        LOGGER.info(
+                            "Security configuration initialized. Applied hashes: {}",
+                            securityMetadata.configuration()
+                                .stream()
+                                .map(c -> String.format("%s:%s", c.type().toLCString(), c.hash()))
+                                .collect(Collectors.toList())
+                        );
+                    }, e -> LOGGER.error("Couldn't reload security configuration", e)));
+                    return null;
+                });
+            }
+        }
+        return CompletableFuture.completedFuture(null);
+    }
+
+    @Deprecated
     public CompletableFuture<Boolean> initOnNodeStart() {
         final boolean installDefaultConfig = settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false);
 
@@ -333,13 +449,15 @@ public CompletableFuture<Boolean> initOnNodeStart() {
                 return startInitialization.get();
             } else if (settings.getAsBoolean(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true)) {
                 LOGGER.info(
-                    "Will not attempt to create index {} and default configs if they are absent. Use securityadmin to initialize cluster",
+                    "Will not attempt to create index {} and default configs if they are absent."
+                        + " Use securityadmin to initialize cluster",
                     securityIndex
                 );
                 return startInitialization.get();
             } else {
                 LOGGER.info(
-                    "Will not attempt to create index {} and default configs if they are absent. Will not perform background initialization",
+                    "Will not attempt to create index {} and default configs if they are absent. "
+                        + "Will not perform background initialization",
                     securityIndex
                 );
                 initalizeConfigTask.complete(null);
@@ -352,7 +470,11 @@ public CompletableFuture<Boolean> initOnNodeStart() {
     }
 
     public boolean isAuditHotReloadingEnabled() {
-        return cl.isAuditConfigDocPresentInIndex();
+        if (settings.getAsBoolean(SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE, false)) {
+            return auditHotReloadingEnabled.get();
+        } else {
+            return cl.isAuditConfigDocPresentInIndex();
+        }
     }
 
     public static ConfigurationRepository create(
@@ -363,15 +485,20 @@ public static ConfigurationRepository create(
         ClusterService clusterService,
         AuditLog auditLog
     ) {
-        final ConfigurationRepository repository = new ConfigurationRepository(
+        final var securityIndex = settings.get(
+            ConfigConstants.SECURITY_CONFIG_INDEX_NAME,
+            ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX
+        );
+        return new ConfigurationRepository(
+            securityIndex,
             settings,
             configPath,
             threadPool,
             client,
             clusterService,
-            auditLog
+            auditLog,
+            new SecurityIndexHandler(securityIndex, settings, client)
         );
-        return repository;
     }
 
     public void setDynamicConfigFactory(DynamicConfigFactory dynamicConfigFactory) {
@@ -403,6 +530,10 @@ private boolean reloadConfiguration(final Collection<CType> configTypes, final b
             LOGGER.warn("Unable to reload configuration, initalization thread has not yet completed.");
             return false;
         }
+        return loadConfigurationWithLock(configTypes);
+    }
+
+    private boolean loadConfigurationWithLock(Collection<CType> configTypes) {
         try {
             if (LOCK.tryLock(60, TimeUnit.SECONDS)) {
                 try {
@@ -422,8 +553,12 @@ private boolean reloadConfiguration(final Collection<CType> configTypes, final b
 
     private void reloadConfiguration0(Collection<CType> configTypes, boolean acceptInvalid) {
         final Map<CType, SecurityDynamicConfiguration<?>> loaded = getConfigurationsFromIndex(configTypes, false, acceptInvalid);
-        configCache.putAll(loaded);
-        notifyAboutChanges(loaded);
+        notifyConfigurationListeners(loaded);
+    }
+
+    private void notifyConfigurationListeners(final Map<CType, SecurityDynamicConfiguration<?>> configuration) {
+        configCache.putAll(configuration);
+        notifyAboutChanges(configuration);
     }
 
     public synchronized void subscribeOnChange(ConfigurationChangeListener listener) {
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
index 90508840e7..83553f2de7 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/SecurityDynamicConfiguration.java
@@ -68,6 +68,11 @@ public static <T> SecurityDynamicConfiguration<T> empty() {
         return new SecurityDynamicConfiguration<T>();
     }
 
+    @JsonIgnore
+    public boolean notEmpty() {
+        return !centries.isEmpty();
+    }
+
     public static <T> SecurityDynamicConfiguration<T> fromJson(String json, CType ctype, int version, long seqNo, long primaryTerm)
         throws IOException {
         return fromJson(json, ctype, version, seqNo, primaryTerm, false);
diff --git a/src/main/java/org/opensearch/security/state/SecurityConfig.java b/src/main/java/org/opensearch/security/state/SecurityConfig.java
new file mode 100644
index 0000000000..f8de098365
--- /dev/null
+++ b/src/main/java/org/opensearch/security/state/SecurityConfig.java
@@ -0,0 +1,124 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.state;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.Objects;
+import java.util.Optional;
+
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.security.securityconf.impl.CType;
+
+import static java.time.format.DateTimeFormatter.ISO_INSTANT;
+
+public class SecurityConfig implements Writeable, ToXContent {
+
+    private final CType type;
+
+    private final Instant lastModified;
+
+    private final String hash;
+
+    public SecurityConfig(final CType type, final String hash, final Instant lastModified) {
+        this.type = type;
+        this.hash = hash;
+        this.lastModified = lastModified;
+    }
+
+    public SecurityConfig(final StreamInput in) throws IOException {
+        this.type = in.readEnum(CType.class);
+        this.hash = in.readString();
+        this.lastModified = in.readOptionalInstant();
+    }
+
+    public Optional<Instant> lastModified() {
+        return Optional.ofNullable(lastModified);
+    }
+
+    public CType type() {
+        return type;
+    }
+
+    public String hash() {
+        return hash;
+    }
+
+    @Override
+    public void writeTo(final StreamOutput out) throws IOException {
+        out.writeEnum(type);
+        out.writeString(hash);
+        out.writeOptionalInstant(lastModified);
+    }
+
+    @Override
+    public XContentBuilder toXContent(final XContentBuilder xContentBuilder, final Params params) throws IOException {
+        xContentBuilder.startObject(type.toLCString()).field("hash", hash);
+        if (lastModified != null) {
+            xContentBuilder.field("last_modified", ISO_INSTANT.format(lastModified));
+        } else {
+            xContentBuilder.nullField("last_modified");
+        }
+        return xContentBuilder.endObject();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        SecurityConfig that = (SecurityConfig) o;
+        return type == that.type && Objects.equals(lastModified, that.lastModified) && Objects.equals(hash, that.hash);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(type, lastModified, hash);
+    }
+
+    public final static class Builder {
+
+        private final CType type;
+
+        private Instant lastModified;
+
+        private String hash;
+
+        Builder(final SecurityConfig securityConfig) {
+            this.type = securityConfig.type;
+            this.lastModified = securityConfig.lastModified;
+            this.hash = securityConfig.hash;
+        }
+
+        public Builder withHash(final String hash) {
+            this.hash = hash;
+            return this;
+        }
+
+        public Builder withLastModified(final Instant lastModified) {
+            this.lastModified = lastModified;
+            return this;
+        }
+
+        public SecurityConfig build() {
+            return new SecurityConfig(type, hash, lastModified);
+        }
+
+    }
+
+    public static SecurityConfig.Builder from(final SecurityConfig securityConfig) {
+        return new SecurityConfig.Builder(securityConfig);
+    }
+
+}
diff --git a/src/main/java/org/opensearch/security/state/SecurityMetadata.java b/src/main/java/org/opensearch/security/state/SecurityMetadata.java
new file mode 100644
index 0000000000..f8e2e043fd
--- /dev/null
+++ b/src/main/java/org/opensearch/security/state/SecurityMetadata.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.state;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.Comparator;
+import java.util.Objects;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSortedSet;
+
+import org.opensearch.Version;
+import org.opensearch.cluster.AbstractNamedDiffable;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.NamedDiff;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import static java.time.format.DateTimeFormatter.ISO_INSTANT;
+
+public final class SecurityMetadata extends AbstractNamedDiffable<ClusterState.Custom> implements ClusterState.Custom {
+
+    public final static String TYPE = "security";
+
+    private final Instant created;
+
+    private final Set<SecurityConfig> configuration;
+
+    public SecurityMetadata(final Instant created, final Set<SecurityConfig> configuration) {
+        this.created = created;
+        this.configuration = configuration;
+    }
+
+    public SecurityMetadata(StreamInput in) throws IOException {
+        this.created = in.readInstant();
+        this.configuration = in.readSet(SecurityConfig::new);
+    }
+
+    public Instant created() {
+        return created;
+    }
+
+    public Set<SecurityConfig> configuration() {
+        return configuration;
+    }
+
+    @Override
+    public Version getMinimalSupportedVersion() {
+        return Version.CURRENT.minimumCompatibilityVersion();
+    }
+
+    @Override
+    public String getWriteableName() {
+        return TYPE;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeInstant(created);
+        out.writeCollection(configuration);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
+        xContentBuilder.field("created", ISO_INSTANT.format(created));
+        xContentBuilder.startObject("configuration");
+        for (final var securityConfig : configuration) {
+            securityConfig.toXContent(xContentBuilder, EMPTY_PARAMS);
+        }
+        return xContentBuilder.endObject();
+    }
+
+    public static NamedDiff<ClusterState.Custom> readDiffFrom(StreamInput in) throws IOException {
+        return readDiffFrom(ClusterState.Custom.class, TYPE, in);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        SecurityMetadata that = (SecurityMetadata) o;
+        return Objects.equals(created, that.created) && Objects.equals(configuration, that.configuration);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(created, configuration);
+    }
+
+    public final static class Builder {
+
+        private final Instant created;
+
+        private final ImmutableSet.Builder<SecurityConfig> configuration = new ImmutableSortedSet.Builder<>(
+            Comparator.comparing(SecurityConfig::type)
+        );
+
+        Builder(SecurityMetadata oldMetadata) {
+            this.created = oldMetadata.created;
+            this.configuration.addAll(oldMetadata.configuration);
+        }
+
+        public Builder withSecurityConfig(final SecurityConfig securityConfig) {
+            this.configuration.add(securityConfig);
+            return this;
+        }
+
+        public SecurityMetadata build() {
+            return new SecurityMetadata(created, configuration.build());
+        }
+
+    }
+
+    public static SecurityMetadata.Builder from(final SecurityMetadata securityMetadata) {
+        return new SecurityMetadata.Builder(securityMetadata);
+    }
+
+}
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index 3060e1b2dc..5169d02d20 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -220,9 +220,14 @@ public class ConfigConstants {
     public static final String SECURITY_NODES_DN = "plugins.security.nodes_dn";
     public static final String SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "plugins.security.nodes_dn_dynamic_config_enabled";
     public static final String SECURITY_DISABLED = "plugins.security.disabled";
+
     public static final String SECURITY_CACHE_TTL_MINUTES = "plugins.security.cache.ttl_minutes";
     public static final String SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "plugins.security.allow_unsafe_democertificates";
     public static final String SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "plugins.security.allow_default_init_securityindex";
+
+    public static final String SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE =
+        "plugins.security.allow_default_init_securityindex.use_cluster_state";
+
     public static final String SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST =
         "plugins.security.background_init_if_securityindex_not_exist";
 
diff --git a/src/main/java/org/opensearch/security/support/ConfigHelper.java b/src/main/java/org/opensearch/security/support/ConfigHelper.java
index 4f310f6af7..e8526478f2 100644
--- a/src/main/java/org/opensearch/security/support/ConfigHelper.java
+++ b/src/main/java/org/opensearch/security/support/ConfigHelper.java
@@ -57,6 +57,7 @@
 
 import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
 
+@Deprecated
 public class ConfigHelper {
 
     private static final Logger LOGGER = LogManager.getLogger(ConfigHelper.class);
diff --git a/src/main/java/org/opensearch/security/support/SecurityIndexHandler.java b/src/main/java/org/opensearch/security/support/SecurityIndexHandler.java
new file mode 100644
index 0000000000..1ed8a99614
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/SecurityIndexHandler.java
@@ -0,0 +1,233 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.support;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSortedSet;
+import com.google.common.hash.Hashing;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.action.DocWriteRequest;
+import org.opensearch.action.admin.indices.create.CreateIndexRequest;
+import org.opensearch.action.bulk.BulkRequest;
+import org.opensearch.action.get.MultiGetRequest;
+import org.opensearch.action.get.MultiGetResponse;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.support.WriteRequest;
+import org.opensearch.client.Client;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.state.SecurityConfig;
+
+import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
+import static org.opensearch.security.support.YamlConfigReader.emptyJsonConfigFor;
+import static org.opensearch.security.support.YamlConfigReader.yamlContentFor;
+
+public class SecurityIndexHandler {
+
+    private final static int MINIMUM_HASH_BITS = 128;
+
+    private static final Logger LOGGER = LogManager.getLogger(SecurityIndexHandler.class);
+
+    private final Settings settings;
+
+    private final Client client;
+
+    private final String indexName;
+
+    public SecurityIndexHandler(final String indexName, final Settings settings, final Client client) {
+        this.indexName = indexName;
+        this.settings = settings;
+        this.client = client;
+    }
+
+    public final static Map<String, Object> INDEX_SETTINGS = Map.of("index.number_of_shards", 1, "index.auto_expand_replicas", "0-all");
+
+    public void createIndex(ActionListener<Boolean> listener) {
+        try (final ThreadContext.StoredContext threadContext = client.threadPool().getThreadContext().stashContext()) {
+            client.admin()
+                .indices()
+                .create(
+                    new CreateIndexRequest(indexName).settings(INDEX_SETTINGS).waitForActiveShards(1),
+                    ActionListener.runBefore(ActionListener.wrap(r -> {
+                        if (r.isAcknowledged()) {
+                            listener.onResponse(true);
+                        } else listener.onFailure(new SecurityException("Couldn't create security index " + indexName));
+                    }, listener::onFailure), threadContext::restore)
+                );
+        }
+    }
+
+    public void uploadDefaultConfiguration(final Path configDir, final ActionListener<Set<SecurityConfig>> listener) {
+        try (final ThreadContext.StoredContext threadContext = client.threadPool().getThreadContext().stashContext()) {
+            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+                try {
+                    LOGGER.info("Uploading default security configuration from {}", configDir.toAbsolutePath());
+                    final var bulkRequest = new BulkRequest().setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
+                    final var configuration = new ImmutableSortedSet.Builder<>(Comparator.comparing(SecurityConfig::type));
+                    for (final var cType : CType.values()) {
+                        final var fileExists = Files.exists(cType.configFile(configDir));
+                        // Audit config is not packaged by default and while list is deprecated
+                        if ((cType == CType.AUDIT || cType == CType.WHITELIST) && !fileExists) continue;
+                        if (cType == CType.WHITELIST) {
+                            LOGGER.warn(
+                                "WHITELIST configuration type is deprecated and will be replaced with ALLOWLIST in the next major version"
+                            );
+                        }
+                        final var yamlContent = yamlContentFor(cType, configDir);
+                        final var hash = Hashing.goodFastHash(MINIMUM_HASH_BITS).hashBytes(yamlContent.toBytesRef().bytes);
+                        configuration.add(new SecurityConfig(cType, hash.toString(), null));
+                        bulkRequest.add(
+                            new IndexRequest(indexName).id(cType.toLCString())
+                                .opType(DocWriteRequest.OpType.INDEX)
+                                .source(cType.toLCString(), yamlContent)
+                        );
+                    }
+                    client.bulk(bulkRequest, ActionListener.runBefore(ActionListener.wrap(r -> {
+                        if (r.hasFailures()) {
+                            listener.onFailure(new SecurityException(r.buildFailureMessage()));
+                            return;
+                        }
+                        listener.onResponse(configuration.build());
+                    }, listener::onFailure), threadContext::restore));
+                } catch (final IOException ioe) {
+                    listener.onFailure(new SecurityException(ioe));
+                }
+                return null;
+            });
+        }
+    }
+
+    public void loadConfiguration(
+        final Set<SecurityConfig> configuration,
+        final ActionListener<Map<CType, SecurityDynamicConfiguration<?>>> listener
+    ) {
+        try (final ThreadContext.StoredContext threadContext = client.threadPool().getThreadContext().stashContext()) {
+            client.threadPool().getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
+            final var configurationTypes = configuration.stream().map(SecurityConfig::type).collect(Collectors.toUnmodifiableList());
+            client.multiGet(newMultiGetRequest(configurationTypes), ActionListener.runBefore(ActionListener.wrap(r -> {
+                final var cTypeConfigsBuilder = ImmutableMap.<CType, SecurityDynamicConfiguration<?>>builderWithExpectedSize(
+                    configuration.size()
+                );
+                var hasFailures = false;
+                for (final var item : r.getResponses()) {
+                    if (item.isFailed()) {
+                        listener.onFailure(new SecurityException(multiGetFailureMessage(item.getId(), item.getFailure())));
+                        hasFailures = true;
+                        break;
+                    }
+                    final var cType = CType.fromString(item.getId());
+                    final var cTypeResponse = item.getResponse();
+                    if (cTypeResponse.isExists() && !cTypeResponse.isSourceEmpty()) {
+                        final var config = buildDynamicConfiguration(
+                            cType,
+                            cTypeResponse.getSourceAsBytesRef(),
+                            cTypeResponse.getSeqNo(),
+                            cTypeResponse.getPrimaryTerm()
+                        );
+                        if (config.getVersion() != DEFAULT_CONFIG_VERSION) {
+                            listener.onFailure(
+                                new SecurityException("Version " + config.getVersion() + " is not supported for " + cType.name())
+                            );
+                            hasFailures = true;
+                            break;
+                        }
+                        cTypeConfigsBuilder.put(cType, config);
+                    } else {
+                        if (!cType.emptyIfMissing()) {
+                            listener.onFailure(new SecurityException("Missing required configuration for type: " + cType));
+                            hasFailures = true;
+                            break;
+                        }
+                        cTypeConfigsBuilder.put(
+                            cType,
+                            SecurityDynamicConfiguration.fromJson(
+                                emptyJsonConfigFor(cType),
+                                cType,
+                                DEFAULT_CONFIG_VERSION,
+                                cTypeResponse.getSeqNo(),
+                                cTypeResponse.getPrimaryTerm()
+                            )
+                        );
+                    }
+                }
+                if (!hasFailures) {
+                    listener.onResponse(cTypeConfigsBuilder.build());
+                }
+            }, listener::onFailure), threadContext::restore));
+        }
+    }
+
+    private MultiGetRequest newMultiGetRequest(final List<CType> configurationTypes) {
+        final var request = new MultiGetRequest().realtime(true).refresh(true);
+        for (final var cType : configurationTypes) {
+            request.add(indexName, cType.toLCString());
+        }
+        return request;
+    }
+
+    private SecurityDynamicConfiguration<?> buildDynamicConfiguration(
+        final CType cType,
+        final BytesReference bytesRef,
+        final long seqNo,
+        final long primaryTerm
+    ) {
+        try {
+            final var source = SecurityUtils.replaceEnvVars(configTypeSource(bytesRef.streamInput()), settings);
+            final var jsonNode = DefaultObjectMapper.readTree(source);
+            var version = 1;
+            if (jsonNode.has("_meta")) {
+                if (jsonNode.get("_meta").has("config_version")) {
+                    version = jsonNode.get("_meta").get("config_version").asInt();
+                }
+            }
+            return SecurityDynamicConfiguration.fromJson(source, cType, version, seqNo, primaryTerm);
+        } catch (IOException e) {
+            throw new SecurityException("Couldn't parse content for " + cType, e);
+        }
+    }
+
+    private String configTypeSource(final InputStream inputStream) throws IOException {
+        final var jsonContent = XContentType.JSON.xContent();
+        try (final var parser = jsonContent.createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, inputStream)) {
+            parser.nextToken();
+            parser.nextToken();
+            parser.nextToken();
+            return new String(parser.binaryValue(), StandardCharsets.UTF_8);
+        }
+    }
+
+    private String multiGetFailureMessage(final String cTypeId, final MultiGetResponse.Failure failure) {
+        return String.format("Failure %s retrieving configuration for %s (index=%s)", failure, cTypeId, indexName);
+    }
+
+}
diff --git a/src/main/java/org/opensearch/security/support/YamlConfigReader.java b/src/main/java/org/opensearch/security/support/YamlConfigReader.java
new file mode 100644
index 0000000000..237e5b5bfb
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/YamlConfigReader.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.support;
+
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.Meta;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+
+import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
+
+/**
+ * Read YAML security config files
+ */
+public final class YamlConfigReader {
+
+    private static final Logger LOGGER = LogManager.getLogger(YamlConfigReader.class);
+
+    public static BytesReference yamlContentFor(final CType cType, final Path configDir) throws IOException {
+        final var yamlXContent = XContentType.YAML.xContent();
+        try (
+            final var r = newReader(cType, configDir);
+            final var parser = yamlXContent.createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, r)
+        ) {
+            parser.nextToken();
+            try (final var xContentBuilder = XContentFactory.jsonBuilder()) {
+                xContentBuilder.copyCurrentStructure(parser);
+                final var bytesRef = BytesReference.bytes(xContentBuilder);
+                validateYamlContent(cType, bytesRef.streamInput());
+                return bytesRef;
+            }
+        }
+    }
+
+    public static Reader newReader(final CType cType, final Path configDir) throws IOException {
+        final var cTypeFile = cType.configFile(configDir);
+        final var fileExists = Files.exists(cTypeFile);
+        if (!fileExists && !cType.emptyIfMissing()) {
+            throw new IOException("Couldn't find configuration file " + cTypeFile.getFileName());
+        }
+        if (fileExists) {
+            LOGGER.info("Reading {} configuration from {}", cType, cTypeFile.getFileName());
+            return new FileReader(cTypeFile.toFile(), StandardCharsets.UTF_8);
+        } else {
+            LOGGER.info("Reading empty {} configuration", cType);
+            return new StringReader(emptyYamlConfigFor(cType));
+        }
+    }
+
+    private static SecurityDynamicConfiguration<?> emptyConfigFor(final CType cType) {
+        final var emptyConfiguration = SecurityDynamicConfiguration.empty();
+        emptyConfiguration.setCType(cType);
+        emptyConfiguration.set_meta(new Meta());
+        emptyConfiguration.get_meta().setConfig_version(DEFAULT_CONFIG_VERSION);
+        emptyConfiguration.get_meta().setType(cType.toLCString());
+        return emptyConfiguration;
+    }
+
+    public static String emptyJsonConfigFor(final CType cType) throws IOException {
+        return DefaultObjectMapper.writeValueAsString(emptyConfigFor(cType), false);
+    }
+
+    public static String emptyYamlConfigFor(final CType cType) throws IOException {
+        return DefaultObjectMapper.YAML_MAPPER.writeValueAsString(emptyConfigFor(cType));
+    }
+
+    private static void validateYamlContent(final CType cType, final InputStream in) throws IOException {
+        SecurityDynamicConfiguration.fromNode(DefaultObjectMapper.YAML_MAPPER.readTree(in), cType, DEFAULT_CONFIG_VERSION, -1, -1);
+    }
+
+}
diff --git a/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java b/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
index 5ce1873405..30cbbe6a01 100644
--- a/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
+++ b/src/test/java/org/opensearch/security/configuration/ConfigurationRepositoryTest.java
@@ -13,22 +13,37 @@
 
 import java.io.IOException;
 import java.nio.file.Path;
+import java.time.Instant;
+import java.util.Map;
+import java.util.Set;
 
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.runner.RunWith;
 
 import org.opensearch.client.Client;
+import org.opensearch.cluster.ClusterChangedEvent;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.cluster.ClusterStateUpdateTask;
+import org.opensearch.cluster.metadata.Metadata;
+import org.opensearch.cluster.node.DiscoveryNodes;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.Priority;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.state.SecurityConfig;
+import org.opensearch.security.state.SecurityMetadata;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.SecurityIndexHandler;
 import org.opensearch.security.transport.SecurityInterceptorTests;
 import org.opensearch.threadpool.ThreadPool;
 
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
+import org.mockito.junit.MockitoJUnitRunner;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
@@ -36,7 +51,22 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.anyString;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.doCallRealMethod;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.reset;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
 
+@RunWith(MockitoJUnitRunner.class)
 public class ConfigurationRepositoryTest {
 
     @Mock
@@ -50,21 +80,44 @@ public class ConfigurationRepositoryTest {
 
     private ThreadPool threadPool;
 
+    @Mock
+    private SecurityIndexHandler securityIndexHandler;
+
+    @Mock
+    private ClusterChangedEvent event;
+
     @Before
     public void setUp() {
-        MockitoAnnotations.openMocks(this);
-
         Settings settings = Settings.builder()
             .put("node.name", SecurityInterceptorTests.class.getSimpleName())
             .put("request.headers.default", "1")
             .build();
 
         threadPool = new ThreadPool(settings);
+
+        final var previousState = mock(ClusterState.class);
+        final var previousDiscoveryNodes = mock(DiscoveryNodes.class);
+        when(previousState.nodes()).thenReturn(previousDiscoveryNodes);
+        when(event.previousState()).thenReturn(previousState);
+
+        final var newState = mock(ClusterState.class);
+        when(event.state()).thenReturn(newState);
+        when(event.state().metadata()).thenReturn(mock(Metadata.class));
+
+        when(event.state().custom(SecurityMetadata.TYPE)).thenReturn(null);
     }
 
     private ConfigurationRepository createConfigurationRepository(Settings settings) {
-
-        return ConfigurationRepository.create(settings, path, threadPool, localClient, clusterService, auditLog);
+        return new ConfigurationRepository(
+            settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX),
+            settings,
+            path,
+            threadPool,
+            localClient,
+            clusterService,
+            auditLog,
+            securityIndexHandler
+        );
     }
 
     @Test
@@ -77,7 +130,7 @@ public void create_shouldReturnConfigurationRepository() {
 
     @Test
     public void initOnNodeStart_withSecurityIndexCreationEnabledShouldSetInstallDefaultConfigTrue() {
-        Settings settings = Settings.builder().put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true).build();
+        Settings settings = Settings.builder().put(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true).build();
 
         ConfigurationRepository configRepository = createConfigurationRepository(settings);
 
@@ -111,4 +164,129 @@ public void getConfiguration_withInvalidConfigurationShouldReturnNewEmptyConfigu
         assertThat(config.getSeqNo(), is(equalTo(emptyConfig.getSeqNo())));
         assertThat(config, is(not(equalTo(emptyConfig))));
     }
+
+    @Test
+    public void testClusterChanged_shouldInitSecurityIndexIfNoSecurityData() {
+        when(event.previousState().nodes().isLocalNodeElectedClusterManager()).thenReturn(false);
+        when(event.localNodeClusterManager()).thenReturn(true);
+
+        final var configurationRepository = mock(ConfigurationRepository.class);
+        doCallRealMethod().when(configurationRepository).clusterChanged(any());
+        configurationRepository.clusterChanged(event);
+
+        verify(configurationRepository).initSecurityIndex(any());
+    }
+
+    @Test
+    public void testClusterChanged_shouldExecuteInitialization() {
+        when(event.state().custom(SecurityMetadata.TYPE)).thenReturn(new SecurityMetadata(Instant.now(), Set.of()));
+
+        final var configurationRepository = mock(ConfigurationRepository.class);
+        doCallRealMethod().when(configurationRepository).clusterChanged(any());
+        configurationRepository.clusterChanged(event);
+
+        verify(configurationRepository).executeConfigurationInitialization(any());
+    }
+
+    @Test
+    public void testClusterChanged_shouldNotExecuteInitialization() {
+        final var configurationRepository = mock(ConfigurationRepository.class);
+        doCallRealMethod().when(configurationRepository).clusterChanged(any());
+        configurationRepository.clusterChanged(event);
+
+        verify(configurationRepository, never()).executeConfigurationInitialization(any());
+    }
+
+    @Test
+    public void testInitSecurityIndex_shouldCreateIndexAndUploadConfiguration() throws Exception {
+        System.setProperty("security.default_init.dir", Path.of(".").toString());
+        ConfigurationRepository configRepository = createConfigurationRepository(Settings.EMPTY);
+
+        doAnswer(invocation -> {
+            @SuppressWarnings("unchecked")
+            final var listener = (ActionListener<Boolean>) invocation.getArgument(0);
+            listener.onResponse(true);
+            return null;
+        }).when(securityIndexHandler).createIndex(any());
+        doAnswer(invocation -> {
+            @SuppressWarnings("unchecked")
+            final var listener = (ActionListener<Set<SecurityConfig>>) invocation.getArgument(1);
+            listener.onResponse(Set.of(new SecurityConfig(CType.CONFIG, "aaa", null)));
+            return null;
+        }).when(securityIndexHandler).uploadDefaultConfiguration(any(), any());
+        when(event.state().metadata().hasIndex(OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX)).thenReturn(false);
+        configRepository.initSecurityIndex(event);
+
+        final var clusterStateUpdateTaskCaptor = ArgumentCaptor.forClass(ClusterStateUpdateTask.class);
+        verify(securityIndexHandler).createIndex(any());
+        verify(securityIndexHandler).uploadDefaultConfiguration(any(), any());
+        verify(clusterService).submitStateUpdateTask(anyString(), clusterStateUpdateTaskCaptor.capture());
+        verifyNoMoreInteractions(clusterService, securityIndexHandler);
+
+        assertClusterState(clusterStateUpdateTaskCaptor);
+    }
+
+    @Test
+    public void testInitSecurityIndex_shouldUploadConfigIfIndexCreated() throws Exception {
+        System.setProperty("security.default_init.dir", Path.of(".").toString());
+
+        doAnswer(invocation -> {
+            @SuppressWarnings("unchecked")
+            final var listener = (ActionListener<Set<SecurityConfig>>) invocation.getArgument(1);
+            listener.onResponse(Set.of(new SecurityConfig(CType.CONFIG, "aaa", null)));
+            return null;
+        }).when(securityIndexHandler).uploadDefaultConfiguration(any(), any());
+
+        when(event.state().metadata().hasIndex(OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX)).thenReturn(true);
+
+        ConfigurationRepository configRepository = createConfigurationRepository(Settings.EMPTY);
+        configRepository.initSecurityIndex(event);
+
+        final var clusterStateUpdateTaskCaptor = ArgumentCaptor.forClass(ClusterStateUpdateTask.class);
+
+        verify(event.state().metadata()).hasIndex(OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+        verify(clusterService).submitStateUpdateTask(anyString(), clusterStateUpdateTaskCaptor.capture());
+        verify(securityIndexHandler, never()).createIndex(any());
+        verify(securityIndexHandler).uploadDefaultConfiguration(any(), any());
+        verifyNoMoreInteractions(securityIndexHandler, clusterService);
+
+        assertClusterState(clusterStateUpdateTaskCaptor);
+    }
+
+    @Test
+    public void testExecuteConfigurationInitialization_executeInitializationOnlyOnce() throws Exception {
+        doAnswer(invocation -> {
+            @SuppressWarnings("unchecked")
+            final var listener = (ActionListener<Map<CType, SecurityDynamicConfiguration<?>>>) invocation.getArgument(1);
+            listener.onResponse(Map.of());
+            return null;
+        }).when(securityIndexHandler).loadConfiguration(any(), any());
+
+        ConfigurationRepository configRepository = createConfigurationRepository(Settings.EMPTY);
+        configRepository.executeConfigurationInitialization(
+            new SecurityMetadata(Instant.now(), Set.of(new SecurityConfig(CType.CONFIG, "aaa", null)))
+        ).get();
+
+        verify(securityIndexHandler).loadConfiguration(any(), any());
+        verifyNoMoreInteractions(securityIndexHandler);
+
+        reset(securityIndexHandler);
+
+        configRepository.executeConfigurationInitialization(
+            new SecurityMetadata(Instant.now(), Set.of(new SecurityConfig(CType.CONFIG, "aaa", null)))
+        ).get();
+
+        verify(securityIndexHandler, never()).loadConfiguration(any(), any());
+        verifyNoMoreInteractions(securityIndexHandler);
+    }
+
+    void assertClusterState(final ArgumentCaptor<ClusterStateUpdateTask> clusterStateUpdateTaskCaptor) throws Exception {
+        final var initializedStateUpdate = clusterStateUpdateTaskCaptor.getValue();
+        assertEquals(Priority.IMMEDIATE, initializedStateUpdate.priority());
+        var clusterState = initializedStateUpdate.execute(ClusterState.EMPTY_STATE);
+        SecurityMetadata securityMetadata = clusterState.custom(SecurityMetadata.TYPE);
+        assertNotNull(securityMetadata.created());
+        assertNotNull(securityMetadata.configuration());
+    }
+
 }
diff --git a/src/test/java/org/opensearch/security/state/SecurityMetadataSerializationTestCase.java b/src/test/java/org/opensearch/security/state/SecurityMetadataSerializationTestCase.java
new file mode 100644
index 0000000000..c52f37cf54
--- /dev/null
+++ b/src/test/java/org/opensearch/security/state/SecurityMetadataSerializationTestCase.java
@@ -0,0 +1,154 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.state;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.List;
+
+import com.carrotsearch.randomizedtesting.RandomizedContext;
+import com.carrotsearch.randomizedtesting.RandomizedRunner;
+import com.carrotsearch.randomizedtesting.RandomizedTest;
+import com.google.common.collect.ImmutableSortedSet;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.Version;
+import org.opensearch.cluster.ClusterState;
+import org.opensearch.common.io.stream.BytesStreamOutput;
+import org.opensearch.core.common.io.stream.NamedWriteableAwareStreamInput;
+import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.test.DiffableTestUtils;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+
+@RunWith(RandomizedRunner.class)
+public class SecurityMetadataSerializationTestCase extends RandomizedTest {
+
+    protected ClusterState.Custom createTestInstance() {
+        final var configuration = new ImmutableSortedSet.Builder<>(Comparator.comparing(SecurityConfig::type));
+        for (final var c : CType.values()) {
+            configuration.add(new SecurityConfig(c, randomAsciiAlphanumOfLength(128), null));
+        }
+        return new SecurityMetadata(randomInstant(), configuration.build());
+    }
+
+    protected ClusterState.Custom makeTestChanges(ClusterState.Custom custom) {
+        final var securityMetadata = (SecurityMetadata) custom;
+
+        if (randomBoolean()) {
+            final var configuration = securityMetadata.configuration();
+            int leaveElements = randomIntBetween(0, configuration.size() - 1);
+            final var randomConfigs = randomSubsetOf(leaveElements, configuration);
+            final var securityMetadataBuilder = SecurityMetadata.from(securityMetadata);
+            for (final var config : randomConfigs) {
+                securityMetadataBuilder.withSecurityConfig(
+                    SecurityConfig.from(config).withLastModified(randomInstant()).withHash(randomAsciiAlphanumOfLength(128)).build()
+                );
+            }
+            return securityMetadataBuilder.build();
+        }
+
+        return securityMetadata;
+    }
+
+    public static <T> List<T> randomSubsetOf(int size, Collection<T> collection) {
+        if (size > collection.size()) {
+            throw new IllegalArgumentException(
+                "Can't pick " + size + " random objects from a collection of " + collection.size() + " objects"
+            );
+        }
+        List<T> tempList = new ArrayList<>(collection);
+        Collections.shuffle(tempList, RandomizedContext.current().getRandom());
+        return tempList.subList(0, size);
+    }
+
+    protected Instant randomInstant() {
+        return Instant.ofEpochSecond(randomLongBetween(0L, 3000000000L), randomLongBetween(0L, 999999999L));
+    }
+
+    @Test
+    public void testSerialization() throws IOException {
+        for (int runs = 0; runs < 20; runs++) {
+            ClusterState.Custom testInstance = createTestInstance();
+            assertSerialization(testInstance);
+        }
+    }
+
+    void assertSerialization(ClusterState.Custom testInstance) throws IOException {
+        assertSerialization(testInstance, Version.CURRENT);
+    }
+
+    void assertSerialization(ClusterState.Custom testInstance, Version version) throws IOException {
+        ClusterState.Custom deserializedInstance = copyInstance(testInstance, version);
+        assertEqualInstances(testInstance, deserializedInstance);
+    }
+
+    void assertEqualInstances(ClusterState.Custom expectedInstance, ClusterState.Custom newInstance) {
+        assertNotSame(newInstance, expectedInstance);
+        assertEquals(expectedInstance, newInstance);
+        assertEquals(expectedInstance.hashCode(), newInstance.hashCode());
+    }
+
+    @Test
+    public void testDiffableSerialization() throws IOException {
+        DiffableTestUtils.testDiffableSerialization(
+            this::createTestInstance,
+            this::makeTestChanges,
+            getNamedWriteableRegistry(),
+            SecurityMetadata::new,
+            SecurityMetadata::readDiffFrom
+        );
+    }
+
+    protected NamedWriteableRegistry getNamedWriteableRegistry() {
+        return new NamedWriteableRegistry(Collections.emptyList());
+    }
+
+    protected final ClusterState.Custom copyInstance(ClusterState.Custom instance, Version version) throws IOException {
+        return copyWriteable(instance, getNamedWriteableRegistry(), SecurityMetadata::new, version);
+    }
+
+    public static <T extends Writeable> T copyWriteable(
+        T original,
+        NamedWriteableRegistry namedWriteableRegistry,
+        Writeable.Reader<T> reader,
+        Version version
+    ) throws IOException {
+        return copyInstance(original, namedWriteableRegistry, (out, value) -> value.writeTo(out), reader, version);
+    }
+
+    protected static <T> T copyInstance(
+        T original,
+        NamedWriteableRegistry namedWriteableRegistry,
+        Writeable.Writer<T> writer,
+        Writeable.Reader<T> reader,
+        Version version
+    ) throws IOException {
+        try (BytesStreamOutput output = new BytesStreamOutput()) {
+            output.setVersion(version);
+            writer.write(output, original);
+            try (StreamInput in = new NamedWriteableAwareStreamInput(output.bytes().streamInput(), namedWriteableRegistry)) {
+                in.setVersion(version);
+                return reader.read(in);
+            }
+        }
+    }
+
+}
diff --git a/src/test/java/org/opensearch/security/support/ConfigReaderTest.java b/src/test/java/org/opensearch/security/support/ConfigReaderTest.java
new file mode 100644
index 0000000000..189b92ff68
--- /dev/null
+++ b/src/test/java/org/opensearch/security/support/ConfigReaderTest.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security.support;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.securityconf.impl.CType;
+
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+
+public class ConfigReaderTest {
+
+    @ClassRule
+    public static TemporaryFolder folder = new TemporaryFolder();
+
+    private static File configDir;
+
+    @BeforeClass
+    public static void createConfigFile() throws IOException {
+        configDir = folder.newFolder("config");
+    }
+
+    @Test
+    public void testThrowsIOExceptionForMandatoryCTypes() {
+        for (final var cType : CType.REQUIRED_CONFIG_FILES) {
+            assertThrows(IOException.class, () -> YamlConfigReader.newReader(cType, configDir.toPath()));
+        }
+    }
+
+    @Test
+    public void testCreateReaderForNonMandatoryCTypes() throws IOException {
+        final var yamlMapper = DefaultObjectMapper.YAML_MAPPER;
+        for (final var cType : CType.NOT_REQUIRED_CONFIG_FILES) {
+            try (final var reader = new BufferedReader(YamlConfigReader.newReader(cType, configDir.toPath()))) {
+                final var emptyYaml = yamlMapper.readTree(reader);
+                assertTrue(emptyYaml.has("_meta"));
+
+                final var meta = emptyYaml.get("_meta");
+                assertEquals(cType.toLCString(), meta.get("type").asText());
+                assertEquals(DEFAULT_CONFIG_VERSION, meta.get("config_version").asInt());
+            }
+        }
+    }
+
+}
diff --git a/src/test/java/org/opensearch/security/support/SecurityIndexHandlerTest.java b/src/test/java/org/opensearch/security/support/SecurityIndexHandlerTest.java
new file mode 100644
index 0000000000..170f0a9853
--- /dev/null
+++ b/src/test/java/org/opensearch/security/support/SecurityIndexHandlerTest.java
@@ -0,0 +1,510 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+
+package org.opensearch.security.support;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+import java.util.Set;
+
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.junit.runner.RunWith;
+
+import org.opensearch.action.DocWriteRequest;
+import org.opensearch.action.admin.indices.create.CreateIndexRequest;
+import org.opensearch.action.admin.indices.create.CreateIndexResponse;
+import org.opensearch.action.bulk.BulkItemResponse;
+import org.opensearch.action.bulk.BulkRequest;
+import org.opensearch.action.bulk.BulkResponse;
+import org.opensearch.action.get.GetResponse;
+import org.opensearch.action.get.MultiGetItemResponse;
+import org.opensearch.action.get.MultiGetRequest;
+import org.opensearch.action.get.MultiGetResponse;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.support.ActiveShardCount;
+import org.opensearch.client.AdminClient;
+import org.opensearch.client.Client;
+import org.opensearch.client.IndicesAdminClient;
+import org.opensearch.common.CheckedSupplier;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.common.bytes.BytesArray;
+import org.opensearch.index.get.GetResult;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.state.SecurityConfig;
+import org.opensearch.threadpool.ThreadPool;
+
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.opensearch.security.configuration.ConfigurationRepository.DEFAULT_CONFIG_VERSION;
+import static org.opensearch.security.support.YamlConfigReader.emptyYamlConfigFor;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.isA;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class SecurityIndexHandlerTest {
+
+    final static String INDEX_NAME = "some_index";
+
+    final static String CONFIG_YAML = "_meta: \n"
+        + "  type: \"config\"\n"
+        + "  config_version: 2\n"
+        + "config:\n"
+        + "  dynamic:\n"
+        + "    http:\n"
+        + "      anonymous_auth_enabled: false\n";
+
+    final static String USERS_YAML = "_meta:\n"
+        + "  type: \"internalusers\"\n"
+        + "  config_version: 2\n"
+        + "admin:\n"
+        + "  hash: \"$2y$12$erlkZeSv7eRMa1vs3UgDl.xoqu1P9GY94Toj1BwdvJiq7eKTOjQjS\"\n"
+        + "  reserved: true\n"
+        + "  backend_roles:\n"
+        + "  - \"admin\"\n"
+        + "  description: \"Some admin user\"\n";
+
+    final static String ROLES_YAML = "_meta:\n" + "  type: \"roles\"\n" + "  config_version: 2\n" + "some_role:\n" + "  reserved: true\n";
+
+    final static String ROLES_MAPPING_YAML = "_meta:\n"
+        + " type: \"rolesmapping\"\n"
+        + " config_version: 2\n"
+        + "all_access: \n"
+        + " reserved: false\n";
+
+    static final Map<CType, CheckedSupplier<String, IOException>> YAML = Map.of(
+        CType.ACTIONGROUPS,
+        () -> emptyYamlConfigFor(CType.ACTIONGROUPS),
+        CType.ALLOWLIST,
+        () -> emptyYamlConfigFor(CType.ALLOWLIST),
+        CType.AUDIT,
+        () -> emptyYamlConfigFor(CType.AUDIT),
+        CType.CONFIG,
+        () -> CONFIG_YAML,
+        CType.INTERNALUSERS,
+        () -> USERS_YAML,
+        CType.NODESDN,
+        () -> emptyYamlConfigFor(CType.NODESDN),
+        CType.ROLES,
+        () -> ROLES_YAML,
+        CType.ROLESMAPPING,
+        () -> ROLES_MAPPING_YAML,
+        CType.TENANTS,
+        () -> emptyYamlConfigFor(CType.TENANTS),
+        CType.WHITELIST,
+        () -> emptyYamlConfigFor(CType.WHITELIST)
+    );
+
+    @Rule
+    public TemporaryFolder temporaryFolder = new TemporaryFolder();
+
+    @Mock
+    private Client client;
+
+    @Mock
+    private ThreadPool threadPool;
+
+    @Mock
+    private IndicesAdminClient indicesAdminClient;
+
+    private Path configFolder;
+
+    private ThreadContext threadContext;
+
+    private SecurityIndexHandler securityIndexHandler;
+
+    @Before
+    public void setupClient() throws IOException {
+        when(client.admin()).thenReturn(mock(AdminClient.class));
+        when(client.admin().indices()).thenReturn(indicesAdminClient);
+        when(client.threadPool()).thenReturn(threadPool);
+        threadContext = new ThreadContext(Settings.EMPTY);
+        when(client.threadPool()).thenReturn(threadPool);
+        when(threadPool.getThreadContext()).thenReturn(threadContext);
+        configFolder = temporaryFolder.newFolder("config").toPath();
+        securityIndexHandler = new SecurityIndexHandler(INDEX_NAME, Settings.EMPTY, client);
+    }
+
+    @Test
+    public void testCreateIndex_shouldCreateIndex() {
+        doAnswer(invocation -> {
+            ActionListener<CreateIndexResponse> actionListener = invocation.getArgument(1);
+            actionListener.onResponse(new CreateIndexResponse(true, true, "some_index"));
+            return null;
+        }).when(indicesAdminClient).create(any(), any());
+
+        securityIndexHandler.createIndex(ActionListener.wrap(Assert::assertTrue, Assert::assertNull));
+
+        final var requestCaptor = ArgumentCaptor.forClass(CreateIndexRequest.class);
+
+        verify(indicesAdminClient).create(requestCaptor.capture(), any());
+
+        final var createRequest = requestCaptor.getValue();
+        assertEquals(INDEX_NAME, createRequest.index());
+        for (final var setting : SecurityIndexHandler.INDEX_SETTINGS.entrySet())
+            assertEquals(setting.getValue().toString(), createRequest.settings().get(setting.getKey()));
+
+        assertEquals(ActiveShardCount.ONE, createRequest.waitForActiveShards());
+    }
+
+    @Test
+    public void testCreateIndex_shouldReturnSecurityExceptionIfItCanNotCreateIndex() {
+
+        final var listener = spy(ActionListener.<Boolean>wrap(r -> fail("Unexpected behave"), e -> {
+            assertEquals(SecurityException.class, e.getClass());
+            assertEquals("Couldn't create security index " + INDEX_NAME, e.getMessage());
+        }));
+
+        doAnswer(invocation -> {
+            ActionListener<CreateIndexResponse> actionListener = invocation.getArgument(1);
+            actionListener.onResponse(new CreateIndexResponse(false, false, "some_index"));
+            return null;
+        }).when(indicesAdminClient).create(any(), any());
+
+        securityIndexHandler.createIndex(listener);
+
+        verify(indicesAdminClient).create(isA(CreateIndexRequest.class), any());
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testUploadDefaultConfiguration_shouldFailIfRequiredConfigFilesAreMissing() {
+        final var listener = spy(ActionListener.<Set<SecurityConfig>>wrap(r -> fail("Unexpected behave"), e -> {
+            assertEquals(SecurityException.class, e.getClass());
+            assertThat(e.getMessage(), containsString("Couldn't find configuration file"));
+        }));
+        securityIndexHandler.uploadDefaultConfiguration(configFolder, listener);
+
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testUploadDefaultConfiguration_shouldFailIfBulkHasFailures() throws IOException {
+        final var failedBulkResponse = new BulkResponse(
+            new BulkItemResponse[] {
+                new BulkItemResponse(1, DocWriteRequest.OpType.CREATE, new BulkItemResponse.Failure("a", "b", new Exception())) },
+            100L
+        );
+        final var listener = spy(ActionListener.<Set<SecurityConfig>>wrap(r -> fail("Unexpected behave"), e -> {
+            assertEquals(SecurityException.class, e.getClass());
+            assertEquals(e.getMessage(), failedBulkResponse.buildFailureMessage());
+        }));
+        doAnswer(invocation -> {
+            ActionListener<BulkResponse> actionListener = invocation.getArgument(1);
+            actionListener.onResponse(failedBulkResponse);
+            return null;
+        }).when(client).bulk(any(BulkRequest.class), any());
+        for (final var c : CType.REQUIRED_CONFIG_FILES) {
+            try (final var io = Files.newBufferedWriter(c.configFile(configFolder))) {
+                io.write(YAML.get(c).get());
+                io.flush();
+            }
+        }
+        securityIndexHandler.uploadDefaultConfiguration(configFolder, listener);
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testUploadDefaultConfiguration_shouldCreateSetOfSecurityConfigs() throws IOException {
+
+        final var listener = spy(ActionListener.<Set<SecurityConfig>>wrap(configuration -> {
+            for (final var sc : configuration) {
+                assertTrue(sc.lastModified().isEmpty());
+                assertNotNull(sc.hash());
+            }
+        }, e -> fail("Unexpected behave")));
+
+        for (final var c : CType.REQUIRED_CONFIG_FILES) {
+            try (final var io = Files.newBufferedWriter(c.configFile(configFolder))) {
+                final var source = YAML.get(c).get();
+                io.write(source);
+                io.flush();
+            }
+        }
+
+        final var bulkRequestCaptor = ArgumentCaptor.forClass(BulkRequest.class);
+
+        doAnswer(invocation -> {
+            ActionListener<BulkResponse> actionListener = invocation.getArgument(1);
+            final var r = mock(BulkResponse.class);
+            when(r.hasFailures()).thenReturn(false);
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).bulk(bulkRequestCaptor.capture(), any());
+        securityIndexHandler.uploadDefaultConfiguration(configFolder, listener);
+
+        final var bulkRequest = bulkRequestCaptor.getValue();
+        for (final var r : bulkRequest.requests()) {
+            final var indexRequest = (IndexRequest) r;
+            assertEquals(INDEX_NAME, r.index());
+            assertEquals(DocWriteRequest.OpType.INDEX, indexRequest.opType());
+        }
+        verify(listener).onResponse(any());
+    }
+
+    @Test
+    public void testUploadDefaultConfiguration_shouldSkipAudit() throws IOException {
+        final var listener = spy(
+            ActionListener.<Set<SecurityConfig>>wrap(
+                configuration -> assertFalse(configuration.stream().anyMatch(sc -> sc.type() == CType.AUDIT)),
+                e -> fail("Unexpected behave")
+            )
+        );
+
+        for (final var c : CType.REQUIRED_CONFIG_FILES) {
+            if (c == CType.AUDIT) continue;
+            try (final var io = Files.newBufferedWriter(c.configFile(configFolder))) {
+                final var source = YAML.get(c).get();
+                io.write(source);
+                io.flush();
+            }
+        }
+        doAnswer(invocation -> {
+            ActionListener<BulkResponse> actionListener = invocation.getArgument(1);
+            final var r = mock(BulkResponse.class);
+            when(r.hasFailures()).thenReturn(false);
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).bulk(any(BulkRequest.class), any());
+
+        securityIndexHandler.uploadDefaultConfiguration(configFolder, listener);
+        verify(listener).onResponse(any());
+    }
+
+    @Test
+    public void testUploadDefaultConfiguration_shouldSkipWhitelist() throws IOException {
+        final var listener = spy(
+            ActionListener.<Set<SecurityConfig>>wrap(
+                configuration -> assertFalse(configuration.stream().anyMatch(sc -> sc.type() == CType.WHITELIST)),
+                e -> fail("Unexpected behave")
+            )
+        );
+
+        for (final var c : CType.REQUIRED_CONFIG_FILES) {
+            if (c == CType.WHITELIST) continue;
+            try (final var io = Files.newBufferedWriter(c.configFile(configFolder))) {
+                final var source = YAML.get(c).get();
+                io.write(source);
+                io.flush();
+            }
+        }
+        doAnswer(invocation -> {
+            ActionListener<BulkResponse> actionListener = invocation.getArgument(1);
+            final var r = mock(BulkResponse.class);
+            when(r.hasFailures()).thenReturn(false);
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).bulk(any(BulkRequest.class), any());
+
+        securityIndexHandler.uploadDefaultConfiguration(configFolder, listener);
+        verify(listener).onResponse(any());
+    }
+
+    @Test
+    public void testLoadConfiguration_shouldFailIfResponseHasFailures() {
+        final var listener = spy(
+            ActionListener.<Map<CType, SecurityDynamicConfiguration<?>>>wrap(
+                r -> fail("Unexpected behave"),
+                e -> assertEquals(SecurityException.class, e.getClass())
+            )
+        );
+
+        doAnswer(invocation -> {
+            ActionListener<MultiGetResponse> actionListener = invocation.getArgument(1);
+            final var r = mock(MultiGetResponse.class);
+            final var mr = mock(MultiGetItemResponse.class);
+            when(mr.isFailed()).thenReturn(true);
+            when(mr.getFailure()).thenReturn(new MultiGetResponse.Failure("a", "id", new Exception()));
+            when(r.getResponses()).thenReturn(new MultiGetItemResponse[] { mr });
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).multiGet(any(MultiGetRequest.class), any());
+
+        securityIndexHandler.loadConfiguration(configuration(), listener);
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testLoadConfiguration_shouldFailIfNoRequiredConfigInResponse() {
+        final var listener = spy(
+            ActionListener.<Map<CType, SecurityDynamicConfiguration<?>>>wrap(
+                r -> fail("Unexpected behave"),
+                e -> assertEquals("Missing required configuration for type: CONFIG", e.getMessage())
+            )
+        );
+        doAnswer(invocation -> {
+            ActionListener<MultiGetResponse> actionListener = invocation.getArgument(1);
+            final var getResult = mock(GetResult.class);
+            final var r = new MultiGetResponse(new MultiGetItemResponse[] { new MultiGetItemResponse(new GetResponse(getResult), null) });
+            when(getResult.getId()).thenReturn(CType.CONFIG.toLCString());
+            when(getResult.isExists()).thenReturn(false);
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).multiGet(any(MultiGetRequest.class), any());
+
+        securityIndexHandler.loadConfiguration(configuration(), listener);
+
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testLoadConfiguration_shouldFailForUnsupportedVersion() {
+        final var listener = spy(
+            ActionListener.<Map<CType, SecurityDynamicConfiguration<?>>>wrap(
+                r -> fail("Unexpected behave"),
+                e -> assertEquals("Version 1 is not supported for CONFIG", e.getMessage())
+            )
+        );
+        doAnswer(invocation -> {
+
+            final var objectMapper = DefaultObjectMapper.objectMapper;
+
+            ActionListener<MultiGetResponse> actionListener = invocation.getArgument(1);
+            final var getResult = mock(GetResult.class);
+            final var r = new MultiGetResponse(new MultiGetItemResponse[] { new MultiGetItemResponse(new GetResponse(getResult), null) });
+            when(getResult.getId()).thenReturn(CType.CONFIG.toLCString());
+            when(getResult.isExists()).thenReturn(true);
+
+            final var oldVersionJson = objectMapper.createObjectNode()
+                .set("opendistro_security", objectMapper.createObjectNode().set("dynamic", objectMapper.createObjectNode()))
+                .toString()
+                .getBytes(StandardCharsets.UTF_8);
+            final var configResponse = objectMapper.createObjectNode().put(CType.CONFIG.toLCString(), oldVersionJson);
+            final var source = objectMapper.writeValueAsBytes(configResponse);
+            when(getResult.sourceRef()).thenReturn(new BytesArray(source, 0, source.length));
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).multiGet(any(MultiGetRequest.class), any());
+        securityIndexHandler.loadConfiguration(configuration(), listener);
+
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testLoadConfiguration_shouldFailForUnparseableConfig() {
+        final var listener = spy(
+            ActionListener.<Map<CType, SecurityDynamicConfiguration<?>>>wrap(
+                r -> fail("Unexpected behave"),
+                e -> assertEquals("Couldn't parse content for CONFIG", e.getMessage())
+            )
+        );
+        doAnswer(invocation -> {
+
+            final var objectMapper = DefaultObjectMapper.objectMapper;
+
+            ActionListener<MultiGetResponse> actionListener = invocation.getArgument(1);
+            final var getResult = mock(GetResult.class);
+            final var r = new MultiGetResponse(new MultiGetItemResponse[] { new MultiGetItemResponse(new GetResponse(getResult), null) });
+            when(getResult.getId()).thenReturn(CType.CONFIG.toLCString());
+            when(getResult.isExists()).thenReturn(true);
+
+            final var configResponse = objectMapper.createObjectNode()
+                .put(
+                    CType.CONFIG.toLCString(),
+                    objectMapper.createObjectNode()
+                        .set("_meta", objectMapper.createObjectNode().put("type", CType.CONFIG.toLCString()))
+                        .toString()
+                        .getBytes(StandardCharsets.UTF_8)
+                );
+            final var source = objectMapper.writeValueAsBytes(configResponse);
+            when(getResult.sourceRef()).thenReturn(new BytesArray(source, 0, source.length));
+            actionListener.onResponse(r);
+            return null;
+        }).when(client).multiGet(any(MultiGetRequest.class), any());
+        securityIndexHandler.loadConfiguration(configuration(), listener);
+
+        verify(listener).onFailure(any());
+    }
+
+    @Test
+    public void testLoadConfiguration_shouldBuildSecurityConfig() {
+        final var listener = spy(ActionListener.<Map<CType, SecurityDynamicConfiguration<?>>>wrap(config -> {
+            assertEquals(CType.values().length, config.keySet().size());
+            for (final var c : CType.values()) {
+                assertTrue(c.toLCString(), config.containsKey(c));
+            }
+        }, e -> fail("Unexpected behave")));
+        doAnswer(invocation -> {
+            final var objectMapper = DefaultObjectMapper.objectMapper;
+            ActionListener<MultiGetResponse> actionListener = invocation.getArgument(1);
+
+            final var responses = new MultiGetItemResponse[CType.values().length];
+            var counter = 0;
+            for (final var c : CType.values()) {
+                final var getResult = mock(GetResult.class);
+                if (!c.emptyIfMissing()) {
+                    when(getResult.getId()).thenReturn(c.toLCString());
+                    when(getResult.isExists()).thenReturn(true);
+
+                    final var minimumRequiredConfig = minimumRequiredConfig(c);
+                    if (c == CType.CONFIG) minimumRequiredConfig.set(
+                        "config",
+                        objectMapper.createObjectNode().set("dynamic", objectMapper.createObjectNode())
+                    );
+
+                    final var source = objectMapper.writeValueAsBytes(
+                        objectMapper.createObjectNode()
+                            .put(c.toLCString(), minimumRequiredConfig.toString().getBytes(StandardCharsets.UTF_8))
+                    );
+
+                    when(getResult.sourceRef()).thenReturn(new BytesArray(source, 0, source.length));
+
+                    responses[counter] = new MultiGetItemResponse(new GetResponse(getResult), null);
+                } else {
+                    when(getResult.getId()).thenReturn(c.toLCString());
+                    when(getResult.isExists()).thenReturn(false);
+                    responses[counter] = new MultiGetItemResponse(new GetResponse(getResult), null);
+                }
+                counter++;
+            }
+            actionListener.onResponse(new MultiGetResponse(responses));
+            return null;
+        }).when(client).multiGet(any(MultiGetRequest.class), any());
+        securityIndexHandler.loadConfiguration(configuration(), listener);
+
+        verify(listener).onResponse(any());
+    }
+
+    private ObjectNode minimumRequiredConfig(final CType cType) {
+        final var objectMapper = DefaultObjectMapper.objectMapper;
+        return objectMapper.createObjectNode()
+            .set("_meta", objectMapper.createObjectNode().put("type", cType.toLCString()).put("config_version", DEFAULT_CONFIG_VERSION));
+    }
+
+    private Set<SecurityConfig> configuration() {
+        return Set.of(new SecurityConfig(CType.CONFIG, "aaa", null), new SecurityConfig(CType.AUDIT, "bbb", null));
+    }
+
+}

From 864d8be791a274658ada0c7b8a1a5fbe389fbbc7 Mon Sep 17 00:00:00 2001
From: Ashish Agrawal <ashisagr@amazon.com>
Date: Wed, 27 Mar 2024 13:50:46 -0700
Subject: [PATCH 100/143] Add new stop words system index (#4180)

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>
---
 .../security/tools/democonfig/SecuritySettingsConfigurer.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
index e66215ac9a..72f0247e53 100644
--- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
+++ b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java
@@ -58,6 +58,7 @@ public class SecuritySettingsConfigurer {
         ".plugins-ml-conversation-interactions",
         ".plugins-ml-memory-meta",
         ".plugins-ml-memory-message",
+        ".plugins-ml-stop-words",
         ".opendistro-alerting-config",
         ".opendistro-alerting-alert*",
         ".opendistro-anomaly-results*",

From aa56d26af83e4c8db8be3501c4c68eb72c250620 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Thu, 28 Mar 2024 00:55:53 +0100
Subject: [PATCH 101/143] Extract route paths prefixes into constants (#4173)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../http/saml/AuthTokenProcessorHandler.java  | 23 +++++++++++--------
 .../onbehalf/CreateOnBehalfOfTokenAction.java |  3 ++-
 .../security/dlic/rest/support/Utils.java     | 14 +++++++++--
 .../security/rest/DashboardsInfoAction.java   |  8 +++++--
 .../security/rest/SecurityHealthAction.java   |  6 +++--
 .../security/rest/SecurityInfoAction.java     |  6 +++--
 .../security/rest/TenantInfoAction.java       |  6 +++--
 7 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
index 32e01b9e2f..6abe934925 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
@@ -137,7 +137,9 @@ private AuthTokenProcessorAction.Response handleImpl(
         String samlResponseBase64,
         String samlRequestId,
         String acsEndpoint,
-        Saml2Settings saml2Settings
+        Saml2Settings saml2Settings,
+        String requestPath // the parameter will be removed in the future as soon as we will read of legacy paths aka
+                           // /_opendistro/_security/...
     ) {
         if (token_log.isDebugEnabled()) {
             try {
@@ -156,7 +158,7 @@ private AuthTokenProcessorAction.Response handleImpl(
             final SamlResponse samlResponse = new SamlResponse(saml2Settings, acsEndpoint, samlResponseBase64);
 
             if (!samlResponse.isValid(samlRequestId)) {
-                log.warn("Error while validating SAML response in /_opendistro/_security/api/authtoken");
+                log.warn("Error while validating SAML response in {}", requestPath);
                 return null;
             }
 
@@ -178,17 +180,14 @@ private Optional<SecurityResponse> handleLowLevel(RestRequest restRequest) throw
 
             if (restRequest.getMediaType() != XContentType.JSON) {
                 throw new OpenSearchSecurityException(
-                    "/_opendistro/_security/api/authtoken expects content with type application/json",
+                    restRequest.path() + " expects content with type application/json",
                     RestStatus.UNSUPPORTED_MEDIA_TYPE
                 );
 
             }
 
             if (restRequest.method() != Method.POST) {
-                throw new OpenSearchSecurityException(
-                    "/_opendistro/_security/api/authtoken expects POST requests",
-                    RestStatus.METHOD_NOT_ALLOWED
-                );
+                throw new OpenSearchSecurityException(restRequest.path() + " expects POST requests", RestStatus.METHOD_NOT_ALLOWED);
             }
 
             Saml2Settings saml2Settings = this.saml2SettingsProvider.getCached();
@@ -218,7 +217,13 @@ private Optional<SecurityResponse> handleLowLevel(RestRequest restRequest) throw
                 acsEndpoint = getAbsoluteAcsEndpoint(((ObjectNode) jsonRoot).get("acsEndpoint").textValue());
             }
 
-            AuthTokenProcessorAction.Response responseBody = this.handleImpl(samlResponseBase64, samlRequestId, acsEndpoint, saml2Settings);
+            AuthTokenProcessorAction.Response responseBody = this.handleImpl(
+                samlResponseBase64,
+                samlRequestId,
+                acsEndpoint,
+                saml2Settings,
+                restRequest.path()
+            );
 
             if (responseBody == null) {
                 return Optional.empty();
@@ -228,7 +233,7 @@ private Optional<SecurityResponse> handleLowLevel(RestRequest restRequest) throw
 
             return Optional.of(new SecurityResponse(HttpStatus.SC_OK, null, responseBodyString, XContentType.JSON.mediaType()));
         } catch (JsonProcessingException e) {
-            log.warn("Error while parsing JSON for /_opendistro/_security/api/authtoken", e);
+            log.warn("Error while parsing JSON for {}", restRequest.path(), e);
             return Optional.of(new SecurityResponse(HttpStatus.SC_BAD_REQUEST, "JSON could not be parsed"));
         }
     }
diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
index 02b88bbd5c..2e88418acf 100644
--- a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
+++ b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
@@ -32,13 +32,14 @@
 import org.opensearch.security.identity.SecurityTokenManager;
 
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_API_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class CreateOnBehalfOfTokenAction extends BaseRestHandler {
 
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new NamedRoute.Builder().method(POST).path("/generateonbehalfoftoken").uniqueName("security:obo/create").build()),
-        "/_plugins/_security/api"
+        PLUGIN_API_ROUTE_PREFIX
     );
 
     public static final long OBO_DEFAULT_EXPIRY_SECONDS = 5 * 60;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
index 74b7cd415a..ee68a629c6 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
@@ -55,9 +55,19 @@
 import org.opensearch.security.user.User;
 
 import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION;
+import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
 public class Utils {
 
+    public final static String PLUGIN_ROUTE_PREFIX = "/" + PLUGINS_PREFIX;
+
+    public final static String LEGACY_PLUGIN_ROUTE_PREFIX = "/" + LEGACY_OPENDISTRO_PREFIX;
+
+    public final static String PLUGIN_API_ROUTE_PREFIX = PLUGIN_ROUTE_PREFIX + "/api";
+
+    public final static String LEGACY_PLUGIN_API_ROUTE_PREFIX = LEGACY_PLUGIN_ROUTE_PREFIX + "/api";
+
     private static final ObjectMapper internalMapper = new ObjectMapper();
 
     public static Map<String, Object> convertJsonToxToStructuredMap(ToXContent jsonContent) {
@@ -217,7 +227,7 @@ public static Set<String> generateFieldResourcePaths(final Set<String> fields, f
      *Total number of routes is expanded as twice as the number of routes passed in
      */
     public static List<Route> addRoutesPrefix(List<Route> routes) {
-        return addRoutesPrefix(routes, "/_opendistro/_security/api", "/_plugins/_security/api");
+        return addRoutesPrefix(routes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX);
     }
 
     /**
@@ -248,7 +258,7 @@ public static List<Route> addRoutesPrefix(List<Route> routes, final String... pr
      *Total number of routes is expanded as twice as the number of routes passed in
      */
     public static List<DeprecatedRoute> addDeprecatedRoutesPrefix(List<DeprecatedRoute> deprecatedRoutes) {
-        return addDeprecatedRoutesPrefix(deprecatedRoutes, "/_opendistro/_security/api", "/_plugins/_security/api");
+        return addDeprecatedRoutesPrefix(deprecatedRoutes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX);
     }
 
     /**
diff --git a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
index 070648ed92..3401ac71e8 100644
--- a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
@@ -50,15 +50,19 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class DashboardsInfoAction extends BaseRestHandler {
 
     private static final List<Route> routes = ImmutableList.<Route>builder()
         .addAll(
-            addRoutesPrefix(ImmutableList.of(new Route(GET, "/dashboardsinfo"), new Route(POST, "/dashboardsinfo")), "/_plugins/_security")
+            addRoutesPrefix(ImmutableList.of(new Route(GET, "/dashboardsinfo"), new Route(POST, "/dashboardsinfo")), PLUGIN_ROUTE_PREFIX)
+        )
+        .addAll(
+            addRoutesPrefix(ImmutableList.of(new Route(GET, "/kibanainfo"), new Route(POST, "/kibanainfo")), LEGACY_PLUGIN_ROUTE_PREFIX)
         )
-        .addAll(addRoutesPrefix(ImmutableList.of(new Route(GET, "/kibanainfo"), new Route(POST, "/kibanainfo")), "/_opendistro/_security"))
         .build();
 
     private final Logger log = LogManager.getLogger(this.getClass());
diff --git a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
index 1b7e788dae..3c57773417 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java
@@ -44,13 +44,15 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class SecurityHealthAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/health"), new Route(POST, "/health")),
-        "/_opendistro/_security",
-        "/_plugins/_security"
+        LEGACY_PLUGIN_ROUTE_PREFIX,
+        PLUGIN_ROUTE_PREFIX
     );
 
     private final BackendRegistry registry;
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index 469c7f81b4..f6cf7f82ee 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -57,13 +57,15 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class SecurityInfoAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/authinfo"), new Route(POST, "/authinfo")),
-        "/_opendistro/_security",
-        "/_plugins/_security"
+        LEGACY_PLUGIN_ROUTE_PREFIX,
+        PLUGIN_ROUTE_PREFIX
     );
 
     private final Logger log = LogManager.getLogger(this.getClass());
diff --git a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
index 1b0bdd7f8e..bd911463d4 100644
--- a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
@@ -61,13 +61,15 @@
 
 import static org.opensearch.rest.RestRequest.Method.GET;
 import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX;
+import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
 public class TenantInfoAction extends BaseRestHandler {
     private static final List<Route> routes = addRoutesPrefix(
         ImmutableList.of(new Route(GET, "/tenantinfo"), new Route(POST, "/tenantinfo")),
-        "/_opendistro/_security",
-        "/_plugins/_security"
+        LEGACY_PLUGIN_ROUTE_PREFIX,
+        PLUGIN_ROUTE_PREFIX
     );
 
     private final Logger log = LogManager.getLogger(this.getClass());

From a870b40919b1a693ec810b50eda783d334b7a684 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Thu, 28 Mar 2024 14:25:13 +0100
Subject: [PATCH 102/143] Misc changes for tests (#4171)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../http/AnonymousAuthenticationTest.java     |   7 +-
 .../opensearch/security/http/AsyncTests.java  |   3 +-
 .../http/CertificateAuthenticationTest.java   |   4 +-
 .../http/CommonProxyAuthenticationTests.java  |  13 +-
 .../security/http/LdapAuthenticationTest.java |   3 +-
 .../http/LdapTlsAuthenticationTest.java       |   6 +-
 .../http/OnBehalfOfJwtAuthenticationTest.java |   3 +-
 .../security/http/RolesMappingTests.java      |   6 +-
 .../test/framework/RolesMapping.java          | 108 -------
 .../test/framework/TestSecurityConfig.java    | 279 +++++++++++++++++-
 .../test/framework/cluster/LocalCluster.java  |   3 +-
 .../cluster/LocalOpenSearchCluster.java       |  16 +-
 .../framework/cluster/TestRestClient.java     |   8 +
 13 files changed, 311 insertions(+), 148 deletions(-)
 delete mode 100644 src/integrationTest/java/org/opensearch/test/framework/RolesMapping.java

diff --git a/src/integrationTest/java/org/opensearch/security/http/AnonymousAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/AnonymousAuthenticationTest.java
index b1c13aeedc..99f96a388e 100644
--- a/src/integrationTest/java/org/opensearch/security/http/AnonymousAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/AnonymousAuthenticationTest.java
@@ -17,7 +17,6 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
@@ -45,9 +44,9 @@ public class AnonymousAuthenticationTest {
     /**
     * Maps {@link #ANONYMOUS_USER_CUSTOM_ROLE} to {@link #DEFAULT_ANONYMOUS_USER_BACKEND_ROLE_NAME}
     */
-    private static final RolesMapping ANONYMOUS_USER_CUSTOM_ROLE_MAPPING = new RolesMapping(ANONYMOUS_USER_CUSTOM_ROLE).backendRoles(
-        DEFAULT_ANONYMOUS_USER_BACKEND_ROLE_NAME
-    );
+    private static final TestSecurityConfig.RoleMapping ANONYMOUS_USER_CUSTOM_ROLE_MAPPING = new TestSecurityConfig.RoleMapping(
+        ANONYMOUS_USER_CUSTOM_ROLE.getName()
+    ).backendRoles(DEFAULT_ANONYMOUS_USER_BACKEND_ROLE_NAME);
 
     /**
     * User who is stored in the internal user database and can authenticate
diff --git a/src/integrationTest/java/org/opensearch/security/http/AsyncTests.java b/src/integrationTest/java/org/opensearch/security/http/AsyncTests.java
index 8103d50e74..514d2c45d1 100644
--- a/src/integrationTest/java/org/opensearch/security/http/AsyncTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/AsyncTests.java
@@ -26,7 +26,6 @@
 import org.opensearch.security.IndexOperationsHelper;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.AsyncActions;
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -44,7 +43,7 @@ public class AsyncTests {
     public static LocalCluster cluster = new LocalCluster.Builder().singleNode()
         .authc(AUTHC_HTTPBASIC_INTERNAL)
         .users(ADMIN_USER)
-        .rolesMapping(new RolesMapping(ALL_ACCESS).backendRoles("admin"))
+        .rolesMapping(new TestSecurityConfig.RoleMapping(ALL_ACCESS.getName()).backendRoles("admin"))
         .anonymousAuth(false)
         .nodeSettings(Map.of(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, List.of(ALL_ACCESS.getName())))
         .build();
diff --git a/src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java
index 975ce25efb..18ae232a91 100644
--- a/src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java
@@ -17,7 +17,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.test.framework.RolesMapping;
+import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.HttpAuthenticator;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
@@ -69,7 +69,7 @@ public class CertificateAuthenticationTest {
         .authc(AUTHC_HTTPBASIC_INTERNAL)
         .roles(ROLE_ALL_INDEX_SEARCH)
         .users(USER_ADMIN)
-        .rolesMapping(new RolesMapping(ROLE_ALL_INDEX_SEARCH).backendRoles(BACKEND_ROLE_BRIDGE))
+        .rolesMapping(new TestSecurityConfig.RoleMapping(ROLE_ALL_INDEX_SEARCH.getName()).backendRoles(BACKEND_ROLE_BRIDGE))
         .build();
 
     private static final TestCertificates TEST_CERTIFICATES = cluster.getTestCertificates();
diff --git a/src/integrationTest/java/org/opensearch/security/http/CommonProxyAuthenticationTests.java b/src/integrationTest/java/org/opensearch/security/http/CommonProxyAuthenticationTests.java
index d98acf8895..48ed08ac22 100644
--- a/src/integrationTest/java/org/opensearch/security/http/CommonProxyAuthenticationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/CommonProxyAuthenticationTests.java
@@ -13,7 +13,6 @@
 import java.net.InetAddress;
 import java.util.List;
 
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -84,13 +83,13 @@ abstract class CommonProxyAuthenticationTests {
         .indexPermissions("indices:data/read/search")
         .on(PERSONAL_INDEX_NAME_PATTERN);
 
-    protected static final RolesMapping ROLES_MAPPING_CAPTAIN = new RolesMapping(ROLE_PERSONAL_INDEX_SEARCH).backendRoles(
-        BACKEND_ROLE_CAPTAIN
-    );
+    protected static final TestSecurityConfig.RoleMapping ROLES_MAPPING_CAPTAIN = new TestSecurityConfig.RoleMapping(
+        ROLE_PERSONAL_INDEX_SEARCH.getName()
+    ).backendRoles(BACKEND_ROLE_CAPTAIN);
 
-    protected static final RolesMapping ROLES_MAPPING_FIRST_MATE = new RolesMapping(ROLE_ALL_INDEX_SEARCH).backendRoles(
-        BACKEND_ROLE_FIRST_MATE
-    );
+    protected static final TestSecurityConfig.RoleMapping ROLES_MAPPING_FIRST_MATE = new TestSecurityConfig.RoleMapping(
+        ROLE_ALL_INDEX_SEARCH.getName()
+    ).backendRoles(BACKEND_ROLE_FIRST_MATE);
 
     protected abstract LocalCluster getCluster();
 
diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
index 7339808d8c..090762af21 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapAuthenticationTest.java
@@ -27,7 +27,6 @@
 import org.opensearch.test.framework.AuthzDomain;
 import org.opensearch.test.framework.LdapAuthenticationConfigBuilder;
 import org.opensearch.test.framework.LdapAuthorizationConfigBuilder;
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AuthenticationBackend;
@@ -118,7 +117,7 @@ public class LdapAuthenticationTest {
         )
         .authc(AUTHC_HTTPBASIC_INTERNAL)
         .users(ADMIN_USER)
-        .rolesMapping(new RolesMapping(ALL_ACCESS).backendRoles(CN_GROUP_ADMIN))
+        .rolesMapping(new TestSecurityConfig.RoleMapping(ALL_ACCESS.getName()).backendRoles(CN_GROUP_ADMIN))
         .authz(
             new AuthzDomain("ldap_roles").httpEnabled(true)
                 .authorizationBackend(
diff --git a/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
index 32265f4b81..e5c1012bdc 100644
--- a/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/LdapTlsAuthenticationTest.java
@@ -30,7 +30,7 @@
 import org.opensearch.test.framework.AuthzDomain;
 import org.opensearch.test.framework.LdapAuthenticationConfigBuilder;
 import org.opensearch.test.framework.LdapAuthorizationConfigBuilder;
-import org.opensearch.test.framework.RolesMapping;
+import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AuthenticationBackend;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.HttpAuthenticator;
@@ -151,8 +151,8 @@ public class LdapTlsAuthenticationTest {
         .users(ADMIN_USER)
         .roles(ROLE_INDEX_ADMINISTRATOR, ROLE_PERSONAL_INDEX_ACCESS)
         .rolesMapping(
-            new RolesMapping(ROLE_INDEX_ADMINISTRATOR).backendRoles(CN_GROUP_ADMIN),
-            new RolesMapping(ROLE_PERSONAL_INDEX_ACCESS).backendRoles(CN_GROUP_CREW)
+            new TestSecurityConfig.RoleMapping(ROLE_INDEX_ADMINISTRATOR.getName()).backendRoles(CN_GROUP_ADMIN),
+            new TestSecurityConfig.RoleMapping(ROLE_PERSONAL_INDEX_ACCESS.getName()).backendRoles(CN_GROUP_CREW)
         )
         .authz(
             new AuthzDomain("ldap_roles").httpEnabled(true)
diff --git a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
index 7210c53ad4..1dbb10b1f8 100644
--- a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
@@ -33,7 +33,6 @@
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil;
 import org.opensearch.test.framework.OnBehalfOfConfig;
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
@@ -139,7 +138,7 @@ private static OnBehalfOfConfig defaultOnBehalfOfConfig() {
             )
         )
         .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .rolesMapping(new RolesMapping(HOST_MAPPING_ROLE).hostIPs(HOST_MAPPING_IP))
+        .rolesMapping(new TestSecurityConfig.RoleMapping(HOST_MAPPING_ROLE.getName()).hosts(HOST_MAPPING_IP))
         .onBehalfOf(defaultOnBehalfOfConfig())
         .build();
 
diff --git a/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java b/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java
index 3907be4153..828790e47b 100644
--- a/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/RolesMappingTests.java
@@ -16,7 +16,6 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
@@ -48,7 +47,10 @@ public class RolesMappingTests {
         .anonymousAuth(false)
         .authc(AUTHC_DOMAIN)
         .roles(ROLE_A, ROLE_B)
-        .rolesMapping(new RolesMapping(ROLE_A).backendRoles("mapsToRoleA"), new RolesMapping(ROLE_B).backendRoles("mapsToRoleB"))
+        .rolesMapping(
+            new TestSecurityConfig.RoleMapping(ROLE_A.getName()).backendRoles("mapsToRoleA"),
+            new TestSecurityConfig.RoleMapping(ROLE_B.getName()).backendRoles("mapsToRoleB")
+        )
         .users(USER_A, USER_B)
         .build();
 
diff --git a/src/integrationTest/java/org/opensearch/test/framework/RolesMapping.java b/src/integrationTest/java/org/opensearch/test/framework/RolesMapping.java
deleted file mode 100644
index 997e7e128b..0000000000
--- a/src/integrationTest/java/org/opensearch/test/framework/RolesMapping.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-* Copyright OpenSearch Contributors
-* SPDX-License-Identifier: Apache-2.0
-*
-* The OpenSearch Contributors require contributions made to
-* this file be licensed under the Apache-2.0 license or a
-* compatible open source license.
-*
-*/
-package org.opensearch.test.framework;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.opensearch.core.xcontent.ToXContentObject;
-import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.test.framework.TestSecurityConfig.Role;
-
-import static java.util.Objects.requireNonNull;
-
-/**
-* The class represents mapping between backend roles {@link #backendRoles} to OpenSearch role defined by field {@link #roleName}. The
-* class provides convenient builder-like methods and can be serialized to JSON. Serialization to JSON is required to store the class
-* in an OpenSearch index which contains Security plugin configuration.
-*/
-public class RolesMapping implements ToXContentObject {
-
-    /**
-    * OpenSearch role name
-    */
-    private String roleName;
-
-    /**
-    * Backend role names
-    */
-    private List<String> backendRoles;
-    private List<String> hostIPs;
-
-    private boolean reserved = false;
-
-    /**
-    * Creates roles mapping to OpenSearch role defined by parameter <code>role</code>
-    * @param role OpenSearch role, must not be <code>null</code>.
-    */
-    public RolesMapping(Role role) {
-        requireNonNull(role);
-        this.roleName = requireNonNull(role.getName());
-        this.backendRoles = new ArrayList<>();
-        this.hostIPs = new ArrayList<>();
-    }
-
-    /**
-    * Defines backend role names
-    * @param backendRoles backend roles names
-    * @return current {@link RolesMapping} instance
-    */
-    public RolesMapping backendRoles(String... backendRoles) {
-        this.backendRoles.addAll(Arrays.asList(backendRoles));
-        return this;
-    }
-
-    /**
-     * Defines host IP address
-     * @param hostIPs host IP address
-     * @return current {@link RolesMapping} instance
-     */
-    public RolesMapping hostIPs(String... hostIPs) {
-        this.hostIPs.addAll(Arrays.asList(hostIPs));
-        return this;
-    }
-
-    /**
-    * Determines if role is reserved
-    * @param reserved <code>true</code> for reserved roles
-    * @return current {@link RolesMapping} instance
-    */
-    public RolesMapping reserved(boolean reserved) {
-        this.reserved = reserved;
-        return this;
-    }
-
-    /**
-    * Returns OpenSearch role name
-    * @return role name
-    */
-    public String getRoleName() {
-        return roleName;
-    }
-
-    /**
-    * Controls serialization to JSON
-    * @param xContentBuilder must not be <code>null</code>
-    * @param params not used parameter, but required by the interface {@link ToXContentObject}
-    * @return builder form parameter <code>xContentBuilder</code>
-    * @throws IOException denotes error during serialization to JSON
-    */
-    @Override
-    public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
-        xContentBuilder.startObject();
-        xContentBuilder.field("reserved", reserved);
-        xContentBuilder.field("backend_roles", backendRoles);
-        xContentBuilder.field("hosts", hostIPs);
-        xContentBuilder.endObject();
-        return xContentBuilder;
-    }
-}
diff --git a/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java b/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
index 7957d1cfa4..22aab70521 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
@@ -53,6 +53,7 @@
 import org.opensearch.action.update.UpdateRequest;
 import org.opensearch.client.Client;
 import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.common.Strings;
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
@@ -81,7 +82,9 @@ public class TestSecurityConfig {
     private Map<String, User> internalUsers = new LinkedHashMap<>();
     private Map<String, Role> roles = new LinkedHashMap<>();
     private AuditConfiguration auditConfiguration;
-    private Map<String, RolesMapping> rolesMapping = new LinkedHashMap<>();
+    private Map<String, RoleMapping> rolesMapping = new LinkedHashMap<>();
+
+    private Map<String, ActionGroup> actionGroups = new LinkedHashMap<>();
 
     private String indexName = ".opendistro_security";
 
@@ -159,9 +162,9 @@ public TestSecurityConfig audit(AuditConfiguration auditConfiguration) {
         return this;
     }
 
-    public TestSecurityConfig rolesMapping(RolesMapping... mappings) {
-        for (RolesMapping mapping : mappings) {
-            String roleName = mapping.getRoleName();
+    public TestSecurityConfig rolesMapping(RoleMapping... mappings) {
+        for (RoleMapping mapping : mappings) {
+            String roleName = mapping.name();
             if (rolesMapping.containsKey(roleName)) {
                 throw new IllegalArgumentException("Role mapping " + roleName + " already exists");
             }
@@ -170,6 +173,13 @@ public TestSecurityConfig rolesMapping(RolesMapping... mappings) {
         return this;
     }
 
+    public TestSecurityConfig actionGroups(ActionGroup... groups) {
+        for (final var group : groups) {
+            this.actionGroups.put(group.name, group);
+        }
+        return this;
+    }
+
     public static class Config implements ToXContentObject {
         private boolean anonymousAuth;
 
@@ -252,7 +262,88 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
         }
     }
 
-    public static class User implements UserCredentialsHolder, ToXContentObject {
+    public static final class ActionGroup implements ToXContentObject {
+
+        public enum Type {
+
+            INDEX,
+
+            CLUSTER;
+
+            public String type() {
+                return name().toLowerCase();
+            }
+
+        }
+
+        private final String name;
+
+        private final String description;
+
+        private final Type type;
+
+        private final List<String> allowedActions;
+
+        private Boolean hidden = null;
+
+        private Boolean reserved = null;
+
+        public ActionGroup(String name, Type type, String... allowedActions) {
+            this(name, null, type, allowedActions);
+        }
+
+        public ActionGroup(String name, String description, Type type, String... allowedActions) {
+            this.name = name;
+            this.description = description;
+            this.type = type;
+            this.allowedActions = Arrays.asList(allowedActions);
+        }
+
+        public String name() {
+            return name;
+        }
+
+        public ActionGroup hidden(boolean hidden) {
+            this.hidden = hidden;
+            return this;
+        }
+
+        public ActionGroup reserved(boolean reserved) {
+            this.reserved = reserved;
+            return this;
+        }
+
+        @Override
+        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+            builder.startObject();
+            if (hidden != null) builder.field("hidden", hidden);
+            if (reserved != null) builder.field("reserved", reserved);
+            builder.field("type", type.type());
+            builder.field("allowed_actions", allowedActions);
+            if (description != null) builder.field("description", description);
+            return builder.endObject();
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            ActionGroup that = (ActionGroup) o;
+            return Objects.equals(name, that.name)
+                && Objects.equals(description, that.description)
+                && type == that.type
+                && Objects.equals(allowedActions, that.allowedActions)
+                && Objects.equals(hidden, that.hidden)
+                && Objects.equals(reserved, that.reserved);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(name, description, type, allowedActions, hidden, reserved);
+        }
+    }
+
+    public static final class User implements UserCredentialsHolder, ToXContentObject {
 
         public final static TestSecurityConfig.User USER_ADMIN = new TestSecurityConfig.User("admin").roles(
             new Role("allaccess").indexPermissions("*").on("*").clusterPermissions("*")
@@ -265,9 +356,20 @@ public static class User implements UserCredentialsHolder, ToXContentObject {
         String requestedTenant;
         private Map<String, String> attributes = new HashMap<>();
 
+        private Boolean hidden = null;
+
+        private Boolean reserved = null;
+
+        private String description;
+
         public User(String name) {
+            this(name, null);
+        }
+
+        public User(String name, String description) {
             this.name = name;
             this.password = "secret";
+            this.description = description;
         }
 
         public User password(String password) {
@@ -289,6 +391,16 @@ public User backendRoles(String... backendRoles) {
             return this;
         }
 
+        public User reserved(boolean reserved) {
+            this.reserved = reserved;
+            return this;
+        }
+
+        public User hidden(boolean hidden) {
+            this.hidden = hidden;
+            return this;
+        }
+
         public User attr(String key, String value) {
             this.attributes.put(key, value);
             return this;
@@ -330,9 +442,33 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
                 xContentBuilder.field("attributes", attributes);
             }
 
+            if (hidden != null) xContentBuilder.field("hidden", hidden);
+            if (reserved != null) xContentBuilder.field("reserved", reserved);
+            if (!Strings.isNullOrEmpty(description)) xContentBuilder.field("description", description);
             xContentBuilder.endObject();
             return xContentBuilder;
         }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            User user = (User) o;
+            return Objects.equals(name, user.name)
+                && Objects.equals(password, user.password)
+                && Objects.equals(roles, user.roles)
+                && Objects.equals(backendRoles, user.backendRoles)
+                && Objects.equals(requestedTenant, user.requestedTenant)
+                && Objects.equals(attributes, user.attributes)
+                && Objects.equals(hidden, user.hidden)
+                && Objects.equals(reserved, user.reserved)
+                && Objects.equals(description, user.description);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(name, password, roles, backendRoles, requestedTenant, attributes, hidden, reserved, description);
+        }
     }
 
     public static class Role implements ToXContentObject {
@@ -343,8 +479,19 @@ public static class Role implements ToXContentObject {
 
         private List<IndexPermission> indexPermissions = new ArrayList<>();
 
+        private Boolean hidden;
+
+        private Boolean reserved;
+
+        private String description;
+
         public Role(String name) {
+            this(name, null);
+        }
+
+        public Role(String name, String description) {
             this.name = name;
+            this.description = description;
         }
 
         public Role clusterPermissions(String... clusterPermissions) {
@@ -365,6 +512,16 @@ public String getName() {
             return name;
         }
 
+        public Role hidden(boolean hidden) {
+            this.hidden = hidden;
+            return this;
+        }
+
+        public Role reserved(boolean reserved) {
+            this.reserved = reserved;
+            return this;
+        }
+
         public Role clone() {
             Role role = new Role(this.name);
             role.clusterPermissions.addAll(this.clusterPermissions);
@@ -383,9 +540,117 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
             if (!indexPermissions.isEmpty()) {
                 xContentBuilder.field("index_permissions", indexPermissions);
             }
+            if (hidden != null) {
+                xContentBuilder.field("hidden", hidden);
+            }
+            if (reserved != null) {
+                xContentBuilder.field("reserved", reserved);
+            }
+            if (!Strings.isNullOrEmpty(description)) xContentBuilder.field("description", description);
+            return xContentBuilder.endObject();
+        }
 
-            xContentBuilder.endObject();
-            return xContentBuilder;
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            Role role = (Role) o;
+            return Objects.equals(name, role.name)
+                && Objects.equals(clusterPermissions, role.clusterPermissions)
+                && Objects.equals(indexPermissions, role.indexPermissions)
+                && Objects.equals(hidden, role.hidden)
+                && Objects.equals(reserved, role.reserved)
+                && Objects.equals(description, role.description);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(name, clusterPermissions, indexPermissions, hidden, reserved, description);
+        }
+    }
+
+    public static class RoleMapping implements ToXContentObject {
+
+        private List<String> users = new ArrayList<>();
+        private List<String> hosts = new ArrayList<>();
+
+        private final String name;
+
+        private Boolean hidden;
+
+        private Boolean reserved;
+
+        private final String description;
+
+        private List<String> backendRoles = new ArrayList<>();
+
+        public RoleMapping(final String name) {
+            this(name, null);
+        }
+
+        public RoleMapping(final String name, final String description) {
+            this.name = name;
+            this.description = description;
+        }
+
+        public String name() {
+            return name;
+        }
+
+        public RoleMapping hidden(boolean hidden) {
+            this.hidden = hidden;
+            return this;
+        }
+
+        public RoleMapping reserved(boolean reserved) {
+            this.reserved = reserved;
+            return this;
+        }
+
+        public RoleMapping users(String... users) {
+            this.users.addAll(Arrays.asList(users));
+            return this;
+        }
+
+        public RoleMapping hosts(String... hosts) {
+            this.users.addAll(Arrays.asList(hosts));
+            return this;
+        }
+
+        public RoleMapping backendRoles(String... backendRoles) {
+            this.backendRoles.addAll(Arrays.asList(backendRoles));
+            return this;
+        }
+
+        @Override
+        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+            builder.startObject();
+            if (hidden != null) builder.field("hidden", hidden);
+            if (reserved != null) builder.field("reserved", reserved);
+            if (users != null && !users.isEmpty()) builder.field("users", users);
+            if (hosts != null && !hosts.isEmpty()) builder.field("hosts", hosts);
+            if (description != null) builder.field("description", description);
+            builder.field("backend_roles", backendRoles);
+            return builder.endObject();
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            RoleMapping that = (RoleMapping) o;
+            return Objects.equals(users, that.users)
+                && Objects.equals(hosts, that.hosts)
+                && Objects.equals(name, that.name)
+                && Objects.equals(hidden, that.hidden)
+                && Objects.equals(reserved, that.reserved)
+                && Objects.equals(description, that.description)
+                && Objects.equals(backendRoles, that.backendRoles);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(users, hosts, name, hidden, reserved, description, backendRoles);
         }
     }
 
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
index 217ce99a81..135f1fb481 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
@@ -56,7 +56,6 @@
 import org.opensearch.test.framework.AuthFailureListeners;
 import org.opensearch.test.framework.AuthzDomain;
 import org.opensearch.test.framework.OnBehalfOfConfig;
-import org.opensearch.test.framework.RolesMapping;
 import org.opensearch.test.framework.TestIndex;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
@@ -442,7 +441,7 @@ public Builder roles(Role... roles) {
             return this;
         }
 
-        public Builder rolesMapping(RolesMapping... mappings) {
+        public Builder rolesMapping(TestSecurityConfig.RoleMapping... mappings) {
             testSecurityConfig.rolesMapping(mappings);
             return this;
         }
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
index b228fed388..5e9fd75326 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
@@ -213,17 +213,19 @@ public void stop() {
         for (Node node : nodes) {
             stopFutures.add(node.stop(2, TimeUnit.SECONDS));
         }
-        CompletableFuture.allOf(stopFutures.toArray(size -> new CompletableFuture[size])).join();
+        CompletableFuture.allOf(stopFutures.toArray(CompletableFuture[]::new)).join();
     }
 
     public void destroy() {
-        stop();
-        nodes.clear();
-
         try {
-            FileUtils.deleteDirectory(clusterHomeDir);
-        } catch (IOException e) {
-            log.warn("Error while deleting " + clusterHomeDir, e);
+            stop();
+            nodes.clear();
+        } finally {
+            try {
+                FileUtils.deleteDirectory(clusterHomeDir);
+            } catch (IOException e) {
+                log.warn("Error while deleting " + clusterHomeDir, e);
+            }
         }
     }
 
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
index b7da92b270..bd625a5c31 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
@@ -417,6 +417,14 @@ public <T> T getBodyAs(Class<T> authInfoClass) {
             }
         }
 
+        public JsonNode bodyAsJsonNode() {
+            try {
+                return DefaultObjectMapper.readTree(getBody());
+            } catch (IOException e) {
+                throw new RuntimeException("Cannot parse response body", e);
+            }
+        }
+
         public void assertStatusCode(int expectedHttpStatus) {
             String reason = format("Expected status code is '%d', but was '%d'. Response body '%s'.", expectedHttpStatus, statusCode, body);
             assertThat(reason, statusCode, equalTo(expectedHttpStatus));

From f375765d7cf27faf7a2d9944f3ff18430a339595 Mon Sep 17 00:00:00 2001
From: Andriy Redko <andriy.redko@aiven.io>
Date: Thu, 28 Mar 2024 16:48:53 -0400
Subject: [PATCH 103/143] [FEATURE] Improve built-in secure transports support
 (#4179)

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
---
 .../security/OpenSearchSecurityPlugin.java    |  22 ++--
 .../security/filter/SecurityRestFilter.java   |  20 ++--
 .../http/NonSslHttpServerTransport.java       |  27 +----
 .../http/SecureHttpServerTransport.java       | 101 ------------------
 .../ssl/OpenSearchSecureSettingsFactory.java  | 101 ++++++++++++++----
 .../ssl/OpenSearchSecuritySSLPlugin.java      |  16 +--
 .../netty/Netty4ConditionalDecompressor.java  |   7 +-
 .../Netty4HttpRequestHeaderVerifier.java      |  34 +++---
 .../ssl/OpenSearchSecuritySSLPluginTest.java  |  94 ++++++++++++++--
 9 files changed, 223 insertions(+), 199 deletions(-)
 delete mode 100644 src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index a59d1f531d..6e3c22e695 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -107,6 +107,7 @@
 import org.opensearch.extensions.ExtensionsManager;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.noop.NoopSubject;
 import org.opensearch.index.IndexModule;
@@ -117,6 +118,7 @@
 import org.opensearch.plugins.ExtensionAwarePlugin;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.repositories.RepositoriesService;
@@ -156,7 +158,6 @@
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.NonSslHttpServerTransport;
-import org.opensearch.security.http.SecureHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.identity.SecurityTokenManager;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
@@ -239,7 +240,6 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile PrivilegesEvaluator evaluator;
     private volatile UserService userService;
     private volatile RestLayerPrivilegesEvaluator restLayerEvaluator;
-    private volatile ThreadPool threadPool;
     private volatile ConfigurationRepository cr;
     private volatile AdminDNs adminDns;
     private volatile ClusterService cs;
@@ -927,7 +927,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
         NetworkService networkService,
         Dispatcher dispatcher,
         ClusterSettings clusterSettings,
-        SecureTransportSettingsProvider secureTransportSettingsProvider,
+        SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider,
         Tracer tracer
     ) {
 
@@ -942,7 +942,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                 networkService,
                 dispatcher,
                 clusterSettings,
-                secureTransportSettingsProvider,
+                secureHttpTransportSettingsProvider,
                 tracer
             );
         }
@@ -958,7 +958,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                     evaluateSslExceptionHandler()
                 );
                 // TODO close odshst
-                final SecureHttpServerTransport odshst = new SecureHttpServerTransport(
+                final SecureNetty4HttpServerTransport odshst = new SecureNetty4HttpServerTransport(
                     migrateSettings(settings),
                     networkService,
                     bigArrays,
@@ -967,9 +967,8 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                     validatingDispatcher,
                     clusterSettings,
                     sharedGroupFactory,
-                    secureTransportSettingsProvider,
-                    tracer,
-                    securityRestHandler
+                    secureHttpTransportSettingsProvider,
+                    tracer
                 );
 
                 return Collections.singletonMap("org.opensearch.security.http.SecurityHttpServerTransport", () -> odshst);
@@ -985,9 +984,8 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                         dispatcher,
                         clusterSettings,
                         sharedGroupFactory,
-                        secureTransportSettingsProvider,
-                        tracer,
-                        securityRestHandler
+                        secureHttpTransportSettingsProvider,
+                        tracer
                     )
                 );
             }
@@ -2032,7 +2030,7 @@ public SecurityTokenManager getTokenManager() {
 
     @Override
     public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
-        return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, sslExceptionHandler));
+        return Optional.of(new OpenSearchSecureSettingsFactory(threadPool, sks, sslExceptionHandler, securityRestHandler));
     }
 
     public static class GuiceHolder implements LifecycleComponent {
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index 8ccaa3041c..420211f29b 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -55,6 +55,7 @@
 import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
 import org.opensearch.security.securityconf.impl.AllowlistingSettings;
 import org.opensearch.security.securityconf.impl.WhitelistingSettings;
+import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
 import org.opensearch.security.ssl.util.ExceptionUtils;
 import org.opensearch.security.ssl.util.SSLRequestHelper;
@@ -69,10 +70,6 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
-import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
-import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;
 
 public class SecurityRestFilter {
 
@@ -128,15 +125,18 @@ public AuthczRestHandler(RestHandler original, AdminDNs adminDNs) {
 
         @Override
         public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
-            final Optional<SecurityResponse> maybeSavedResponse = NettyAttribute.popFrom(request, EARLY_RESPONSE);
+            final Optional<SecurityResponse> maybeSavedResponse = NettyAttribute.popFrom(
+                request,
+                Netty4HttpRequestHeaderVerifier.EARLY_RESPONSE
+            );
             if (maybeSavedResponse.isPresent()) {
-                NettyAttribute.clearAttribute(request, CONTEXT_TO_RESTORE);
-                NettyAttribute.clearAttribute(request, IS_AUTHENTICATED);
+                NettyAttribute.clearAttribute(request, Netty4HttpRequestHeaderVerifier.CONTEXT_TO_RESTORE);
+                NettyAttribute.clearAttribute(request, Netty4HttpRequestHeaderVerifier.IS_AUTHENTICATED);
                 channel.sendResponse(maybeSavedResponse.get().asRestResponse());
                 return;
             }
 
-            NettyAttribute.popFrom(request, CONTEXT_TO_RESTORE).ifPresent(storedContext -> {
+            NettyAttribute.popFrom(request, Netty4HttpRequestHeaderVerifier.CONTEXT_TO_RESTORE).ifPresent(storedContext -> {
                 // X_OPAQUE_ID will be overritten on restore - save to apply after restoring the saved context
                 final String xOpaqueId = threadContext.getHeader(Task.X_OPAQUE_ID);
                 storedContext.restore();
@@ -145,7 +145,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
                 }
             });
 
-            NettyAttribute.popFrom(request, UNCONSUMED_PARAMS).ifPresent(unconsumedParams -> {
+            NettyAttribute.popFrom(request, Netty4HttpRequestHeaderVerifier.UNCONSUMED_PARAMS).ifPresent(unconsumedParams -> {
                 for (String unconsumedParam : unconsumedParams) {
                     // Consume the parameter on the RestRequest
                     request.param(unconsumedParam);
@@ -155,7 +155,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
             final SecurityRequestChannel requestChannel = SecurityRequestFactory.from(request, channel);
 
             // Authenticate request
-            if (!NettyAttribute.popFrom(request, IS_AUTHENTICATED).orElse(false)) {
+            if (!NettyAttribute.popFrom(request, Netty4HttpRequestHeaderVerifier.IS_AUTHENTICATED).orElse(false)) {
                 // we aren't authenticated so we should skip this step
                 checkAndAuthenticateRequest(requestChannel);
             }
diff --git a/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java b/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
index c97d872aca..d0d1d9f09f 100644
--- a/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/NonSslHttpServerTransport.java
@@ -34,22 +34,15 @@
 import org.opensearch.http.HttpHandlingSettings;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
 import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
-import org.opensearch.plugins.SecureTransportSettingsProvider;
-import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
-import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelInboundHandlerAdapter;
 
 public class NonSslHttpServerTransport extends SecureNetty4HttpServerTransport {
-
-    private final ChannelInboundHandlerAdapter headerVerifier;
-
     public NonSslHttpServerTransport(
         final Settings settings,
         final NetworkService networkService,
@@ -59,9 +52,8 @@ public NonSslHttpServerTransport(
         final Dispatcher dispatcher,
         final ClusterSettings clusterSettings,
         final SharedGroupFactory sharedGroupFactory,
-        final SecureTransportSettingsProvider secureTransportSettingsProvider,
-        final Tracer tracer,
-        final SecurityRestFilter restFilter
+        final SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider,
+        final Tracer tracer
     ) {
         super(
             settings,
@@ -72,10 +64,9 @@ public NonSslHttpServerTransport(
             dispatcher,
             clusterSettings,
             sharedGroupFactory,
-            secureTransportSettingsProvider,
+            secureHttpTransportSettingsProvider,
             tracer
         );
-        headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
     }
 
     @Override
@@ -94,14 +85,4 @@ protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
         }
     }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createHeaderVerifier() {
-        return headerVerifier;
-    }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createDecompressor() {
-        return new Netty4ConditionalDecompressor();
-    }
 }
diff --git a/src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java
deleted file mode 100644
index 170f39ffd6..0000000000
--- a/src/main/java/org/opensearch/security/http/SecureHttpServerTransport.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright 2015-2018 _floragunn_ GmbH
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.http;
-
-import java.util.Set;
-
-import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.ClusterSettings;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.util.BigArrays;
-import org.opensearch.common.util.concurrent.ThreadContext;
-import org.opensearch.core.xcontent.NamedXContentRegistry;
-import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
-import org.opensearch.plugins.SecureTransportSettingsProvider;
-import org.opensearch.security.filter.SecurityResponse;
-import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
-import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
-import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
-import org.opensearch.telemetry.tracing.Tracer;
-import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.SharedGroupFactory;
-
-import io.netty.channel.ChannelInboundHandlerAdapter;
-import io.netty.util.AttributeKey;
-
-public class SecureHttpServerTransport extends SecureNetty4HttpServerTransport {
-
-    public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
-    public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
-    public static final AttributeKey<ThreadContext.StoredContext> CONTEXT_TO_RESTORE = AttributeKey.newInstance(
-        "opensearch-http-request-thread-context"
-    );
-    public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
-    public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");
-
-    private final ChannelInboundHandlerAdapter headerVerifier;
-
-    public SecureHttpServerTransport(
-        final Settings settings,
-        final NetworkService networkService,
-        final BigArrays bigArrays,
-        final ThreadPool threadPool,
-        final NamedXContentRegistry namedXContentRegistry,
-        final ValidatingDispatcher dispatcher,
-        final ClusterSettings clusterSettings,
-        SharedGroupFactory sharedGroupFactory,
-        final SecureTransportSettingsProvider secureTransportSettingsProvider,
-        Tracer tracer,
-        SecurityRestFilter restFilter
-    ) {
-        super(
-            settings,
-            networkService,
-            bigArrays,
-            threadPool,
-            namedXContentRegistry,
-            dispatcher,
-            clusterSettings,
-            sharedGroupFactory,
-            secureTransportSettingsProvider,
-            tracer
-        );
-
-        headerVerifier = new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings);
-    }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createHeaderVerifier() {
-        return headerVerifier;
-    }
-
-    @Override
-    protected ChannelInboundHandlerAdapter createDecompressor() {
-        return new Netty4ConditionalDecompressor();
-    }
-}
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
index d85f490d0c..5351eea57e 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecureSettingsFactory.java
@@ -11,63 +11,124 @@
 
 package org.opensearch.security.ssl;
 
+import java.util.Collection;
+import java.util.List;
 import java.util.Optional;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.http.HttpServerTransport;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
-import org.opensearch.transport.TcpTransport;
+import org.opensearch.plugins.TransportExceptionHandler;
+import org.opensearch.security.filter.SecurityRestFilter;
+import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
+import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
+import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.transport.Transport;
+import org.opensearch.transport.TransportAdapterProvider;
+
+import io.netty.channel.ChannelInboundHandlerAdapter;
 
 public class OpenSearchSecureSettingsFactory implements SecureSettingsFactory {
-    private final Settings settings;
+    private final ThreadPool threadPool;
     private final SecurityKeyStore sks;
     private final SslExceptionHandler sslExceptionHandler;
+    private final SecurityRestFilter restFilter;
 
-    public OpenSearchSecureSettingsFactory(Settings settings, SecurityKeyStore sks, SslExceptionHandler sslExceptionHandler) {
-        this.settings = settings;
+    public OpenSearchSecureSettingsFactory(
+        ThreadPool threadPool,
+        SecurityKeyStore sks,
+        SslExceptionHandler sslExceptionHandler,
+        SecurityRestFilter restFilter
+    ) {
+        this.threadPool = threadPool;
         this.sks = sks;
         this.sslExceptionHandler = sslExceptionHandler;
+        this.restFilter = restFilter;
     }
 
     @Override
     public Optional<SecureTransportSettingsProvider> getSecureTransportSettingsProvider(Settings settings) {
         return Optional.of(new SecureTransportSettingsProvider() {
             @Override
-            public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
-                return Optional.of(new ServerExceptionHandler() {
+            public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(Settings settings, Transport transport) {
+                return Optional.of(new TransportExceptionHandler() {
                     @Override
                     public void onError(Throwable t) {
-                        sslExceptionHandler.logError(t, true);
+                        sslExceptionHandler.logError(t, false);
                     }
                 });
             }
 
             @Override
-            public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
-                return Optional.of(new ServerExceptionHandler() {
-                    @Override
-                    public void onError(Throwable t) {
-                        sslExceptionHandler.logError(t, false);
-                    }
-                });
+            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
+                return Optional.of(sks.createServerTransportSSLEngine());
             }
 
             @Override
-            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
-                return Optional.of(sks.createHTTPSSLEngine());
+            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
+                return Optional.of(sks.createClientTransportSSLEngine(hostname, port));
             }
+        });
+    }
 
+    @Override
+    public Optional<SecureHttpTransportSettingsProvider> getSecureHttpTransportSettingsProvider(Settings settings) {
+        return Optional.of(new SecureHttpTransportSettingsProvider() {
             @Override
-            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
-                return Optional.of(sks.createServerTransportSSLEngine());
+            public Collection<TransportAdapterProvider<HttpServerTransport>> getHttpTransportAdapterProviders(Settings settings) {
+                return List.of(new TransportAdapterProvider<HttpServerTransport>() {
+                    @Override
+                    public String name() {
+                        return SecureNetty4HttpServerTransport.REQUEST_DECOMPRESSOR;
+                    }
+
+                    @SuppressWarnings("unchecked")
+                    @Override
+                    public <C> Optional<C> create(Settings settings, HttpServerTransport transport, Class<C> adapterClass) {
+                        if (transport instanceof SecureNetty4HttpServerTransport
+                            && ChannelInboundHandlerAdapter.class.isAssignableFrom(adapterClass)) {
+                            return Optional.of((C) new Netty4ConditionalDecompressor());
+                        } else {
+                            return Optional.empty();
+                        }
+                    }
+                }, new TransportAdapterProvider<HttpServerTransport>() {
+                    @Override
+                    public String name() {
+                        return SecureNetty4HttpServerTransport.REQUEST_HEADER_VERIFIER;
+                    }
+
+                    @SuppressWarnings("unchecked")
+                    @Override
+                    public <C> Optional<C> create(Settings settings, HttpServerTransport transport, Class<C> adapterClass) {
+                        if (transport instanceof SecureNetty4HttpServerTransport
+                            && ChannelInboundHandlerAdapter.class.isAssignableFrom(adapterClass)) {
+                            return Optional.of((C) new Netty4HttpRequestHeaderVerifier(restFilter, threadPool, settings));
+                        } else {
+                            return Optional.empty();
+                        }
+                    }
+                });
             }
 
             @Override
-            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
-                return Optional.of(sks.createClientTransportSSLEngine(hostname, port));
+            public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+                return Optional.of(new TransportExceptionHandler() {
+                    @Override
+                    public void onError(Throwable t) {
+                        sslExceptionHandler.logError(t, true);
+                    }
+                });
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+                return Optional.of(sks.createHTTPSSLEngine());
             }
         });
     }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 3acbce21cf..073193e9d4 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -61,8 +61,10 @@
 import org.opensearch.env.NodeEnvironment;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
 import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.plugins.SystemIndexPlugin;
@@ -73,7 +75,6 @@
 import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.NonValidatingObjectMapper;
 import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.http.SecureHttpServerTransport;
 import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
 import org.opensearch.security.ssl.rest.SecuritySSLInfoAction;
 import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
@@ -131,6 +132,7 @@ public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPl
     private final static SslExceptionHandler NOOP_SSL_EXCEPTION_HANDLER = new SslExceptionHandler() {
     };
     protected final SSLConfig SSLConfig;
+    protected volatile ThreadPool threadPool;
 
     // public OpenSearchSecuritySSLPlugin(final Settings settings, final Path configPath) {
     // this(settings, configPath, false);
@@ -266,7 +268,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
         NetworkService networkService,
         Dispatcher dispatcher,
         ClusterSettings clusterSettings,
-        SecureTransportSettingsProvider secureTransportSettingsProvider,
+        SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider,
         Tracer tracer
     ) {
 
@@ -279,7 +281,7 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                 configPath,
                 NOOP_SSL_EXCEPTION_HANDLER
             );
-            final SecureHttpServerTransport sgsnht = new SecureHttpServerTransport(
+            final SecureNetty4HttpServerTransport sgsnht = new SecureNetty4HttpServerTransport(
                 migrateSettings(settings),
                 networkService,
                 bigArrays,
@@ -288,9 +290,8 @@ public Map<String, Supplier<HttpServerTransport>> getSecureHttpTransports(
                 validatingDispatcher,
                 clusterSettings,
                 sharedGroupFactory,
-                secureTransportSettingsProvider,
-                tracer,
-                securityRestHandler
+                secureHttpTransportSettingsProvider,
+                tracer
             );
 
             return Collections.singletonMap("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport", () -> sgsnht);
@@ -381,6 +382,7 @@ public Collection<Object> createComponents(
         Supplier<RepositoriesService> repositoriesServiceSupplier
     ) {
 
+        this.threadPool = threadPool;
         final List<Object> components = new ArrayList<>(1);
 
         if (client) {
@@ -676,7 +678,7 @@ public List<String> getSettingsFilter() {
 
     @Override
     public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings) {
-        return Optional.of(new OpenSearchSecureSettingsFactory(settings, sks, NOOP_SSL_EXCEPTION_HANDLER));
+        return Optional.of(new OpenSearchSecureSettingsFactory(threadPool, sks, NOOP_SSL_EXCEPTION_HANDLER, securityRestHandler));
     }
 
     protected Settings migrateSettings(Settings settings) {
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
index 8b2d4bb1d2..b36a12da48 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4ConditionalDecompressor.java
@@ -13,15 +13,12 @@
 import io.netty.channel.embedded.EmbeddedChannel;
 import io.netty.handler.codec.http.HttpContentDecompressor;
 
-import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecureHttpServerTransport.SHOULD_DECOMPRESS;
-
 public class Netty4ConditionalDecompressor extends HttpContentDecompressor {
 
     @Override
     protected EmbeddedChannel newContentDecoder(String contentEncoding) throws Exception {
-        final boolean hasAnEarlyReponse = NettyAttribute.peekFrom(ctx, EARLY_RESPONSE).isPresent();
-        final boolean shouldDecompress = NettyAttribute.popFrom(ctx, SHOULD_DECOMPRESS).orElse(false);
+        final boolean hasAnEarlyReponse = NettyAttribute.peekFrom(ctx, Netty4HttpRequestHeaderVerifier.EARLY_RESPONSE).isPresent();
+        final boolean shouldDecompress = NettyAttribute.popFrom(ctx, Netty4HttpRequestHeaderVerifier.SHOULD_DECOMPRESS).orElse(false);
         if (hasAnEarlyReponse || !shouldDecompress) {
             // If there was an error prompting an early response,... don't decompress
             // If there is no explicit decompress flag,... don't decompress
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
index 052f1961e2..9afd6b0e22 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
@@ -8,6 +8,8 @@
 
 package org.opensearch.security.ssl.http.netty;
 
+import java.util.Set;
+
 import org.opensearch.ExceptionsHelper;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
@@ -30,16 +32,19 @@
 import io.netty.channel.SimpleChannelInboundHandler;
 import io.netty.handler.codec.http.DefaultHttpRequest;
 import io.netty.handler.codec.http.HttpRequest;
+import io.netty.util.AttributeKey;
 import io.netty.util.ReferenceCountUtil;
 
-import static org.opensearch.security.http.SecureHttpServerTransport.CONTEXT_TO_RESTORE;
-import static org.opensearch.security.http.SecureHttpServerTransport.EARLY_RESPONSE;
-import static org.opensearch.security.http.SecureHttpServerTransport.IS_AUTHENTICATED;
-import static org.opensearch.security.http.SecureHttpServerTransport.SHOULD_DECOMPRESS;
-import static org.opensearch.security.http.SecureHttpServerTransport.UNCONSUMED_PARAMS;
-
 @Sharable
 public class Netty4HttpRequestHeaderVerifier extends SimpleChannelInboundHandler<DefaultHttpRequest> {
+    public static final AttributeKey<Boolean> IS_AUTHENTICATED = AttributeKey.newInstance("opensearch-http-is-authenticated");
+    public static final AttributeKey<Boolean> SHOULD_DECOMPRESS = AttributeKey.newInstance("opensearch-http-should-decompress");
+    public static final AttributeKey<ThreadContext.StoredContext> CONTEXT_TO_RESTORE = AttributeKey.newInstance(
+        "opensearch-http-request-thread-context"
+    );
+    public static final AttributeKey<Set<String>> UNCONSUMED_PARAMS = AttributeKey.newInstance("opensearch-http-request-consumed-params");
+    public static final AttributeKey<SecurityResponse> EARLY_RESPONSE = AttributeKey.newInstance("opensearch-http-early-response");
+
     private final SecurityRestFilter restFilter;
     private final ThreadPool threadPool;
     private final SSLConfig sslConfig;
@@ -72,8 +77,8 @@ public void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest msg) thro
         }
 
         // Start by setting this value to false, only requests that meet all the criteria will be decompressed
-        ctx.channel().attr(SHOULD_DECOMPRESS).set(Boolean.FALSE);
-        ctx.channel().attr(IS_AUTHENTICATED).set(Boolean.FALSE);
+        ctx.channel().attr(Netty4HttpRequestHeaderVerifier.SHOULD_DECOMPRESS).set(Boolean.FALSE);
+        ctx.channel().attr(Netty4HttpRequestHeaderVerifier.IS_AUTHENTICATED).set(Boolean.FALSE);
 
         final Netty4HttpChannel httpChannel = ctx.channel().attr(Netty4HttpServerTransport.HTTP_CHANNEL_KEY).get();
 
@@ -85,24 +90,25 @@ public void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest msg) thro
             // If request channel is completed and a response is sent, then there was a failure during authentication
             restFilter.checkAndAuthenticateRequest(requestChannel);
 
-            ctx.channel().attr(UNCONSUMED_PARAMS).set(requestChannel.getUnconsumedParams());
+            ctx.channel().attr(Netty4HttpRequestHeaderVerifier.UNCONSUMED_PARAMS).set(requestChannel.getUnconsumedParams());
 
             ThreadContext.StoredContext contextToRestore = threadPool.getThreadContext().newStoredContext(false);
-            ctx.channel().attr(CONTEXT_TO_RESTORE).set(contextToRestore);
+            ctx.channel().attr(Netty4HttpRequestHeaderVerifier.CONTEXT_TO_RESTORE).set(contextToRestore);
 
-            requestChannel.getQueuedResponse().ifPresent(response -> ctx.channel().attr(EARLY_RESPONSE).set(response));
+            requestChannel.getQueuedResponse()
+                .ifPresent(response -> ctx.channel().attr(Netty4HttpRequestHeaderVerifier.EARLY_RESPONSE).set(response));
 
             boolean shouldSkipAuthentication = SecurityRestUtils.shouldSkipAuthentication(requestChannel);
             boolean shouldDecompress = !shouldSkipAuthentication && requestChannel.getQueuedResponse().isEmpty();
 
             if (requestChannel.getQueuedResponse().isEmpty() || shouldSkipAuthentication) {
                 // Only allow decompression on authenticated requests that also aren't one of those ^
-                ctx.channel().attr(SHOULD_DECOMPRESS).set(Boolean.valueOf(shouldDecompress));
-                ctx.channel().attr(IS_AUTHENTICATED).set(Boolean.TRUE);
+                ctx.channel().attr(Netty4HttpRequestHeaderVerifier.SHOULD_DECOMPRESS).set(Boolean.valueOf(shouldDecompress));
+                ctx.channel().attr(Netty4HttpRequestHeaderVerifier.IS_AUTHENTICATED).set(Boolean.TRUE);
             }
         } catch (final OpenSearchSecurityException e) {
             final SecurityResponse earlyResponse = new SecurityResponse(ExceptionsHelper.status(e).getStatus(), e);
-            ctx.channel().attr(EARLY_RESPONSE).set(earlyResponse);
+            ctx.channel().attr(Netty4HttpRequestHeaderVerifier.EARLY_RESPONSE).set(earlyResponse);
         } catch (final SecurityRequestChannelUnsupported srcu) {
             // Use defaults for unsupported channels
         } finally {
diff --git a/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
index 03488fe17c..aefb12c0db 100644
--- a/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
+++ b/src/test/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPluginTest.java
@@ -13,6 +13,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
@@ -26,16 +27,22 @@
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.http.HttpServerTransport;
+import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
+import org.opensearch.plugins.TransportExceptionHandler;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.support.SecuritySettings;
 import org.opensearch.security.test.AbstractSecurityUnitTest;
 import org.opensearch.security.test.helper.file.FileHelper;
 import org.opensearch.telemetry.tracing.noop.NoopTracer;
-import org.opensearch.transport.TcpTransport;
 import org.opensearch.transport.Transport;
+import org.opensearch.transport.TransportAdapterProvider;
+
+import io.netty.channel.ChannelInboundHandlerAdapter;
 
 import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.nullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -44,6 +51,7 @@
 
 public class OpenSearchSecuritySSLPluginTest extends AbstractSecurityUnitTest {
     private Settings settings;
+    private SecureHttpTransportSettingsProvider secureHttpTransportSettingsProvider;
     private SecureTransportSettingsProvider secureTransportSettingsProvider;
     private ClusterSettings clusterSettings;
 
@@ -76,27 +84,29 @@ public void setUp() {
 
         secureTransportSettingsProvider = new SecureTransportSettingsProvider() {
             @Override
-            public Optional<ServerExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+            public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(Settings settings, Transport transport) {
                 return Optional.empty();
             }
 
             @Override
-            public Optional<ServerExceptionHandler> buildServerTransportExceptionHandler(Settings settings, TcpTransport transport) {
+            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
                 return Optional.empty();
             }
 
             @Override
-            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
                 return Optional.empty();
             }
+        };
 
+        secureHttpTransportSettingsProvider = new SecureHttpTransportSettingsProvider() {
             @Override
-            public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, TcpTransport transport) throws SSLException {
+            public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
                 return Optional.empty();
             }
 
             @Override
-            public Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException {
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
                 return Optional.empty();
             }
         };
@@ -117,10 +127,14 @@ public void testRegisterSecureHttpTransport() throws IOException {
                 null,
                 null,
                 clusterSettings,
-                secureTransportSettingsProvider,
+                secureHttpTransportSettingsProvider,
                 NoopTracer.INSTANCE
             );
             assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport"));
+            assertThat(
+                transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport").get(),
+                not(nullValue())
+            );
         }
     }
 
@@ -138,6 +152,7 @@ public void testRegisterSecureTransport() throws IOException {
                 NoopTracer.INSTANCE
             );
             assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport"));
+            assertThat(transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport").get(), not(nullValue()));
         }
     }
 
@@ -243,4 +258,69 @@ public void testRegisterSecureTransportWithDuplicateSettings() throws IOExceptio
             }
         }
     }
+
+    @Test
+    public void testRegisterSecureHttpTransportWithRequestHeaderVerifier() throws IOException {
+        final AtomicBoolean created = new AtomicBoolean(false);
+
+        class LocalHeaderVerifier extends ChannelInboundHandlerAdapter {
+            public LocalHeaderVerifier() {
+                created.set(true);
+            }
+        }
+
+        final SecureHttpTransportSettingsProvider provider = new SecureHttpTransportSettingsProvider() {
+            @Override
+            public Collection<TransportAdapterProvider<HttpServerTransport>> getHttpTransportAdapterProviders(Settings settings) {
+                return List.of(new TransportAdapterProvider<HttpServerTransport>() {
+
+                    @Override
+                    public String name() {
+                        return SecureNetty4HttpServerTransport.REQUEST_HEADER_VERIFIER;
+                    }
+
+                    @SuppressWarnings("unchecked")
+                    @Override
+                    public <C> Optional<C> create(Settings settings, HttpServerTransport transport, Class<C> adapterClass) {
+                        return Optional.of((C) new LocalHeaderVerifier());
+                    }
+
+                });
+            }
+
+            @Override
+            public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Settings settings, HttpServerTransport transport) {
+                return Optional.empty();
+            }
+
+            @Override
+            public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
+                return Optional.empty();
+            }
+        };
+
+        try (OpenSearchSecuritySSLPlugin plugin = new OpenSearchSecuritySSLPlugin(settings, null, false)) {
+            final Map<String, Supplier<HttpServerTransport>> transports = plugin.getSecureHttpTransports(
+                settings,
+                MOCK_POOL,
+                null,
+                null,
+                null,
+                null,
+                null,
+                null,
+                clusterSettings,
+                provider,
+                NoopTracer.INSTANCE
+            );
+            assertThat(transports, hasKey("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport"));
+
+            assertThat(
+                transports.get("org.opensearch.security.ssl.http.netty.SecuritySSLNettyHttpServerTransport").get(),
+                not(nullValue())
+            );
+
+            assertThat(created.get(), is(true));
+        }
+    }
 }

From ef72e4c1e539a98a83dd9882e5f3d10d33ad3a2d Mon Sep 17 00:00:00 2001
From: Sicheng Song <sicheng.song@outlook.com>
Date: Fri, 29 Mar 2024 13:09:26 -0700
Subject: [PATCH 104/143] Refactor and update existing ml roles (#4151)

Signed-off-by: Sicheng Song <sicheng.song@outlook.com>
---
 config/roles.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/config/roles.yml b/config/roles.yml
index e90a4e62a6..1b4c13745f 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -272,25 +272,39 @@ cross_cluster_search_remote_full_access:
         - 'indices:data/read/search'
 
 # Allow users to operate query assistant
-ml_query_assistant_access:
+query_assistant_access:
   reserved: true
   cluster_permissions:
+    - 'cluster:admin/opensearch/ml/config/get'
     - 'cluster:admin/opensearch/ml/execute'
-    - 'cluster:admin/opensearch/ml/memory/conversation/create'
-    - 'cluster:admin/opensearch/ml/memory/interaction/create'
     - 'cluster:admin/opensearch/ml/predict'
+    - 'cluster:admin/opensearch/ppl'
 
 # Allow users to read ML stats/models/tasks
 ml_read_access:
   reserved: true
   cluster_permissions:
+    - 'cluster:admin/opensearch/ml/config/get'
     - 'cluster:admin/opensearch/ml/connectors/get'
     - 'cluster:admin/opensearch/ml/connectors/search'
+    - 'cluster:admin/opensearch/ml/controllers/get'
+    - 'cluster:admin/opensearch/ml/memory/conversation/get'
+    - 'cluster:admin/opensearch/ml/memory/conversation/interaction/search'
+    - 'cluster:admin/opensearch/ml/memory/conversation/list'
+    - 'cluster:admin/opensearch/ml/memory/conversation/search'
+    - 'cluster:admin/opensearch/ml/memory/interaction/get'
+    - 'cluster:admin/opensearch/ml/memory/interaction/list'
+    - 'cluster:admin/opensearch/ml/memory/trace/get'
+    - 'cluster:admin/opensearch/ml/model_groups/get'
     - 'cluster:admin/opensearch/ml/model_groups/search'
     - 'cluster:admin/opensearch/ml/models/get'
     - 'cluster:admin/opensearch/ml/models/search'
+    - 'cluster:admin/opensearch/ml/profile/nodes'
+    - 'cluster:admin/opensearch/ml/stats/nodes'
     - 'cluster:admin/opensearch/ml/tasks/get'
     - 'cluster:admin/opensearch/ml/tasks/search'
+    - 'cluster:admin/opensearch/ml/tools/get'
+    - 'cluster:admin/opensearch/ml/tools/list'
 
 # Allows users to use all ML functionality
 ml_full_access:

From 49bb15fb45854b61b3d34af1e4a05eda02deb077 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 07:50:11 -0400
Subject: [PATCH 105/143] Bump com.fasterxml.woodstox:woodstox-core from 6.6.1
 to 6.6.2 (#4191)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 607649d082..a1c901fbb4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -644,7 +644,7 @@ dependencies {
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'
     runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.2'
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
-    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.6.1'
+    runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.6.2'
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"

From 065eaffe97f7ca51b8fd66aeefa3531b23fb4db3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 07:51:30 -0400
Subject: [PATCH 106/143] Bump commons-io:commons-io from 2.15.1 to 2.16.0
 (#4192)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a1c901fbb4..fe4785d8dd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -720,7 +720,7 @@ dependencies {
     integrationTestImplementation 'junit:junit:4.13.2'
     integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
     integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
-    integrationTestImplementation 'commons-io:commons-io:2.15.1'
+    integrationTestImplementation 'commons-io:commons-io:2.16.0'
     integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'

From 98080f836a51bdbc0aa381c399730b2c90f94032 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 07:52:01 -0400
Subject: [PATCH 107/143] Bump io.dropwizard.metrics:metrics-core from 4.2.15
 to 4.2.25 (#4193)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index fe4785d8dd..17a801d82b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -613,7 +613,7 @@ dependencies {
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.1'
-    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.15"
+    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.25"
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
     implementation "org.opensaml:opensaml-core:${open_saml_version}"

From 759ef7e991a277c43d98fe6326b4f88f42853849 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 12:12:53 +0000
Subject: [PATCH 108/143] Bump Wandalen/wretry.action from 2.1.0 to 3.0.0
 (#4194)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d1873fba2a..90ad1614da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v2.1.0
+        uses: Wandalen/wretry.action@v3.0.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

From 4e8297aa4253c675526a803651a9214fe4e02962 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 2 Apr 2024 14:08:54 -0400
Subject: [PATCH 109/143] Remove date from release notes (#4203)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 release-notes/opensearch-security.release-notes-2.13.0.0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/release-notes/opensearch-security.release-notes-2.13.0.0.md b/release-notes/opensearch-security.release-notes-2.13.0.0.md
index 42ccd8fff0..48ecfa9b87 100644
--- a/release-notes/opensearch-security.release-notes-2.13.0.0.md
+++ b/release-notes/opensearch-security.release-notes-2.13.0.0.md
@@ -1,4 +1,4 @@
-## 2024-03-19 Version 2.13.0.0
+## Version 2.13.0.0
 
 Compatible with OpenSearch 2.13.0
 

From 90fe3bb65dda815bbcf9b9ce87c1044f631d8a8b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Apr 2024 08:21:08 -0400
Subject: [PATCH 110/143] Bump com.nulab-inc:zxcvbn from 1.8.2 to 1.9.0 (#4217)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 17a801d82b..6b3f2ebfed 100644
--- a/build.gradle
+++ b/build.gradle
@@ -631,7 +631,7 @@ dependencies {
     runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-storage-api:${open_saml_version}"
 
-    implementation "com.nulab-inc:zxcvbn:1.8.2"
+    implementation "com.nulab-inc:zxcvbn:1.9.0"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.2'
     runtimeOnly 'org.apache.commons:commons-text:1.11.0'

From b9f864672e52847ea3d1922215302bd3bd85bc50 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Apr 2024 08:21:16 -0400
Subject: [PATCH 111/143] Bump com.google.googlejavaformat:google-java-format
 from 1.21.0 to 1.22.0 (#4216)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 6b3f2ebfed..51d9fedb7a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -737,7 +737,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.21.0') {
+    implementation('com.google.googlejavaformat:google-java-format:1.22.0') {
         exclude group: 'com.google.guava'
     }
 }

From 02947dd009c052cea6ccca1926d701019b192edb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Apr 2024 08:21:59 -0400
Subject: [PATCH 112/143] Bump Wandalen/wretry.action from 3.0.0 to 3.1.0
 (#4218)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 90ad1614da..45f306318e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v3.0.0
+        uses: Wandalen/wretry.action@v3.1.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

From ba74d1493edba694441786519fdbec5161849a16 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Mon, 8 Apr 2024 14:46:23 +0200
Subject: [PATCH 113/143] Fix bug for PATCH in EndpointValidator (#4190)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../dlic/rest/api/AbstractApiAction.java      |   2 +-
 .../dlic/rest/api/RolesApiAction.java         |   9 +-
 .../dlic/rest/api/RolesMappingApiAction.java  |  11 +-
 .../rest/validation/EndpointValidator.java    |  12 +-
 .../dlic/rest/api/ActionGroupsApiTest.java    |  72 +++++++---
 .../api/RolesApiActionValidationTest.java     |  14 +-
 .../security/dlic/rest/api/RolesApiTest.java  | 113 ++++++----------
 .../RolesMappingApiActionValidationTest.java  |   5 +-
 .../dlic/rest/api/RolesMappingApiTest.java    | 125 ++++++++----------
 src/test/resources/restapi/action_groups.yml  |  13 ++
 src/test/resources/restapi/roles.yml          |  26 ++++
 src/test/resources/restapi/roles_mapping.yml  |   3 +
 12 files changed, 214 insertions(+), 191 deletions(-)

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
index a38d618da0..157d44da73 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -241,7 +241,7 @@ protected ValidationResult<SecurityConfiguration> patchEntities(
             for (final var entityName : patchEntityNames(patchContent)) {
                 final var beforePatchEntity = configurationAsJson.get(entityName);
                 final var patchedEntity = patchedConfigurationAsJson.get(entityName);
-                // verify we can process exising or updated entities
+                // verify we can process existing or updated entities
                 if (beforePatchEntity != null && !Objects.equals(beforePatchEntity, patchedEntity)) {
                     final var checkEntityCanBeProcess = endpointValidator.isAllowedToChangeImmutableEntity(
                         SecurityConfiguration.of(entityName, configuration)
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
index 50fac9b80c..8b25fd5702 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesApiAction.java
@@ -141,12 +141,9 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
             @Override
             public ValidationResult<SecurityConfiguration> isAllowedToChangeImmutableEntity(SecurityConfiguration securityConfiguration)
                 throws IOException {
-                return EndpointValidator.super.isAllowedToChangeImmutableEntity(securityConfiguration).map(ignore -> {
-                    if (isCurrentUserAdmin()) {
-                        return ValidationResult.success(securityConfiguration);
-                    }
-                    return isAllowedToChangeEntityWithRestAdminPermissions(securityConfiguration);
-                });
+                return EndpointValidator.super.isAllowedToChangeImmutableEntity(securityConfiguration).map(
+                    ignore -> isAllowedToChangeEntityWithRestAdminPermissions(securityConfiguration)
+                );
             }
 
             @Override
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
index b980a1e4ba..bc2e515e09 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RolesMappingApiAction.java
@@ -106,14 +106,11 @@ public ValidationResult<SecurityConfiguration> isAllowedToChangeImmutableEntity(
             public ValidationResult<SecurityConfiguration> isAllowedToChangeRoleMappingWithRestAdminPermissions(
                 SecurityConfiguration securityConfiguration
             ) throws IOException {
-                return loadConfiguration(CType.ROLES, false, false).map(rolesConfiguration -> {
-                    if (isCurrentUserAdmin()) {
-                        return ValidationResult.success(securityConfiguration);
-                    }
-                    return isAllowedToChangeEntityWithRestAdminPermissions(
+                return loadConfiguration(CType.ROLES, false, false).map(
+                    rolesConfiguration -> isAllowedToChangeEntityWithRestAdminPermissions(
                         SecurityConfiguration.of(securityConfiguration.entityName(), rolesConfiguration)
-                    );
-                }).map(ignore -> ValidationResult.success(securityConfiguration));
+                    )
+                ).map(ignore -> ValidationResult.success(securityConfiguration));
             }
 
             @Override
diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java
index 5879272b30..17c8b1f2ba 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java
@@ -156,21 +156,19 @@ default ValidationResult<SecurityDynamicConfiguration<?>> validateRoles(
     default ValidationResult<SecurityConfiguration> isAllowedToChangeEntityWithRestAdminPermissions(
         final SecurityConfiguration securityConfiguration
     ) throws IOException {
+        final var configuration = securityConfiguration.configuration();
         if (securityConfiguration.entityExists()) {
-            final var configuration = securityConfiguration.configuration();
             final var existingEntity = configuration.getCEntry(securityConfiguration.entityName());
             if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(existingEntity)) {
-
                 return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
             }
-        } else {
-            final var configuration = securityConfiguration.configuration();
-            final var configEntityContent = Utils.toConfigObject(
+        }
+        if (securityConfiguration.requestContent() != null) {
+            final var newConfigEntityContent = Utils.toConfigObject(
                 securityConfiguration.requestContent(),
                 configuration.getImplementingClass()
             );
-            if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(configEntityContent)) {
-
+            if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(newConfigEntityContent)) {
                 return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
             }
         }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java
index fb166779ac..fbeb3473fc 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java
@@ -441,25 +441,46 @@ public void testActionGroupsApiForActionGroupsRestApiAdmin() throws Exception {
     }
 
     @Test
-    public void testCreateActionGroupWithRestAdminPermissionsForbidden() throws Exception {
+    public void testCreateOrUpdateRestApiAdminActionGroupForbidden() throws Exception {
         setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
         rh.sendAdminCertificate = false;
-        final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
-        final Header restApiAdminActionGroupsHeader = encodeBasicHeader("rest_api_admin_actiongroups", "rest_api_admin_actiongroups");
-        final Header restApiHeader = encodeBasicHeader("test", "test");
+        final var userHeaders = List.of(
+            encodeBasicHeader("admin", "admin"),
+            encodeBasicHeader("test", "test"),
+            encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"),
+            encodeBasicHeader("rest_api_admin_actiongroups", "rest_api_admin_actiongroups")
+        );
+        for (final var userHeader : userHeaders) {
+            // attempt to create new action group with REST admin permissions
+            verifyPutForbidden("new_rest_api_admin_group", restAdminAllowedActions(), userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("new_rest_api_admin_group", "add"), userHeader);
+
+            // attempt to update existing action group which has REST admin permissions
+            verifyPutForbidden("rest_admin_action_group", restAdminAllowedActions(), userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("rest_admin_action_group", "replace"), userHeader);
+
+            // attempt to update existing action group with REST admin permissions
+            verifyPutForbidden("OPENDISTRO_SECURITY_CLUSTER_ALL", restAdminAllowedActions(), userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("OPENDISTRO_SECURITY_CLUSTER_ALL", "replace"), userHeader);
+
+            // attempt to delete
+            verifyDeleteForbidden("rest_admin_action_group", userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("rest_admin_action_group", "remove"), userHeader);
+        }
+    }
 
-        HttpResponse response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), restApiAdminHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), restApiAdminActionGroupsHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePutRequest(ENDPOINT + "/rest_api_admin_group", restAdminAllowedActions(), restApiHeader);
+    void verifyPutForbidden(final String actionGroupName, final String payload, final Header... header) {
+        HttpResponse response = rh.executePutRequest(ENDPOINT + "/" + actionGroupName, payload, header);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+    }
 
-        response = rh.executePatchRequest(ENDPOINT, restAdminPatchBody(), restApiAdminHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePatchRequest(ENDPOINT, restAdminPatchBody(), restApiAdminActionGroupsHeader);
+    void verifyPatchForbidden(final String payload, final Header... header) {
+        HttpResponse response = rh.executePatchRequest(ENDPOINT, payload, header);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePatchRequest(ENDPOINT, restAdminPatchBody(), restApiHeader);
+    }
+
+    void verifyDeleteForbidden(final String actionGroupName, final Header... header) {
+        HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/" + actionGroupName, header);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
     }
 
@@ -469,13 +490,30 @@ String restAdminAllowedActions() throws JsonProcessingException {
         return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode);
     }
 
-    String restAdminPatchBody() throws JsonProcessingException {
+    private String createPatchRestAdminPermissionsPayload(final String actionGroup, final String op) throws JsonProcessingException {
         final ArrayNode rootNode = DefaultObjectMapper.objectMapper.createArrayNode();
-        final ObjectNode opAddRootNode = DefaultObjectMapper.objectMapper.createObjectNode();
+        final ObjectNode opAddObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
         final ObjectNode allowedActionsNode = DefaultObjectMapper.objectMapper.createObjectNode();
         allowedActionsNode.set("allowed_actions", clusterPermissionsForRestAdmin("cluster/*"));
-        opAddRootNode.put("op", "add").put("path", "/rest_api_admin_group").set("value", allowedActionsNode);
-        rootNode.add(opAddRootNode);
+        if ("add".equals(op)) {
+            opAddObjectNode.put("op", "add").put("path", "/" + actionGroup).set("value", allowedActionsNode);
+            rootNode.add(opAddObjectNode);
+        }
+
+        if ("remove".equals(op)) {
+            final ObjectNode opRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
+            opRemoveObjectNode.put("op", "remove").put("path", "/" + actionGroup);
+            rootNode.add(opRemoveObjectNode);
+        }
+
+        if ("replace".equals(op)) {
+            final ObjectNode replaceRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
+            replaceRemoveObjectNode.put("op", "replace")
+                .put("path", "/" + actionGroup + "/allowed_actions")
+                .set("value", clusterPermissionsForRestAdmin("*"));
+
+            rootNode.add(replaceRemoveObjectNode);
+        }
         return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode);
     }
 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
index 88a358dcb2..7fe089c0ba 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiActionValidationTest.java
@@ -28,21 +28,18 @@ public class RolesApiActionValidationTest extends AbstractApiActionValidationTes
 
     @Test
     public void isAllowedToChangeImmutableEntity() throws Exception {
-        when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.ROLES)).thenReturn(true);
-
         final var role = new RoleV7();
         role.setCluster_permissions(restApiAdminPermissions());
 
-        final var rolesApiActionEndpointValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies).createEndpointValidator();
-        final var result = rolesApiActionEndpointValidator.isAllowedToChangeImmutableEntity(SecurityConfiguration.of( "sss", configuration));
+        final var rolesApiActionEndpointValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
+            .createEndpointValidator();
+        final var result = rolesApiActionEndpointValidator.isAllowedToChangeImmutableEntity(SecurityConfiguration.of("sss", configuration));
 
         assertTrue(result.isValid());
     }
 
     @Test
     public void isNotAllowedRightsToChangeImmutableEntity() throws Exception {
-        when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.ROLES)).thenReturn(false);
-
         final var role = new RoleV7();
         role.setCluster_permissions(restApiAdminPermissions());
 
@@ -50,8 +47,9 @@ public void isNotAllowedRightsToChangeImmutableEntity() throws Exception {
         Mockito.<Object>when(configuration.getCEntry("sss")).thenReturn(role);
 
         when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
-        final var rolesApiActionEndpointValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies).createEndpointValidator();
-        final var result = rolesApiActionEndpointValidator.isAllowedToChangeImmutableEntity(SecurityConfiguration.of( "sss", configuration));
+        final var rolesApiActionEndpointValidator = new RolesApiAction(clusterService, threadPool, securityApiDependencies)
+            .createEndpointValidator();
+        final var result = rolesApiActionEndpointValidator.isAllowedToChangeImmutableEntity(SecurityConfiguration.of("sss", configuration));
 
         assertFalse(result.isValid());
         assertEquals(RestStatus.FORBIDDEN, result.status());
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
index bb11bb2226..eb3ad7d4e5 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
@@ -691,105 +691,74 @@ public void testRolesApiWithRestApiRolePermission() throws Exception {
     }
 
     @Test
-    public void testCreateOrUpdateRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception {
+    public void testCrudRestApiAdminRoleForbidden() throws Exception {
         setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
         rh.sendAdminCertificate = false;
 
-        final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
-        final Header adminHeader = encodeBasicHeader("admin", "admin");
-        final Header restApiHeader = encodeBasicHeader("test", "test");
-
-        final String restAdminPermissionsPayload = createRestAdminPermissionsPayload("cluster/*");
-        HttpResponse response = rh.executePutRequest(
-            ENDPOINT + "/roles/new_rest_admin_role",
-            restAdminPermissionsPayload,
-            restApiAdminHeader
-        );
-        Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
-        response = rh.executePutRequest(ENDPOINT + "/roles/rest_admin_role_to_delete", restAdminPermissionsPayload, restApiAdminHeader);
-        Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
-
-        // attempt to create a new rest admin role by admin
-        response = rh.executePutRequest(ENDPOINT + "/roles/some_rest_admin_role", restAdminPermissionsPayload, adminHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // attempt to update exiting admin role
-        response = rh.executePutRequest(ENDPOINT + "/roles/new_rest_admin_role", restAdminPermissionsPayload, adminHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // attempt to patch exiting admin role
-        response = rh.executePatchRequest(
-            ENDPOINT + "/roles/new_rest_admin_role",
-            createPatchRestAdminPermissionsPayload("replace"),
-            adminHeader
-        );
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // attempt to update exiting admin role
-        response = rh.executePutRequest(ENDPOINT + "/roles/new_rest_admin_role", restAdminPermissionsPayload, restApiHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // attempt to create a new rest admin role by admin
-        response = rh.executePutRequest(ENDPOINT + "/roles/some_rest_admin_role", restAdminPermissionsPayload, restApiHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // attempt to patch exiting admin role and crate a new one
-        response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("replace"), restApiHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+        final var userHeaders = List.of(
+            encodeBasicHeader("admin", "admin"),
+            encodeBasicHeader("test", "test"),
+            encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"),
+            encodeBasicHeader("rest_api_admin_roles", "rest_api_admin_roles")
+        );
+        for (final var userHeader : userHeaders) {
+            final String restAdminPermissionsPayload = createRestAdminPermissionsPayload("cluster/*");
+            // attempt to create a new role
+            verifyPutForbidden("new_rest_admin_role", restAdminPermissionsPayload, userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("new_rest_admin_role", "add"), userHeader);
+
+            // attempt to update existing rest admin role
+            verifyPutForbidden("rest_api_admin_full_access", restAdminPermissionsPayload, userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("rest_api_admin_full_access", "replace"), userHeader);
+
+            // attempt to update non rest admin role with REST admin permissions
+            verifyPutForbidden("opendistro_security_role_starfleet_captains", restAdminPermissionsPayload, userHeader);
+            verifyPatchForbidden(
+                createPatchRestAdminPermissionsPayload("opendistro_security_role_starfleet_captains", "replace"),
+                userHeader
+            );
+
+            // attempt to remove REST admin role
+            verifyDeleteForbidden("rest_api_admin_full_access", userHeader);
+            verifyPatchForbidden(createPatchRestAdminPermissionsPayload("rest_api_admin_full_access", "remove"), userHeader);
+        }
+    }
 
-        response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("add"), restApiHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePatchRequest(ENDPOINT + "/roles", createPatchRestAdminPermissionsPayload("remove"), restApiHeader);
+    void verifyPutForbidden(final String roleName, final String restAdminPermissionsPayload, final Header... header) {
+        HttpResponse response = rh.executePutRequest(ENDPOINT + "/roles/" + roleName, restAdminPermissionsPayload, header);
         Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
     }
 
-    @Test
-    public void testDeleteRestApiAdminRoleForbiddenForNonSuperAdmin() throws Exception {
-        setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
-        rh.sendAdminCertificate = false;
-
-        final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
-        final Header adminHeader = encodeBasicHeader("admin", "admin");
-        final Header restApiHeader = encodeBasicHeader("test", "test");
-
-        final String allRestAdminPermissionsPayload = createRestAdminPermissionsPayload("cluster/*");
-
-        HttpResponse response = rh.executePutRequest(
-            ENDPOINT + "/roles/new_rest_admin_role",
-            allRestAdminPermissionsPayload,
-            restApiAdminHeader
-        );
-        Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
-
-        // attempt to update exiting admin role
-        response = rh.executeDeleteRequest(ENDPOINT + "/roles/new_rest_admin_role", adminHeader);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+    void verifyPatchForbidden(final String restAdminPermissionsPayload, final Header... header) {
+        HttpResponse response = rh.executePatchRequest(ENDPOINT + "/roles", restAdminPermissionsPayload, header);
+        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+    }
 
-        // true to change
-        response = rh.executeDeleteRequest(ENDPOINT + "/roles/new_rest_admin_role", allRestAdminPermissionsPayload, restApiHeader);
+    void verifyDeleteForbidden(final String roleName, final Header... header) {
+        HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/roles/" + roleName, header);
         Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
     }
 
-    private String createPatchRestAdminPermissionsPayload(final String op) throws JsonProcessingException {
+    private String createPatchRestAdminPermissionsPayload(final String roleName, final String op) throws JsonProcessingException {
         final ArrayNode rootNode = DefaultObjectMapper.objectMapper.createArrayNode();
         final ObjectNode opAddObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
         final ObjectNode clusterPermissionsNode = DefaultObjectMapper.objectMapper.createObjectNode();
         clusterPermissionsNode.set("cluster_permissions", clusterPermissionsForRestAdmin("cluster/*"));
         if ("add".equals(op)) {
-            opAddObjectNode.put("op", "add").put("path", "/some_rest_admin_role").set("value", clusterPermissionsNode);
+            opAddObjectNode.put("op", "add").put("path", "/" + roleName).set("value", clusterPermissionsNode);
             rootNode.add(opAddObjectNode);
         }
 
         if ("remove".equals(op)) {
             final ObjectNode opRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
-            opRemoveObjectNode.put("op", "remove").put("path", "/rest_admin_role_to_delete");
+            opRemoveObjectNode.put("op", "remove").put("path", "/" + roleName);
             rootNode.add(opRemoveObjectNode);
         }
 
         if ("replace".equals(op)) {
             final ObjectNode replaceRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
             replaceRemoveObjectNode.put("op", "replace")
-                .put("path", "/new_rest_admin_role/cluster_permissions")
+                .put("path", "/" + roleName + "/cluster_permissions")
                 .set("value", clusterPermissionsForRestAdmin("*"));
 
             rootNode.add(replaceRemoveObjectNode);
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
index 5c041989a6..f7d1d4da0b 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiActionValidationTest.java
@@ -35,18 +35,16 @@ public void setupRoles() throws Exception {
 
     @Test
     public void isAllowedRightsToChangeRoleEntity() throws Exception {
-        when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.ROLESMAPPING)).thenReturn(true);
         final var rolesMappingApiActionEndpointValidator = new RolesMappingApiAction(clusterService, threadPool, securityApiDependencies)
             .createEndpointValidator();
         final var result = rolesMappingApiActionEndpointValidator.isAllowedToChangeImmutableEntity(
-                SecurityConfiguration.of("rest_api_admin_role", configuration)
+            SecurityConfiguration.of("rest_api_admin_role", configuration)
         );
         assertTrue(result.isValid());
     }
 
     @Test
     public void isNotAllowedNoRightsToChangeRoleEntity() throws Exception {
-        when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.ROLESMAPPING)).thenReturn(false);
         when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
 
          final var rolesApiActionEndpointValidator =
@@ -61,7 +59,6 @@ public void isNotAllowedNoRightsToChangeRoleEntity() throws Exception {
 
     @Test
     public void onConfigChangeShouldCheckRoles() throws Exception {
-        when(restApiAdminPrivilegesEvaluator.isCurrentUserAdminFor(Endpoint.ROLESMAPPING)).thenReturn(false);
         when(restApiAdminPrivilegesEvaluator.containsRestApiAdminPermissions(any(Object.class))).thenCallRealMethod();
         when(configurationRepository.getConfigurationsFromIndex(List.of(CType.ROLES), false))
                 .thenReturn(Map.of(CType.ROLES, rolesConfiguration));
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java
index 077c852466..dc2ba33e6e 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesMappingApiTest.java
@@ -14,6 +14,7 @@
 import java.util.List;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.apache.hc.core5.http.Header;
@@ -558,97 +559,83 @@ void verifyNonSuperAdminUser(final Header[] header) throws Exception {
     }
 
     @Test
-    public void testChangeRestApiAdminRoleMappingForbiddenForNonSuperAdmin() throws Exception {
+    public void testChangeRestApiAdminRoleMappingForbidden() throws Exception {
         setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
         rh.sendAdminCertificate = false;
 
-        final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
-        final Header adminHeader = encodeBasicHeader("admin", "admin");
-        final Header restApiHeader = encodeBasicHeader("test", "test");
-
-        HttpResponse response = rh.executePutRequest(
-            ENDPOINT + "/roles/new_rest_api_role",
-            createRestAdminPermissionsPayload(),
-            restApiAdminHeader
-        );
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode());
-        response = rh.executePutRequest(
-            ENDPOINT + "/roles/new_rest_api_role_without_mapping",
-            createRestAdminPermissionsPayload(),
-            restApiAdminHeader
+        final var userHeaders = List.of(
+            encodeBasicHeader("admin", "admin"),
+            encodeBasicHeader("test", "test"),
+            encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user"),
+            encodeBasicHeader("rest_api_admin_rolesmapping", "rest_api_admin_rolesmapping")
         );
-        Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
-        response = rh.executePutRequest(
-            ENDPOINT + "/rolesmapping/new_rest_api_role",
-            createUsersPayload("a", "b", "c"),
-            restApiAdminHeader
-        );
-        Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
 
-        verifyRestApiPutAndDeleteForNonRestApiAdmin(adminHeader);
-        verifyRestApiPutAndDeleteForNonRestApiAdmin(restApiHeader);
-        verifyRestApiPatchForNonRestApiAdmin(adminHeader, false);
-        verifyRestApiPatchForNonRestApiAdmin(restApiHeader, false);
-        verifyRestApiPatchForNonRestApiAdmin(adminHeader, true);
-        verifyRestApiPatchForNonRestApiAdmin(restApiHeader, true);
-    }
+        for (final var userHeader : userHeaders) {
+            // create new mapping for existing group
+            verifyPutForbidden("rest_api_admin_roles_mapping_test_without_mapping", createUsers("c", "d"), userHeader);
+            verifyPatchForbidden(createPatchPayload("rest_api_admin_roles_mapping_test_without_mapping", "add"), userHeader);
 
-    private void verifyRestApiPutAndDeleteForNonRestApiAdmin(final Header header) throws Exception {
-        HttpResponse response = rh.executePutRequest(
-            ENDPOINT + "/rolesmapping/new_rest_api_role",
-            createUsersPayload("a", "b", "c"),
-            header
-        );
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+            // update existing mapping with additional users
+            verifyPutForbidden("rest_api_admin_roles_mapping_test_with_mapping", createUsers("c", "d"), userHeader);
+            verifyPatchForbidden(createPatchPayload("rest_api_admin_roles_mapping_test_with_mapping", "replace"), userHeader);
 
-        response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/new_rest_api_role", "", header);
-        Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+            // delete existing role mapping forbidden
+            verifyDeleteForbidden("rest_api_admin_roles_mapping_test_with_mapping", userHeader);
+            verifyPatchForbidden(createPatchPayload("rest_api_admin_roles_mapping_test_with_mapping", "remove"), userHeader);
+        }
     }
 
-    private void verifyRestApiPatchForNonRestApiAdmin(final Header header, boolean bulk) throws Exception {
-        String path = ENDPOINT + "/rolesmapping";
-        if (!bulk) {
-            path += "/new_rest_api_role";
-        }
-        HttpResponse response = rh.executePatchRequest(path, createPathPayload("add"), header);
-        System.err.println(response.getBody());
+    void verifyPutForbidden(final String roleMappingName, final String payload, final Header... header) {
+        HttpResponse response = rh.executePutRequest(ENDPOINT + "/rolesmapping/" + roleMappingName, payload, header);
         Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+    }
 
-        response = rh.executePatchRequest(path, createPathPayload("replace"), header);
+    void verifyPatchForbidden(final String payload, final Header... header) {
+        HttpResponse response = rh.executePatchRequest(ENDPOINT + "/rolesmapping", payload, header);
         Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
+    }
 
-        response = rh.executePatchRequest(path, createPathPayload("remove"), header);
+    void verifyDeleteForbidden(final String roleMappingName, final Header... header) {
+        HttpResponse response = rh.executeDeleteRequest(ENDPOINT + "/rolesmapping/" + roleMappingName, header);
         Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
     }
 
-    private ObjectNode createUsersObjectNode(final String... users) {
-        final ArrayNode usersArray = DefaultObjectMapper.objectMapper.createArrayNode();
-        for (final String user : users) {
-            usersArray.add(user);
+    private String createPatchPayload(final String roleName, final String op) throws JsonProcessingException {
+        final ArrayNode rootNode = DefaultObjectMapper.objectMapper.createArrayNode();
+        final ObjectNode opAddObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
+        final ObjectNode clusterPermissionsNode = DefaultObjectMapper.objectMapper.createObjectNode();
+        clusterPermissionsNode.set("users", createUsersArray("c", "d"));
+        if ("add".equals(op)) {
+            opAddObjectNode.put("op", "add").put("path", "/" + roleName).set("value", clusterPermissionsNode);
+            rootNode.add(opAddObjectNode);
         }
-        return DefaultObjectMapper.objectMapper.createObjectNode().set("users", usersArray);
-    }
 
-    private String createUsersPayload(final String... users) throws JsonProcessingException {
-        return DefaultObjectMapper.objectMapper.writeValueAsString(createUsersObjectNode(users));
-    }
-
-    private String createPathPayload(final String op) throws JsonProcessingException {
-        final ArrayNode arrayNode = DefaultObjectMapper.objectMapper.createArrayNode();
-        final ObjectNode opNode = DefaultObjectMapper.objectMapper.createObjectNode();
-        opNode.put("op", op);
-        if ("add".equals(op)) {
-            opNode.put("path", "/new_rest_api_role_without_mapping");
-            opNode.set("value", createUsersObjectNode("d", "e", "f"));
+        if ("remove".equals(op)) {
+            final ObjectNode opRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
+            opRemoveObjectNode.put("op", "remove").put("path", "/" + roleName);
+            rootNode.add(opRemoveObjectNode);
         }
+
         if ("replace".equals(op)) {
-            opNode.put("path", "/new_rest_api_role");
-            opNode.set("value", createUsersObjectNode("g", "h", "i"));
+            final ObjectNode replaceRemoveObjectNode = DefaultObjectMapper.objectMapper.createObjectNode();
+            replaceRemoveObjectNode.put("op", "replace").put("path", "/" + roleName + "/users").set("value", createUsersArray("c", "d"));
+
+            rootNode.add(replaceRemoveObjectNode);
         }
-        if ("remove".equals(op)) {
-            opNode.put("path", "/new_rest_api_role");
+        return DefaultObjectMapper.objectMapper.writeValueAsString(rootNode);
+    }
+
+    private String createUsers(final String... users) throws JsonProcessingException {
+        final var o = DefaultObjectMapper.objectMapper.createObjectNode().set("users", createUsersArray("c", "d"));
+        return DefaultObjectMapper.writeValueAsString(o, false);
+    }
+
+    private JsonNode createUsersArray(final String... users) {
+        final ArrayNode usersArray = DefaultObjectMapper.objectMapper.createArrayNode();
+        for (final String user : users) {
+            usersArray.add(user);
         }
-        return DefaultObjectMapper.objectMapper.writeValueAsString(arrayNode.add(opNode));
+        return usersArray;
     }
 
     @Test
diff --git a/src/test/resources/restapi/action_groups.yml b/src/test/resources/restapi/action_groups.yml
index 638f65f72f..4ec858a69e 100644
--- a/src/test/resources/restapi/action_groups.yml
+++ b/src/test/resources/restapi/action_groups.yml
@@ -132,3 +132,16 @@ OPENDISTRO_SECURITY_SUGGEST:
   - "indices:data/read/suggest*"
   type: "index"
   description: "Migrated from v6"
+rest_admin_action_group:
+  allowed_actions:
+    - 'restapi:admin/actiongroups'
+    - 'restapi:admin/allowlist'
+    - 'restapi:admin/config/update'
+    - 'restapi:admin/internalusers'
+    - 'restapi:admin/nodesdn'
+    - 'restapi:admin/roles'
+    - 'restapi:admin/rolesmapping'
+    - 'restapi:admin/ssl/certs/info'
+    - 'restapi:admin/ssl/certs/reload'
+    - 'restapi:admin/tenants'
+  type: "cluster"
diff --git a/src/test/resources/restapi/roles.yml b/src/test/resources/restapi/roles.yml
index 1c3756cb4d..925b051bb3 100644
--- a/src/test/resources/restapi/roles.yml
+++ b/src/test/resources/restapi/roles.yml
@@ -393,6 +393,32 @@ opendistro_security_role_starfleet_captains:
       allowed_actions:
         - "CRUD_UT"
   tenant_permissions: []
+rest_api_admin_roles_mapping_test_without_mapping:
+  reserved: true
+  cluster_permissions:
+    - 'restapi:admin/actiongroups'
+    - 'restapi:admin/allowlist'
+    - 'restapi:admin/config/update'
+    - 'restapi:admin/internalusers'
+    - 'restapi:admin/nodesdn'
+    - 'restapi:admin/roles'
+    - 'restapi:admin/rolesmapping'
+    - 'restapi:admin/ssl/certs/info'
+    - 'restapi:admin/ssl/certs/reload'
+    - 'restapi:admin/tenants'
+rest_api_admin_roles_mapping_test_with_mapping:
+  reserved: true
+  cluster_permissions:
+    - 'restapi:admin/actiongroups'
+    - 'restapi:admin/allowlist'
+    - 'restapi:admin/config/update'
+    - 'restapi:admin/internalusers'
+    - 'restapi:admin/nodesdn'
+    - 'restapi:admin/roles'
+    - 'restapi:admin/rolesmapping'
+    - 'restapi:admin/ssl/certs/info'
+    - 'restapi:admin/ssl/certs/reload'
+    - 'restapi:admin/tenants'
 rest_api_admin_full_access:
   reserved: true
   cluster_permissions:
diff --git a/src/test/resources/restapi/roles_mapping.yml b/src/test/resources/restapi/roles_mapping.yml
index 8bfe826247..73673ae3ff 100644
--- a/src/test/resources/restapi/roles_mapping.yml
+++ b/src/test/resources/restapi/roles_mapping.yml
@@ -217,6 +217,9 @@ opendistro_security_role_host2:
   - "opendistro_security_host_localhost"
   and_backend_roles: []
   description: "Migrated from v6"
+rest_api_admin_roles_mapping_test_with_mapping:
+  reserved: true
+  users: [a, b]
 rest_api_admin_full_access:
   reserved: false
   hidden: true

From d87ab3f7372ff799ca75fbf9741f5111e12d84dd Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com>
Date: Tue, 9 Apr 2024 11:10:53 -0400
Subject: [PATCH 114/143] Adds saml auth header to differentiate saml requests
 and prevents auto login as anonymous user when basic authentication fails
 (#4152)

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
---
 .../http/BasicWithAnonymousAuthTests.java     | 112 ++++++++++++++++++
 .../security/auth/BackendRegistry.java        |  47 +++++---
 .../security/rest/SecurityInfoAction.java     |   3 +
 3 files changed, 147 insertions(+), 15 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java

diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
new file mode 100644
index 0000000000..842d5c4dd5
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -0,0 +1,112 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
+package org.opensearch.security.http;
+
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
+import org.opensearch.test.framework.TestSecurityConfig.User;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.apache.http.HttpStatus.SC_OK;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class BasicWithAnonymousAuthTests {
+    static final User TEST_USER = new User("test_user").password("s3cret");
+
+    public static final String CUSTOM_ATTRIBUTE_NAME = "superhero";
+    static final User SUPER_USER = new User("super-user").password("super-password").attr(CUSTOM_ATTRIBUTE_NAME, "true");
+    public static final String NOT_EXISTING_USER = "not-existing-user";
+    public static final String INVALID_PASSWORD = "secret-password";
+
+    public static final AuthcDomain AUTHC_DOMAIN = new AuthcDomain("basic", 0).httpAuthenticatorWithChallenge("basic").backend("internal");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(true)
+        .authc(AUTHC_DOMAIN)
+        .users(TEST_USER, SUPER_USER)
+        .build();
+
+    /** No automatic login post anonymous auth request **/
+    @Test
+    public void testShouldRespondWith401WhenUserDoesNotExist() {
+        try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, INVALID_PASSWORD)) {
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+        }
+    }
+
+    @Test
+    public void testShouldRespondWith401WhenUserNameIsIncorrect() {
+        try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, TEST_USER.getPassword())) {
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+        }
+    }
+
+    @Test
+    public void testShouldRespondWith401WhenPasswordIsIncorrect() {
+        try (TestRestClient client = cluster.getRestClient(TEST_USER.getName(), INVALID_PASSWORD)) {
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+        }
+    }
+
+    /** Test `?auth_type=""` param to authinfo request **/
+    @Test
+    public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
+        try (TestRestClient client = cluster.getRestClient()) {
+
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_OK);
+
+            HttpResponse response2 = client.getAuthInfo(Map.of("auth_type", "anonymous"));
+
+            assertThat(response2, is(notNullValue()));
+            response2.assertStatusCode(SC_OK);
+        }
+    }
+
+    @Test
+    public void testShouldNotAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin() {
+        try (TestRestClient client = cluster.getRestClient()) {
+
+            HttpResponse response = client.getAuthInfo(Map.of("auth_type", "saml"));
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+
+            // should contain a redirect link
+            assertThat(response.containHeader("WWW-Authenticate"), is(true));
+        }
+    }
+}
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 3ab9a2afc9..97c060be35 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -32,6 +32,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.SortedSet;
@@ -44,6 +45,7 @@
 import com.google.common.cache.RemovalListener;
 import com.google.common.cache.RemovalNotification;
 import com.google.common.collect.Multimap;
+import org.apache.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -190,7 +192,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
      * @param request
      * @return The authenticated user, null means another roundtrip
      * @throws OpenSearchSecurityException
-     */
+    */
     public boolean authenticate(final SecurityRequestChannel request) {
         final boolean isDebugEnabled = log.isDebugEnabled();
         final boolean isBlockedBasedOnAddress = request.getRemoteAddress()
@@ -286,7 +288,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 
             if (ac == null) {
                 // no credentials found in request
-                if (anonymousAuthEnabled) {
+                if (anonymousAuthEnabled && isRequestForAnonymousLogin(request.params(), request.getHeaders())) {
                     continue;
                 }
 
@@ -386,19 +388,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
             }
 
-            if (authCredentials == null && anonymousAuthEnabled) {
-                final String tenant = resolveTenantFrom(request);
-                User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet<String>(User.ANONYMOUS.getRoles()), null);
-                anonymousUser.setRequestedTenant(tenant);
-
-                threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
-                auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
-                if (isDebugEnabled) {
-                    log.debug("Anonymous User is authenticated");
-                }
-                return true;
-            }
-
             Optional<SecurityResponse> challengeResponse = Optional.empty();
 
             if (firstChallengingHttpAuthenticator != null) {
@@ -415,6 +404,19 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 }
             }
 
+            if (authCredentials == null && anonymousAuthEnabled && isRequestForAnonymousLogin(request.params(), request.getHeaders())) {
+                final String tenant = resolveTenantFrom(request);
+                User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet<String>(User.ANONYMOUS.getRoles()), null);
+                anonymousUser.setRequestedTenant(tenant);
+
+                threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
+                auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
+                if (isDebugEnabled) {
+                    log.debug("Anonymous User is authenticated");
+                }
+                return true;
+            }
+
             log.warn(
                 "Authentication finally failed for {} from {}",
                 authCredentials == null ? null : authCredentials.getUsername(),
@@ -432,6 +434,21 @@ public boolean authenticate(final SecurityRequestChannel request) {
         return authenticated;
     }
 
+    /**
+     * Checks if incoming auth request is from an anonymous user
+     * Defaults all requests to yes, to allow anonymous authentication to succeed
+     * @param params the query parameters passed in this request
+     * @return false only if an explicit `auth_type` param is supplied, and its value is not anonymous, OR
+     * if request contains no authorization headers
+     * otherwise returns true
+     */
+    private boolean isRequestForAnonymousLogin(Map<String, String> params, Map<String, List<String>> headers) {
+        if (params.containsKey("auth_type")) {
+            return params.get("auth_type").equals("anonymous");
+        }
+        return !headers.containsKey(HttpHeaders.AUTHORIZATION);
+    }
+
     private String resolveTenantFrom(final SecurityRequest request) {
         return Optional.ofNullable(request.header("securitytenant")).orElse(request.header("security_tenant"));
     }
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index f6cf7f82ee..64075d5d0e 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -91,6 +91,9 @@ public List<Route> routes() {
     @Override
     protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
         final boolean verbose = request.paramAsBoolean("verbose", false);
+        // need to consume `auth_type` param, without which a 500 is thrown on front-end
+        final String authType = request.param("auth_type", "");
+
         return new RestChannelConsumer() {
 
             @Override

From a5a5e032bd491c42c54d8d313d7359c366093cd1 Mon Sep 17 00:00:00 2001
From: Chenyang Ji <cyji@amazon.com>
Date: Thu, 11 Apr 2024 05:52:20 -0700
Subject: [PATCH 115/143] Add index permissions for query insights exporters
 (#4229)

Signed-off-by: Chenyang Ji <cyji@amazon.com>
---
 config/roles.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/roles.yml b/config/roles.yml
index 1b4c13745f..7b45deb813 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -429,3 +429,8 @@ query_insights_full_access:
   reserved: true
   cluster_permissions:
     - 'cluster:admin/opensearch/insights/top_queries/*'
+  index_permissions:
+    - index_patterns:
+        - 'top_queries_by_*'
+      allowed_actions:
+        - "indices_all"

From a5b891463699b1cded2acdf55fd44fd4b5bcac63 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 11 Apr 2024 14:25:02 -0400
Subject: [PATCH 116/143] Upgrade codecov/codecov-action to v4 (#4236)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45f306318e..9a656e02b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -85,7 +85,7 @@ jobs:
         with:
           attempt_limit: 5
           attempt_delay: 2000
-          action: codecov/codecov-action@v3
+          action: codecov/codecov-action@v4
           with: |
             token: ${{ secrets.CODECOV_TOKEN }}
             fail_ci_if_error: true

From e4786673e041a1db83abf839e89d5a3b980c510d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 07:41:06 -0400
Subject: [PATCH 117/143] Bump open_saml_version from 4.3.1 to 4.3.2 (#4239)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 51d9fedb7a..8c4b17bcc6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,7 +27,7 @@ buildscript {
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
         kafka_version  = '3.7.0'
         apache_cxf_version = '4.0.4'
-        open_saml_version = '4.3.1'
+        open_saml_version = '4.3.2'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'

From 276fc016ea95fcd2d43a6327769331cfa5311377 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 07:42:13 -0400
Subject: [PATCH 118/143] Bump net.shibboleth.utilities:java-support from 8.4.1
 to 8.4.2 (#4240)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 8c4b17bcc6..c38da1dbb0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -612,7 +612,7 @@ dependencies {
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'
 
     //OpenSAML
-    implementation 'net.shibboleth.utilities:java-support:8.4.1'
+    implementation 'net.shibboleth.utilities:java-support:8.4.2'
     runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.25"
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"

From f539650eb2acf423450ccf612e96d6641939793d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 07:43:31 -0400
Subject: [PATCH 119/143] Bump commons-io:commons-io from 2.16.0 to 2.16.1
 (#4242)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index c38da1dbb0..7cf0c9c361 100644
--- a/build.gradle
+++ b/build.gradle
@@ -720,7 +720,7 @@ dependencies {
     integrationTestImplementation 'junit:junit:4.13.2'
     integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
     integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
-    integrationTestImplementation 'commons-io:commons-io:2.16.0'
+    integrationTestImplementation 'commons-io:commons-io:2.16.1'
     integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'

From c33be3fb99f708f17762415e44b18aeb8b582298 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 07:44:00 -0400
Subject: [PATCH 120/143] Bump Wandalen/wretry.action from 3.1.0 to 3.3.0
 (#4243)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9a656e02b6..94fbf11765 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v3.1.0
+        uses: Wandalen/wretry.action@v3.3.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

From 1862787d5ba4e8c1d7dea6ca4c865c4f9606d5fc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 07:44:37 -0400
Subject: [PATCH 121/143] Bump ch.qos.logback:logback-classic from 1.5.3 to
 1.5.5 (#4244)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 7cf0c9c361..a668c38adc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -496,7 +496,7 @@ configurations {
             force "org.apache.httpcomponents:httpcore:4.4.16"
             force "com.google.errorprone:error_prone_annotations:2.26.1"
             force "org.checkerframework:checker-qual:3.42.0"
-            force "ch.qos.logback:logback-classic:1.5.3"
+            force "ch.qos.logback:logback-classic:1.5.5"
         }
     }
 

From dc855137125ce2dc39236eb8276fdb6d71ab5f89 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Apr 2024 08:40:21 -0400
Subject: [PATCH 122/143] Bump spring_version from 5.3.33 to 5.3.34 (#4241)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a668c38adc..a4e4a7d037 100644
--- a/build.gradle
+++ b/build.gradle
@@ -32,7 +32,7 @@ buildscript {
         jjwt_version = '0.12.5'
         guava_version = '32.1.3-jre'
         jaxb_version = '2.3.9'
-        spring_version = '5.3.33'
+        spring_version = '5.3.34'
 
         if (buildVersionQualifier) {
             opensearch_build += "-${buildVersionQualifier}"

From a6b04ae751c5233aeaf50ff63a918fccb58caa31 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Mon, 15 Apr 2024 18:02:12 +0200
Subject: [PATCH 123/143] Move REST API tests into integration tests (Part 1)
 (#4153)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../security/ConfigurationFiles.java          |  44 ++-
 .../security/SecurityConfigurationTests.java  |   5 +-
 .../api/AbstractApiIntegrationTest.java       | 353 ++++++++++++++++++
 .../api/AccountRestApiIntegrationTest.java    | 174 +++++++++
 .../security/api/DashboardsInfoTest.java      |  54 +--
 .../api/DashboardsInfoWithSettingsTest.java   |  53 +--
 ...DefaultApiAvailabilityIntegrationTest.java | 134 +++++++
 .../test/framework/TestSecurityConfig.java    |  25 ++
 .../framework/cluster/TestRestClient.java     |   8 +
 .../security/securityconf/impl/CType.java     |   4 +
 .../dlic/rest/api/AccountApiTest.java         | 227 -----------
 .../rest/api/DashboardsInfoActionTest.java    |  49 ---
 .../dlic/rest/api/FlushCacheApiTest.java      |  70 ----
 .../api/legacy/LegacyAccountApiTests.java     |  23 --
 .../LegacyDashboardsInfoActionTests.java      |  23 --
 .../api/legacy/LegacyFlushCacheApiTests.java  |  23 --
 16 files changed, 763 insertions(+), 506 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
 create mode 100644 src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java
 create mode 100644 src/integrationTest/java/org/opensearch/security/api/DefaultApiAvailabilityIntegrationTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java

diff --git a/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java b/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
index f3b7613aa1..04f2892eeb 100644
--- a/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
+++ b/src/integrationTest/java/org/opensearch/security/ConfigurationFiles.java
@@ -9,38 +9,34 @@
 */
 package org.opensearch.security;
 
-import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
 import java.util.Objects;
 
-class ConfigurationFiles {
+import org.opensearch.core.common.Strings;
+import org.opensearch.security.securityconf.impl.CType;
 
-    public static void createRoleMappingFile(File destination) {
-        String resource = "roles_mapping.yml";
-        copyResourceToFile(resource, destination);
-    }
+public class ConfigurationFiles {
 
     public static Path createConfigurationDirectory() {
         try {
             Path tempDirectory = Files.createTempDirectory("test-security-config");
             String[] configurationFiles = {
-                "config.yml",
-                "action_groups.yml",
-                "internal_users.yml",
-                "nodes_dn.yml",
-                "roles.yml",
-                "roles_mapping.yml",
+                CType.ACTIONGROUPS.configFileName(),
+                CType.CONFIG.configFileName(),
+                CType.INTERNALUSERS.configFileName(),
+                CType.NODESDN.configFileName(),
+                CType.ROLES.configFileName(),
+                CType.ROLESMAPPING.configFileName(),
                 "security_tenants.yml",
-                "tenants.yml",
-                "whitelist.yml" };
+                CType.TENANTS.configFileName(),
+                CType.WHITELIST.configFileName() };
             for (String fileName : configurationFiles) {
-                Path configFileDestination = tempDirectory.resolve(fileName);
-                copyResourceToFile(fileName, configFileDestination.toFile());
+                copyResourceToFile(fileName, tempDirectory.resolve(fileName));
             }
             return tempDirectory.toAbsolutePath();
         } catch (IOException ex) {
@@ -48,10 +44,18 @@ public static Path createConfigurationDirectory() {
         }
     }
 
-    private static void copyResourceToFile(String resource, File destination) {
+    public static void writeToConfig(final CType cType, final Path configFolder, final String content) throws IOException {
+        if (Strings.isNullOrEmpty(content)) return;
+        try (final var out = Files.newOutputStream(cType.configFile(configFolder), StandardOpenOption.APPEND)) {
+            out.write(content.getBytes(StandardCharsets.UTF_8));
+            out.flush();
+        }
+    }
+
+    public static void copyResourceToFile(String resource, Path destination) {
         try (InputStream input = ConfigurationFiles.class.getClassLoader().getResourceAsStream(resource)) {
             Objects.requireNonNull(input, "Cannot find source resource " + resource);
-            try (OutputStream output = new FileOutputStream(destination)) {
+            try (final var output = Files.newOutputStream(destination)) {
                 input.transferTo(output);
             }
         } catch (IOException e) {
diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
index 3889fa2a3c..73c55bc667 100644
--- a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
+++ b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
@@ -29,6 +29,7 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.client.Client;
+import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.test.framework.AsyncActions;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
 import org.opensearch.test.framework.TestSecurityConfig.User;
@@ -225,8 +226,8 @@ public void shouldAccessIndexWithPlaceholder_negative() {
     @Test
     public void shouldUseSecurityAdminTool() throws Exception {
         SecurityAdminLauncher securityAdminLauncher = new SecurityAdminLauncher(cluster.getHttpPort(), cluster.getTestCertificates());
-        File rolesMapping = configurationDirectory.newFile("roles_mapping.yml");
-        ConfigurationFiles.createRoleMappingFile(rolesMapping);
+        File rolesMapping = configurationDirectory.newFile(CType.ROLESMAPPING.configFileName());
+        ConfigurationFiles.copyResourceToFile(CType.ROLESMAPPING.configFileName(), rolesMapping.toPath());
 
         int exitCode = securityAdminLauncher.updateRoleMappings(rolesMapping);
 
diff --git a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
new file mode 100644
index 0000000000..678b1df161
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java
@@ -0,0 +1,353 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.api;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.List;
+import java.util.StringJoiner;
+
+import com.carrotsearch.randomizedtesting.RandomizedTest;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.google.common.collect.ImmutableMap;
+import org.apache.commons.io.FileUtils;
+import org.apache.http.HttpStatus;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.awaitility.Awaitility;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+
+import org.opensearch.common.CheckedConsumer;
+import org.opensearch.common.CheckedSupplier;
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.security.ConfigurationFiles;
+import org.opensearch.security.dlic.rest.api.Endpoint;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.certificate.CertificateData;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.opensearch.security.CrossClusterSearchTests.PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED;
+import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE;
+import static org.opensearch.test.framework.TestSecurityConfig.REST_ADMIN_REST_API_ACCESS;
+
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+public abstract class AbstractApiIntegrationTest extends RandomizedTest {
+
+    private static final Logger LOGGER = LogManager.getLogger(TestSecurityConfig.class);
+
+    public static final String NEW_USER = "new-user";
+
+    public static final String REST_ADMIN_USER = "rest-api-admin";
+
+    public static final String ADMIN_USER_NAME = "admin";
+
+    public static final String DEFAULT_PASSWORD = "secret";
+
+    public static final ToXContentObject EMPTY_BODY = (builder, params) -> builder.startObject().endObject();
+
+    public static Path configurationFolder;
+
+    public static ImmutableMap.Builder<String, Object> clusterSettings = ImmutableMap.builder();
+
+    protected static TestSecurityConfig testSecurityConfig = new TestSecurityConfig();
+
+    public static LocalCluster localCluster;
+
+    @BeforeClass
+    public static void startCluster() throws IOException {
+        configurationFolder = ConfigurationFiles.createConfigurationDirectory();
+        extendConfiguration();
+        clusterSettings.put(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
+            .put(PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_admin__all_access", REST_ADMIN_REST_API_ACCESS))
+            .put(SECURITY_ALLOW_DEFAULT_INIT_USE_CLUSTER_STATE, randomBoolean());
+        final var clusterManager = randomFrom(List.of(ClusterManager.THREE_CLUSTER_MANAGERS, ClusterManager.SINGLENODE));
+        final var localClusterBuilder = new LocalCluster.Builder().clusterManager(clusterManager)
+            .nodeSettings(clusterSettings.buildKeepingLast())
+            .defaultConfigurationInitDirectory(configurationFolder.toString())
+            .loadConfigurationIntoIndex(false);
+        localCluster = localClusterBuilder.build();
+        localCluster.before();
+        try (TestRestClient client = localCluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
+            Awaitility.await()
+                .alias("Load default configuration")
+                .until(() -> client.securityHealth().getTextFromJsonBody("/status"), equalTo("UP"));
+        }
+    }
+
+    private static void extendConfiguration() throws IOException {
+        extendActionGroups(configurationFolder, testSecurityConfig.actionGroups());
+        extendRoles(configurationFolder, testSecurityConfig.roles());
+        extendRolesMapping(configurationFolder, testSecurityConfig.rolesMapping());
+        extendUsers(configurationFolder, testSecurityConfig.getUsers());
+    }
+
+    private static void extendUsers(final Path configFolder, final List<TestSecurityConfig.User> users) throws IOException {
+        if (users == null) return;
+        if (users.isEmpty()) return;
+        LOGGER.info("Adding users to the default configuration: ");
+        try (final var contentBuilder = XContentFactory.yamlBuilder()) {
+            contentBuilder.startObject();
+            for (final var u : users) {
+                LOGGER.info("\t\t - {}", u.getName());
+                contentBuilder.field(u.getName());
+                u.toXContent(contentBuilder, ToXContent.EMPTY_PARAMS);
+            }
+            contentBuilder.endObject();
+            ConfigurationFiles.writeToConfig(CType.INTERNALUSERS, configFolder, removeDashes(contentBuilder.toString()));
+        }
+    }
+
+    private static void extendActionGroups(final Path configFolder, final List<TestSecurityConfig.ActionGroup> actionGroups)
+        throws IOException {
+        if (actionGroups == null) return;
+        if (actionGroups.isEmpty()) return;
+        LOGGER.info("Adding action groups to the default configuration: ");
+        try (final var contentBuilder = XContentFactory.yamlBuilder()) {
+            contentBuilder.startObject();
+            for (final var ag : actionGroups) {
+                LOGGER.info("\t\t - {}", ag.name());
+                contentBuilder.field(ag.name());
+                ag.toXContent(contentBuilder, ToXContent.EMPTY_PARAMS);
+            }
+            contentBuilder.endObject();
+            ConfigurationFiles.writeToConfig(CType.ACTIONGROUPS, configFolder, removeDashes(contentBuilder.toString()));
+        }
+    }
+
+    private static void extendRoles(final Path configFolder, final List<TestSecurityConfig.Role> roles) throws IOException {
+        if (roles == null) return;
+        if (roles.isEmpty()) return;
+        LOGGER.info("Adding roles to the default configuration: ");
+        try (final var contentBuilder = XContentFactory.yamlBuilder()) {
+            contentBuilder.startObject();
+            for (final var r : roles) {
+                LOGGER.info("\t\t - {}", r.getName());
+                contentBuilder.field(r.getName());
+                r.toXContent(contentBuilder, ToXContent.EMPTY_PARAMS);
+            }
+            contentBuilder.endObject();
+            ConfigurationFiles.writeToConfig(CType.ROLES, configFolder, removeDashes(contentBuilder.toString()));
+        }
+    }
+
+    private static void extendRolesMapping(final Path configFolder, final List<TestSecurityConfig.RoleMapping> rolesMapping)
+        throws IOException {
+        if (rolesMapping == null) return;
+        if (rolesMapping.isEmpty()) return;
+        LOGGER.info("Adding roles mapping to the default configuration: ");
+        try (final var contentBuilder = XContentFactory.yamlBuilder()) {
+            contentBuilder.startObject();
+            for (final var rm : rolesMapping) {
+                LOGGER.info("\t\t - {}", rm.name());
+                contentBuilder.field(rm.name());
+                rm.toXContent(contentBuilder, ToXContent.EMPTY_PARAMS);
+            }
+            contentBuilder.endObject();
+            ConfigurationFiles.writeToConfig(CType.ROLESMAPPING, configFolder, removeDashes(contentBuilder.toString()));
+        }
+    }
+
+    private static String removeDashes(final String content) {
+        return content.replace("---", "");
+    }
+
+    protected static String[] allRestAdminPermissions() {
+        final var permissions = new String[ENDPOINTS_WITH_PERMISSIONS.size() + 3]; // 2 actions for SSL + update config action
+        var counter = 0;
+        for (final var e : ENDPOINTS_WITH_PERMISSIONS.entrySet()) {
+            if (e.getKey() == Endpoint.SSL) {
+                permissions[counter] = e.getValue().build(CERTS_INFO_ACTION);
+                permissions[++counter] = e.getValue().build(RELOAD_CERTS_ACTION);
+            } else if (e.getKey() == Endpoint.CONFIG) {
+                permissions[counter++] = e.getValue().build(SECURITY_CONFIG_UPDATE);
+            } else {
+                permissions[counter++] = e.getValue().build();
+            }
+        }
+        return permissions;
+    }
+
+    protected static String restAdminPermission(Endpoint endpoint) {
+        return restAdminPermission(endpoint, null);
+    }
+
+    protected static String restAdminPermission(Endpoint endpoint, String action) {
+        if (action != null) {
+            return ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build(action);
+        } else {
+            return ENDPOINTS_WITH_PERMISSIONS.get(endpoint).build();
+        }
+    }
+
+    @AfterClass
+    public static void stopCluster() throws IOException {
+        if (localCluster != null) localCluster.close();
+        FileUtils.deleteDirectory(configurationFolder.toFile());
+    }
+
+    protected void withUser(final String user, final CheckedConsumer<TestRestClient, Exception> restClientHandler) throws Exception {
+        withUser(user, DEFAULT_PASSWORD, restClientHandler);
+    }
+
+    protected void withUser(final String user, final String password, final CheckedConsumer<TestRestClient, Exception> restClientHandler)
+        throws Exception {
+        try (TestRestClient client = localCluster.getRestClient(user, password)) {
+            restClientHandler.accept(client);
+        }
+    }
+
+    protected void withUser(
+        final String user,
+        final CertificateData certificateData,
+        final CheckedConsumer<TestRestClient, Exception> restClientHandler
+    ) throws Exception {
+        withUser(user, DEFAULT_PASSWORD, certificateData, restClientHandler);
+    }
+
+    protected void withUser(
+        final String user,
+        final String password,
+        final CertificateData certificateData,
+        final CheckedConsumer<TestRestClient, Exception> restClientHandler
+    ) throws Exception {
+        try (TestRestClient client = localCluster.getRestClient(user, password, certificateData)) {
+            restClientHandler.accept(client);
+        }
+    }
+
+    protected String securityPath(String... path) {
+        final var fullPath = new StringJoiner("/");
+        fullPath.add(randomFrom(List.of(LEGACY_OPENDISTRO_PREFIX, PLUGINS_PREFIX)));
+        if (path != null) {
+            for (final var p : path)
+                fullPath.add(p);
+        }
+        return fullPath.toString();
+    }
+
+    protected String api() {
+        return String.format("%s/api", securityPath());
+    }
+
+    protected String apiPath(final String... path) {
+
+        final var fullPath = new StringJoiner("/");
+        fullPath.add(api());
+
+        for (final var p : path) {
+            fullPath.add(p);
+        }
+        return fullPath.toString();
+    }
+
+    TestRestClient.HttpResponse badRequest(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback)
+        throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse created(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback) throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_CREATED));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse forbidden(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback) throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse methodNotAllowed(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback)
+        throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_METHOD_NOT_ALLOWED));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse notImplemented(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback)
+        throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), is(HttpStatus.SC_NOT_IMPLEMENTED));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse notFound(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback) throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_NOT_FOUND));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse ok(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback) throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        assertResponseBody(response.getBody());
+        return response;
+    }
+
+    TestRestClient.HttpResponse unauthorized(final CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback)
+        throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getStatusCode(), equalTo(HttpStatus.SC_UNAUTHORIZED));
+        // TODO assert response body here
+        return response;
+    }
+
+    void assertResponseBody(final String responseBody) {
+        assertThat(responseBody, notNullValue());
+        assertThat(responseBody, not(equalTo("")));
+    }
+
+    void assertInvalidKeys(final TestRestClient.HttpResponse response, final String expectedInvalidKeys) {
+        assertThat(response.getBody(), response.getTextFromJsonBody("/reason"), equalTo("Invalid configuration"));
+        assertThat(response.getBody(), response.getTextFromJsonBody("/invalid_keys/keys"), equalTo(expectedInvalidKeys));
+    }
+
+    void assertSpecifyOneOf(final TestRestClient.HttpResponse response, final String expectedSpecifyOneOfKeys) {
+        assertThat(response.getBody(), response.getTextFromJsonBody("/reason"), equalTo("Invalid configuration"));
+        assertThat(response.getBody(), response.getTextFromJsonBody("/specify_one_of/keys"), containsString(expectedSpecifyOneOfKeys));
+    }
+
+    void assertNullValuesInArray(CheckedSupplier<TestRestClient.HttpResponse, Exception> endpointCallback) throws Exception {
+        final var response = endpointCallback.get();
+        assertThat(response.getBody(), response.getTextFromJsonBody("/reason"), equalTo("`null` is not allowed as json array element"));
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java
new file mode 100644
index 0000000000..7fa298c1e4
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/api/AccountRestApiIntegrationTest.java
@@ -0,0 +1,174 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+
+package org.opensearch.security.api;
+
+import org.junit.Test;
+
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.test.framework.TestSecurityConfig;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.not;
+import static org.opensearch.security.dlic.rest.support.Utils.hash;
+
+public class AccountRestApiIntegrationTest extends AbstractApiIntegrationTest {
+
+    private final static String TEST_USER = "test-user";
+
+    private final static String RESERVED_USER = "reserved-user";
+
+    private final static String HIDDEN_USERS = "hidden-user";
+
+    public final static String TEST_USER_PASSWORD = randomAlphabetic(10);
+
+    public final static String TEST_USER_NEW_PASSWORD = randomAlphabetic(10);
+
+    static {
+        testSecurityConfig.user(new TestSecurityConfig.User(TEST_USER).password(TEST_USER_PASSWORD))
+            .user(new TestSecurityConfig.User(RESERVED_USER).reserved(true))
+            .user(new TestSecurityConfig.User(HIDDEN_USERS).hidden(true));
+    }
+
+    private String accountPath() {
+        return super.apiPath("account");
+    }
+
+    @Test
+    public void accountInfo() throws Exception {
+        withUser(NEW_USER, client -> {
+            var response = ok(() -> client.get(accountPath()));
+            final var account = response.bodyAsJsonNode();
+            assertThat(response.getBody(), account.get("user_name").asText(), is(NEW_USER));
+            assertThat(response.getBody(), not(account.get("is_reserved").asBoolean()));
+            assertThat(response.getBody(), not(account.get("is_hidden").asBoolean()));
+            assertThat(response.getBody(), account.get("is_internal_user").asBoolean());
+            assertThat(response.getBody(), account.get("user_requested_tenant").isNull());
+            assertThat(response.getBody(), account.get("backend_roles").isArray());
+            assertThat(response.getBody(), account.get("custom_attribute_names").isArray());
+            assertThat(response.getBody(), account.get("tenants").isObject());
+            assertThat(response.getBody(), account.get("roles").isArray());
+        });
+        withUser(NEW_USER, "a", client -> unauthorized(() -> client.get(accountPath())));
+        withUser("a", "b", client -> unauthorized(() -> client.get(accountPath())));
+    }
+
+    @Test
+    public void changeAccountPassword() throws Exception {
+        withUser(TEST_USER, TEST_USER_PASSWORD, this::verifyWrongPayload);
+        verifyPasswordCanBeChanged();
+
+        withUser(RESERVED_USER, client -> {
+            var response = ok(() -> client.get(accountPath()));
+            assertThat(response.getBody(), response.getBooleanFromJsonBody("/is_reserved"));
+            forbidden(() -> client.putJson(accountPath(), changePasswordPayload(DEFAULT_PASSWORD, randomAlphabetic(10))));
+        });
+        withUser(HIDDEN_USERS, client -> {
+            var response = ok(() -> client.get(accountPath()));
+            assertThat(response.getBody(), response.getBooleanFromJsonBody("/is_hidden"));
+            notFound(() -> client.putJson(accountPath(), changePasswordPayload(DEFAULT_PASSWORD, randomAlphabetic(10))));
+        });
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), client -> {
+            ok(() -> client.get(accountPath()));
+            notFound(() -> client.putJson(accountPath(), changePasswordPayload(DEFAULT_PASSWORD, randomAlphabetic(10))));
+        });
+    }
+
+    private void verifyWrongPayload(final TestRestClient client) throws Exception {
+        badRequest(() -> client.putJson(accountPath(), EMPTY_BODY));
+        badRequest(() -> client.putJson(accountPath(), changePasswordPayload(null, "new_password")));
+        badRequest(() -> client.putJson(accountPath(), changePasswordPayload("wrong-password", "some_new_pwd")));
+        badRequest(() -> client.putJson(accountPath(), changePasswordPayload(TEST_USER_PASSWORD, null)));
+        badRequest(() -> client.putJson(accountPath(), changePasswordPayload(TEST_USER_PASSWORD, "")));
+        badRequest(() -> client.putJson(accountPath(), changePasswordWithHashPayload(TEST_USER_PASSWORD, null)));
+        badRequest(() -> client.putJson(accountPath(), changePasswordWithHashPayload(TEST_USER_PASSWORD, "")));
+        badRequest(
+            () -> client.putJson(
+                accountPath(),
+                (builder, params) -> builder.startObject()
+                    .field("current_password", TEST_USER_PASSWORD)
+                    .startArray("backend_roles")
+                    .endArray()
+                    .endObject()
+            )
+        );
+    }
+
+    private void verifyPasswordCanBeChanged() throws Exception {
+        final var newPassword = randomAlphabetic(10);
+        withUser(
+            TEST_USER,
+            TEST_USER_PASSWORD,
+            client -> ok(
+                () -> client.putJson(accountPath(), changePasswordWithHashPayload(TEST_USER_PASSWORD, hash(newPassword.toCharArray())))
+            )
+        );
+        withUser(
+            TEST_USER,
+            newPassword,
+            client -> ok(() -> client.putJson(accountPath(), changePasswordPayload(newPassword, TEST_USER_NEW_PASSWORD)))
+        );
+    }
+
+    @Test
+    public void testPutAccountRetainsAccountInformation() throws Exception {
+        final var username = "test";
+        final String password = randomAlphabetic(10);
+        final String newPassword = randomAlphabetic(10);
+        withUser(
+            ADMIN_USER_NAME,
+            client -> created(
+                () -> client.putJson(
+                    apiPath("internalusers", username),
+                    (builder, params) -> builder.startObject()
+                        .field("password", password)
+                        .field("backend_roles")
+                        .startArray()
+                        .value("test-backend-role")
+                        .endArray()
+                        .field("opendistro_security_roles")
+                        .startArray()
+                        .value("user_limited-user__limited-role")
+                        .endArray()
+                        .field("attributes")
+                        .startObject()
+                        .field("foo", "bar")
+                        .endObject()
+                        .endObject()
+                )
+            )
+        );
+        withUser(username, password, client -> ok(() -> client.putJson(accountPath(), changePasswordPayload(password, newPassword))));
+        withUser(ADMIN_USER_NAME, client -> {
+            final var response = ok(() -> client.get(apiPath("internalusers", username)));
+            final var user = response.bodyAsJsonNode().get(username);
+            assertThat(user.toPrettyString(), user.get("backend_roles").get(0).asText(), is("test-backend-role"));
+            assertThat(user.toPrettyString(), user.get("opendistro_security_roles").get(0).asText(), is("user_limited-user__limited-role"));
+            assertThat(user.toPrettyString(), user.get("attributes").get("foo").asText(), is("bar"));
+        });
+    }
+
+    private ToXContentObject changePasswordPayload(final String currentPassword, final String newPassword) {
+        return (builder, params) -> {
+            builder.startObject();
+            if (currentPassword != null) builder.field("current_password", currentPassword);
+            if (newPassword != null) builder.field("password", newPassword);
+            return builder.endObject();
+        };
+    }
+
+    private ToXContentObject changePasswordWithHashPayload(final String currentPassword, final String hash) {
+        return (builder, params) -> builder.startObject().field("current_password", currentPassword).field("hash", hash).endObject();
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
index 15634e8890..635d9ecff4 100644
--- a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java
@@ -11,58 +11,40 @@
 
 package org.opensearch.security.api;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import org.apache.http.HttpStatus;
-import org.junit.ClassRule;
+import java.util.List;
+
 import org.junit.Test;
-import org.junit.runner.RunWith;
 
-import org.opensearch.security.securityconf.impl.DashboardSignInOption;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
-import org.opensearch.test.framework.cluster.ClusterManager;
-import org.opensearch.test.framework.cluster.LocalCluster;
-import org.opensearch.test.framework.cluster.TestRestClient;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
+import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_MESSAGE;
 import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_REGEX;
-import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 
-@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
-@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
-public class DashboardsInfoTest {
+public class DashboardsInfoTest extends AbstractApiIntegrationTest {
 
-    protected final static TestSecurityConfig.User DASHBOARDS_USER = new TestSecurityConfig.User("dashboards_user").roles(
-        new Role("dashboards_role").indexPermissions("read").on("*").clusterPermissions("cluster_composite_ops")
-    );
+    static {
+        testSecurityConfig.user(
+            new TestSecurityConfig.User("dashboards_user").roles(
+                new Role("dashboards_role").indexPermissions("read").on("*").clusterPermissions("cluster_composite_ops")
+            )
+        );
+    }
 
-    @ClassRule
-    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
-        .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(DASHBOARDS_USER)
-        .build();
+    private String apiPath() {
+        return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo"));
+    }
 
     @Test
     public void testDashboardsInfoValidationMessage() throws Exception {
-
-        try (TestRestClient client = cluster.getRestClient(DASHBOARDS_USER)) {
-            TestRestClient.HttpResponse response = client.get("_plugins/_security/dashboardsinfo");
-            assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        withUser("dashboards_user", client -> {
+            final var response = ok(() -> client.get(apiPath()));
             assertThat(response.getTextFromJsonBody("/password_validation_error_message"), equalTo(DEFAULT_PASSWORD_MESSAGE));
             assertThat(response.getTextFromJsonBody("/password_validation_regex"), equalTo(DEFAULT_PASSWORD_REGEX));
-        }
-    }
-
-    @Test
-    public void testDashboardsInfoContainsSignInOptions() throws Exception {
-
-        try (TestRestClient client = cluster.getRestClient(DASHBOARDS_USER)) {
-            TestRestClient.HttpResponse response = client.get("_plugins/_security/dashboardsinfo");
-            assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK));
-            assertThat(response.getTextArrayFromJsonBody("/sign_in_options").contains(DashboardSignInOption.BASIC.toString()), is(true));
-        }
+        });
     }
 }
diff --git a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java
index 6e4444d049..96aed9ddd8 100644
--- a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java
+++ b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java
@@ -11,60 +11,47 @@
 
 package org.opensearch.security.api;
 
-import java.util.Map;
+import java.util.List;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import org.apache.http.HttpStatus;
-import org.junit.ClassRule;
 import org.junit.Test;
-import org.junit.runner.RunWith;
 
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.TestSecurityConfig.Role;
-import org.opensearch.test.framework.cluster.ClusterManager;
-import org.opensearch.test.framework.cluster.LocalCluster;
-import org.opensearch.test.framework.cluster.TestRestClient;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
-import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
+import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 
-@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
-@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
-public class DashboardsInfoWithSettingsTest {
+public class DashboardsInfoWithSettingsTest extends AbstractApiIntegrationTest {
 
-    protected final static TestSecurityConfig.User DASHBOARDS_USER = new TestSecurityConfig.User("dashboards_user").roles(
-        new Role("dashboards_role").indexPermissions("read").on("*").clusterPermissions("cluster_composite_ops")
-    );
+    private static final String CUSTOM_PASSWORD_REGEX = "(?=.*[A-Z])(?=.*[^a-zA-Z\\d])(?=.*[0-9])(?=.*[a-z]).{5,}";
 
     private static final String CUSTOM_PASSWORD_MESSAGE =
         "Password must be minimum 5 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.";
 
-    private static final String CUSTOM_PASSWORD_REGEX = "(?=.*[A-Z])(?=.*[^a-zA-Z\\d])(?=.*[0-9])(?=.*[a-z]).{5,}";
-
-    @ClassRule
-    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
-        .authc(AUTHC_HTTPBASIC_INTERNAL)
-        .users(DASHBOARDS_USER)
-        .nodeSettings(
-            Map.of(
-                ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX,
-                CUSTOM_PASSWORD_REGEX,
-                ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
-                CUSTOM_PASSWORD_MESSAGE
+    static {
+        clusterSettings.put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, CUSTOM_PASSWORD_REGEX)
+            .put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, CUSTOM_PASSWORD_MESSAGE);
+        testSecurityConfig.user(
+            new TestSecurityConfig.User("dashboards_user").roles(
+                new Role("dashboards_role").indexPermissions("read").on("*").clusterPermissions("cluster_composite_ops")
             )
-        )
-        .build();
+        );
+    }
+
+    private String apiPath() {
+        return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo"));
+    }
 
     @Test
     public void testDashboardsInfoValidationMessageWithCustomMessage() throws Exception {
 
-        try (TestRestClient client = cluster.getRestClient(DASHBOARDS_USER)) {
-            TestRestClient.HttpResponse response = client.get("_plugins/_security/dashboardsinfo");
-            assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK));
+        withUser("dashboards_user", client -> {
+            final var response = ok(() -> client.get(apiPath()));
             assertThat(response.getTextFromJsonBody("/password_validation_error_message"), equalTo(CUSTOM_PASSWORD_MESSAGE));
             assertThat(response.getTextFromJsonBody("/password_validation_regex"), equalTo(CUSTOM_PASSWORD_REGEX));
-        }
+        });
     }
 }
diff --git a/src/integrationTest/java/org/opensearch/security/api/DefaultApiAvailabilityIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/DefaultApiAvailabilityIntegrationTest.java
new file mode 100644
index 0000000000..eaecb275db
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/api/DefaultApiAvailabilityIntegrationTest.java
@@ -0,0 +1,134 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.api;
+
+import org.junit.Test;
+
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.Is.is;
+
+public class DefaultApiAvailabilityIntegrationTest extends AbstractApiIntegrationTest {
+
+    @Test
+    public void nodesDnApiIsNotAvailableByDefault() throws Exception {
+        withUser(NEW_USER, this::verifyNodesDnApi);
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifyNodesDnApi);
+    }
+
+    private void verifyNodesDnApi(final TestRestClient client) throws Exception {
+        badRequest(() -> client.get(apiPath("nodesdn")));
+        badRequest(() -> client.putJson(apiPath("nodesdn", "cluster_1"), EMPTY_BODY));
+        badRequest(() -> client.delete(apiPath("nodesdn", "cluster_1")));
+        badRequest(() -> client.patch(apiPath("nodesdn", "cluster_1"), EMPTY_BODY));
+    }
+
+    @Test
+    public void securityConfigIsNotAvailableByDefault() throws Exception {
+        withUser(NEW_USER, client -> {
+            forbidden(() -> client.get(apiPath("securityconfig")));
+            verifySecurityConfigApi(client);
+        });
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), client -> {
+            ok(() -> client.get(apiPath("securityconfig")));
+            verifySecurityConfigApi(client);
+        });
+    }
+
+    private void verifySecurityConfigApi(final TestRestClient client) throws Exception {
+        methodNotAllowed(() -> client.putJson(apiPath("securityconfig"), EMPTY_BODY));
+        methodNotAllowed(() -> client.postJson(apiPath("securityconfig"), EMPTY_BODY));
+        methodNotAllowed(() -> client.delete(apiPath("securityconfig")));
+        forbidden(
+            () -> client.patch(
+                apiPath("securityconfig"),
+                (builder, params) -> builder.startArray()
+                    .startObject()
+                    .field("op", "replace")
+                    .field("path", "/a/b/c")
+                    .field("value", "other")
+                    .endObject()
+                    .endArray()
+            )
+        );
+    }
+
+    @Test
+    public void securityHealth() throws Exception {
+        withUser(NEW_USER, client -> ok(() -> client.get(securityPath("health"))));
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), client -> ok(() -> client.get(securityPath("health"))));
+    }
+
+    @Test
+    public void securityAuthInfo() throws Exception {
+        withUser(NEW_USER, this::verifyAuthInfoApi);
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifyAuthInfoApi);
+    }
+
+    private void verifyAuthInfoApi(final TestRestClient client) throws Exception {
+        final var verbose = randomBoolean();
+
+        final TestRestClient.HttpResponse response;
+        if (verbose) response = ok(() -> client.get(securityPath("authinfo?verbose=" + verbose)));
+        else response = ok(() -> client.get(securityPath("authinfo")));
+        final var body = response.bodyAsJsonNode();
+        assertThat(response.getBody(), body.has("user"));
+        assertThat(response.getBody(), body.has("user_name"));
+        assertThat(response.getBody(), body.has("user_requested_tenant"));
+        assertThat(response.getBody(), body.has("remote_address"));
+        assertThat(response.getBody(), body.has("backend_roles"));
+        assertThat(response.getBody(), body.has("custom_attribute_names"));
+        assertThat(response.getBody(), body.has("roles"));
+        assertThat(response.getBody(), body.has("tenants"));
+        assertThat(response.getBody(), body.has("principal"));
+        assertThat(response.getBody(), body.has("peer_certificates"));
+        assertThat(response.getBody(), body.has("sso_logout_url"));
+
+        if (verbose) {
+            assertThat(response.getBody(), body.has("size_of_user"));
+            assertThat(response.getBody(), body.has("size_of_custom_attributes"));
+            assertThat(response.getBody(), body.has("size_of_backendroles"));
+        }
+
+    }
+
+    @Test
+    public void flushCache() throws Exception {
+        withUser(NEW_USER, client -> {
+            forbidden(() -> client.get(apiPath("cache")));
+            forbidden(() -> client.postJson(apiPath("cache"), EMPTY_BODY));
+            forbidden(() -> client.putJson(apiPath("cache"), EMPTY_BODY));
+            forbidden(() -> client.delete(apiPath("cache")));
+        });
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), client -> {
+            notImplemented(() -> client.get(apiPath("cache")));
+            notImplemented(() -> client.postJson(apiPath("cache"), EMPTY_BODY));
+            notImplemented(() -> client.putJson(apiPath("cache"), EMPTY_BODY));
+            final var response = ok(() -> client.delete(apiPath("cache")));
+            assertThat(response.getBody(), response.getTextFromJsonBody("/message"), is("Cache flushed successfully."));
+        });
+    }
+
+    @Test
+    public void reloadSSLCertsNotAvailable() throws Exception {
+        withUser(NEW_USER, client -> {
+            forbidden(() -> client.putJson(apiPath("ssl", "http", "reloadcerts"), EMPTY_BODY));
+            forbidden(() -> client.putJson(apiPath("ssl", "transport", "reloadcerts"), EMPTY_BODY));
+        });
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), client -> {
+            badRequest(() -> client.putJson(apiPath("ssl", "http", "reloadcerts"), EMPTY_BODY));
+            badRequest(() -> client.putJson(apiPath("ssl", "transport", "reloadcerts"), EMPTY_BODY));
+        });
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java b/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
index 22aab70521..79f10a76cf 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/TestSecurityConfig.java
@@ -78,6 +78,8 @@ public class TestSecurityConfig {
 
     private static final Logger log = LogManager.getLogger(TestSecurityConfig.class);
 
+    public final static String REST_ADMIN_REST_API_ACCESS = "rest_admin__rest_api_access";
+
     private Config config = new Config();
     private Map<String, User> internalUsers = new LinkedHashMap<>();
     private Map<String, Role> roles = new LinkedHashMap<>();
@@ -142,6 +144,17 @@ public TestSecurityConfig user(User user) {
         return this;
     }
 
+    public TestSecurityConfig withRestAdminUser(final String name, final String... permissions) {
+        if (internalUsers.containsKey(name)) throw new RuntimeException("REST Admin " + name + " already exists");
+        user(new User(name, "REST Admin with permissions: " + Arrays.toString(permissions)).reserved(true));
+        final var roleName = name + "__rest_admin_role";
+        roles(new Role(roleName).clusterPermissions(permissions));
+
+        rolesMapping.computeIfAbsent(roleName, RoleMapping::new).users(name);
+        rolesMapping.computeIfAbsent(REST_ADMIN_REST_API_ACCESS, RoleMapping::new).users(name);
+        return this;
+    }
+
     public List<User> getUsers() {
         return new ArrayList<>(internalUsers.values());
     }
@@ -157,6 +170,10 @@ public TestSecurityConfig roles(Role... roles) {
         return this;
     }
 
+    public List<Role> roles() {
+        return List.copyOf(roles.values());
+    }
+
     public TestSecurityConfig audit(AuditConfiguration auditConfiguration) {
         this.auditConfiguration = auditConfiguration;
         return this;
@@ -173,6 +190,10 @@ public TestSecurityConfig rolesMapping(RoleMapping... mappings) {
         return this;
     }
 
+    public List<RoleMapping> rolesMapping() {
+        return List.copyOf(rolesMapping.values());
+    }
+
     public TestSecurityConfig actionGroups(ActionGroup... groups) {
         for (final var group : groups) {
             this.actionGroups.put(group.name, group);
@@ -180,6 +201,10 @@ public TestSecurityConfig actionGroups(ActionGroup... groups) {
         return this;
     }
 
+    public List<ActionGroup> actionGroups() {
+        return List.copyOf(actionGroups.values());
+    }
+
     public static class Config implements ToXContentObject {
         private boolean anonymousAuth;
 
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
index bd625a5c31..e7355711fc 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java
@@ -114,6 +114,10 @@ public HttpResponse getAuthInfo(Header... headers) {
         return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo?pretty"), headers);
     }
 
+    public HttpResponse securityHealth(Header... headers) {
+        return executeRequest(new HttpGet(getHttpServerUri() + "/_plugins/_security/health"), headers);
+    }
+
     public HttpResponse getAuthInfo(Map<String, String> urlParams, Header... headers) {
         String urlParamsString = "?"
             + urlParams.entrySet().stream().map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
@@ -183,6 +187,10 @@ public HttpResponse post(String path) {
         return executeRequest(uriRequest);
     }
 
+    public HttpResponse patch(String path, ToXContentObject body) {
+        return patch(path, Strings.toString(XContentType.JSON, body));
+    }
+
     public HttpResponse patch(String path, String body) {
         HttpPatch uriRequest = new HttpPatch(getHttpServerUri() + "/" + path);
         uriRequest.setEntity(new StringEntity(body));
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/CType.java b/src/main/java/org/opensearch/security/securityconf/impl/CType.java
index 23158e5850..8a51686225 100644
--- a/src/main/java/org/opensearch/security/securityconf/impl/CType.java
+++ b/src/main/java/org/opensearch/security/securityconf/impl/CType.java
@@ -112,6 +112,10 @@ public Path configFile(final Path configDir) {
         return configDir.resolve(this.configFileName);
     }
 
+    public String configFileName() {
+        return configFileName;
+    }
+
     private static Map<Integer, Class<?>> toMap(Object... objects) {
         final ImmutableMap.Builder<Integer, Class<?>> map = ImmutableMap.builder();
         for (int i = 0; i < objects.length; i = i + 2) {
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java
deleted file mode 100644
index 21f68d11df..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AccountApiTest.java
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api;
-
-import org.apache.hc.core5.http.Header;
-import org.apache.http.HttpStatus;
-import org.junit.Assert;
-import org.junit.Test;
-
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.security.securityconf.impl.CType;
-import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-
-public class AccountApiTest extends AbstractRestApiUnitTest {
-    private final String BASE_ENDPOINT;
-    private final String ENDPOINT;
-
-    protected String getEndpointPrefix() {
-        return PLUGINS_PREFIX;
-    }
-
-    public AccountApiTest() {
-        BASE_ENDPOINT = getEndpointPrefix() + "/api/";
-        ENDPOINT = getEndpointPrefix() + "/api/account";
-    }
-
-    @Test
-    public void testGetAccount() throws Exception {
-        // arrange
-        setup();
-        final String testUser = "test-user";
-        final String testPass = "some password for user";
-        addUserWithPassword(testUser, testPass, HttpStatus.SC_CREATED);
-
-        // test - unauthorized access as credentials are missing.
-        HttpResponse response = rh.executeGetRequest(ENDPOINT, new Header[0]);
-        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        // test - incorrect password
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader(testUser, "wrong-pass"));
-        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        // test - incorrect user
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader("wrong-user", testPass));
-        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        // test - valid request
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader(testUser, testPass));
-        Settings body = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-        assertEquals(testUser, body.get("user_name"));
-        assertFalse(body.getAsBoolean("is_reserved", true));
-        assertFalse(body.getAsBoolean("is_hidden", true));
-        assertTrue(body.getAsBoolean("is_internal_user", false));
-        assertNull(body.get("user_requested_tenant"));
-        assertNotNull(body.getAsList("backend_roles").size());
-        assertNotNull(body.getAsList("custom_attribute_names").size());
-        assertNotNull(body.getAsSettings("tenants"));
-        assertNotNull(body.getAsList("roles"));
-    }
-
-    @Test
-    public void testPutAccount() throws Exception {
-        // arrange
-        setup();
-        final String testUser = "test-user";
-        final String testPass = "test-old-pass";
-        final String testPassHash = "$2y$12$b7TNPn2hgl0nS7gXJ.beuOd8JGl6Nz5NsTyxofglGCItGNyDdwivK"; // hash for test-old-pass
-        final String testNewPass = "test-new-pass";
-        final String testNewPassHash = "$2y$12$cclJJdVdXMMVzkhqQhEoE.hoERKE8bDzctR0S3aYj2EPHq45Y.GXC"; // hash for test-old-pass
-        addUserWithPassword(testUser, testPass, HttpStatus.SC_CREATED);
-
-        // test - unauthorized access as credentials are missing.
-        HttpResponse response = rh.executePutRequest(ENDPOINT, "", new Header[0]);
-        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        // test - bad request as body is missing
-        response = rh.executePutRequest(ENDPOINT, "", encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as current password is missing
-        String payload = "{\"password\":\"new-pass\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as current password is incorrect
-        payload = "{\"password\":\"" + testNewPass + "\", \"current_password\":\"" + "wrong-pass" + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as hash/password is missing
-        payload = "{\"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as password is empty
-        payload = "{\"password\":\"" + "" + "\", \"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as hash is empty
-        payload = "{\"hash\":\"" + "" + "\", \"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as hash and password are empty
-        payload = "{\"hash\": \"\", \"password\": \"\", \"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - bad request as invalid parameters are present
-        payload = "{\"password\":\"new-pass\", \"current_password\":\"" + testPass + "\", \"backend_roles\": []}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
-
-        // test - invalid user
-        payload = "{\"password\":\"" + testNewPass + "\", \"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader("wrong-user", testPass));
-        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        // test - valid password change with hash
-        payload = "{\"hash\":\"" + testNewPassHash + "\", \"current_password\":\"" + testPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testPass));
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-
-        // test - valid password change
-        payload = "{\"password\":\"" + testPass + "\", \"current_password\":\"" + testNewPass + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader(testUser, testNewPass));
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-
-        // create users from - resources/restapi/internal_users.yml
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-        response = rh.executeGetRequest(BASE_ENDPOINT + CType.INTERNALUSERS.toLCString());
-        rh.sendAdminCertificate = false;
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
-
-        // test - reserved user - sarek
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader("sarek", "sarek"));
-        Settings body = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        // check reserved user exists
-        assertTrue(body.getAsBoolean("is_reserved", false));
-        payload = "{\"password\":\"" + testPass + "\", \"current_password\":\"" + "sarek" + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader("sarek", "sarek"));
-        assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        // test - hidden user - hide
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader("hide", "hide"));
-        body = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        // check hidden user exists
-        assertTrue(body.getAsBoolean("is_hidden", false));
-        payload = "{\"password\":\"" + testPass + "\", \"current_password\":\"" + "hide" + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader("hide", "hide"));
-        assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode());
-
-        // test - admin with admin cert - internal user does not exist
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-        response = rh.executeGetRequest(ENDPOINT, encodeBasicHeader("admin", "admin"));
-        body = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        assertEquals("CN=kirk,OU=client,O=client,L=Test,C=DE", body.get("user_name"));
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());        // check admin user exists
-        payload = "{\"password\":\"" + testPass + "\", \"current_password\":\"" + "admin" + "\"}";
-        response = rh.executePutRequest(ENDPOINT, payload, encodeBasicHeader("admin", "admin"));
-        assertEquals(HttpStatus.SC_NOT_FOUND, response.getStatusCode());
-    }
-
-    @Test
-    public void testPutAccountRetainsAccountInformation() throws Exception {
-        // arrange
-        setup();
-        final String testUsername = "test";
-        final String testPassword = "test-password";
-        final String newPassword = "new-password";
-        final String createInternalUserPayload = "{\n"
-            + "  \"password\": \""
-            + testPassword
-            + "\",\n"
-            + "  \"backend_roles\": [\"test-backend-role-1\"],\n"
-            + "  \"opendistro_security_roles\": [\"opendistro_security_all_access\"],\n"
-            + "  \"attributes\": {\n"
-            + "    \"attribute1\": \"value1\"\n"
-            + "  }\n"
-            + "}";
-        final String changePasswordPayload = "{\"password\":\"" + newPassword + "\", \"current_password\":\"" + testPassword + "\"}";
-        final String internalUserEndpoint = BASE_ENDPOINT + "internalusers/" + testUsername;
-
-        // create user
-        rh.sendAdminCertificate = true;
-        HttpResponse response = rh.executePutRequest(internalUserEndpoint, createInternalUserPayload);
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-        rh.sendAdminCertificate = false;
-
-        // change password to new-password
-        response = rh.executePutRequest(ENDPOINT, changePasswordPayload, encodeBasicHeader(testUsername, testPassword));
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-
-        // assert account information has not changed
-        rh.sendAdminCertificate = true;
-        response = rh.executeGetRequest(internalUserEndpoint);
-        assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-        Settings responseBody = Settings.builder()
-            .loadFromSource(response.getBody(), XContentType.JSON)
-            .build()
-            .getAsSettings(testUsername);
-        assertTrue(responseBody.getAsList("backend_roles").contains("test-backend-role-1"));
-        assertTrue(responseBody.getAsList("opendistro_security_roles").contains("opendistro_security_all_access"));
-        assertEquals(responseBody.getAsSettings("attributes").get("attribute1"), "value1");
-    }
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java
deleted file mode 100644
index 647e7a2a33..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/DashboardsInfoActionTest.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api;
-
-import org.apache.http.HttpStatus;
-import org.junit.Assert;
-import org.junit.Test;
-
-import org.opensearch.common.settings.Settings;
-import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.security.test.helper.rest.RestHelper;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-
-public class DashboardsInfoActionTest extends AbstractRestApiUnitTest {
-    private final String ENDPOINT;
-
-    protected String getEndpoint() {
-        return PLUGINS_PREFIX + "/dashboardsinfo";
-    }
-
-    public DashboardsInfoActionTest() {
-        ENDPOINT = getEndpoint();
-    }
-
-    @Test
-    public void testDashboardsInfo() throws Exception {
-        Settings settings = Settings.builder()
-            .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true)
-            .build();
-        setup(settings);
-
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-
-        RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT);
-        Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-    }
-
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
deleted file mode 100644
index ee75ccc984..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/FlushCacheApiTest.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api;
-
-import org.apache.hc.core5.http.Header;
-import org.apache.http.HttpStatus;
-import org.junit.Assert;
-import org.junit.Test;
-
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.xcontent.XContentType;
-import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-
-public class FlushCacheApiTest extends AbstractRestApiUnitTest {
-    private final String ENDPOINT;
-
-    protected String getEndpointPrefix() {
-        return PLUGINS_PREFIX;
-    }
-
-    public FlushCacheApiTest() {
-        ENDPOINT = getEndpointPrefix() + "/api/cache";
-    }
-
-    @Test
-    public void testFlushCache() throws Exception {
-
-        setup();
-
-        // Only DELETE is allowed for flush cache
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-
-        // GET
-        HttpResponse response = rh.executeGetRequest(ENDPOINT);
-        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
-        Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(settings.get("message"), "Method GET not supported for this action.");
-
-        // PUT
-        response = rh.executePutRequest(ENDPOINT, "{}", new Header[0]);
-        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
-        settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(settings.get("message"), "Method PUT not supported for this action.");
-
-        // POST
-        response = rh.executePostRequest(ENDPOINT, "{}", new Header[0]);
-        Assert.assertEquals(HttpStatus.SC_NOT_IMPLEMENTED, response.getStatusCode());
-        settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(settings.get("message"), "Method POST not supported for this action.");
-
-        // DELETE
-        response = rh.executeDeleteRequest(ENDPOINT, new Header[0]);
-        Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-        settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(settings.get("message"), "Cache flushed successfully.");
-
-    }
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
deleted file mode 100644
index 925d90ccba..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAccountApiTests.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api.legacy;
-
-import org.opensearch.security.dlic.rest.api.AccountApiTest;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-
-public class LegacyAccountApiTests extends AccountApiTest {
-    @Override
-    protected String getEndpointPrefix() {
-        return LEGACY_OPENDISTRO_PREFIX;
-    }
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
deleted file mode 100644
index ee39f93ee0..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyDashboardsInfoActionTests.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api.legacy;
-
-import org.opensearch.security.dlic.rest.api.DashboardsInfoActionTest;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-
-public class LegacyDashboardsInfoActionTests extends DashboardsInfoActionTest {
-    @Override
-    protected String getEndpoint() {
-        return LEGACY_OPENDISTRO_PREFIX + "/kibanainfo";
-    }
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java
deleted file mode 100644
index df9cc3d59d..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyFlushCacheApiTests.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api.legacy;
-
-import org.opensearch.security.dlic.rest.api.FlushCacheApiTest;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-
-public class LegacyFlushCacheApiTests extends FlushCacheApiTest {
-    @Override
-    protected String getEndpointPrefix() {
-        return LEGACY_OPENDISTRO_PREFIX;
-    }
-}

From cb3496234268d900aa1fb2b1c33d47ff2bdf80a8 Mon Sep 17 00:00:00 2001
From: Derek Ho <dxho@amazon.com>
Date: Mon, 15 Apr 2024 14:08:04 -0400
Subject: [PATCH 124/143] Move Dave Lago to emeritus (#4235)

Signed-off-by: Derek Ho <dxho@amazon.com>
---
 .github/CODEOWNERS | 2 +-
 MAINTAINERS.md     | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5041f4b625..3b3a442b83 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @cliu123 @cwperks @DarshitChanpura @davidlago @peternied @RyanL1997 @scrawfor99 @reta @willyborankin
+* @cliu123 @cwperks @DarshitChanpura @peternied @RyanL1997 @scrawfor99 @reta @willyborankin
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index f27e192923..bafadc11bd 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -16,7 +16,6 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
 | ---------------- | ----------------------------------------------------- | ----------- |
 | Chang Liu        | [cliu123](https://github.com/cliu123)                 | Amazon      |
 | Darshit Chanpura | [DarshitChanpura](https://github.com/DarshitChanpura) | Amazon      |
-| Dave Lago        | [davidlago](https://github.com/davidlago)             | Amazon      |
 | Peter Nied       | [peternied](https://github.com/peternied)             | Amazon      |
 | Craig Perkins    | [cwperks](https://github.com/cwperks)                 | Amazon      |
 | Ryan Liang       | [RyanL1997](https://github.com/RyanL1997)             | Amazon      |
@@ -24,6 +23,12 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
 | Andriy Redko     | [reta](https://github.com/reta)                       | Aiven       |
 | Andrey Pleskach  | [willyborankin](https://github.com/willyborankin)     | Aiven       |
 
+## Emeritus
+
+| Maintainer    | GitHub ID                                           | Affiliation |
+| ------------- | --------------------------------------------------- | ----------- |
+| Dave Lago     | [davidlago](https://github.com/davidlago)           | Contributor |
+
 ## Practices
 
 ### Updating Practices

From 0bfe7653b0f50ff6b6757411af4e49d9784a063b Mon Sep 17 00:00:00 2001
From: Aayush Singhal <42822023+Aayush8394@users.noreply.github.com>
Date: Tue, 16 Apr 2024 20:16:04 +0530
Subject: [PATCH 125/143] Handle exceptions for adding request body audit log
 if rest request is invalid (#4232)

Signed-off-by: Aayush Singhal <siaayush@amazon.com>
---
 .../security/auditlog/impl/AuditMessage.java  |  7 ++-
 .../auditlog/impl/AuditMessageTest.java       | 44 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 716e141ffd..bf3395f193 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -27,6 +27,8 @@
 import com.google.common.annotations.VisibleForTesting;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.hc.core5.net.URIBuilder;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 import org.opensearch.ExceptionsHelper;
 import org.opensearch.cluster.service.ClusterService;
@@ -59,6 +61,8 @@
 
 public final class AuditMessage {
 
+    private static final Logger log = LogManager.getLogger(AuditMessage.class);
+
     // clustername and cluster uuid
     private static final WildcardMatcher AUTHORIZATION_HEADER = WildcardMatcher.from("Authorization", false);
     private static final String SENSITIVE_KEY = "password";
@@ -417,8 +421,9 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
                     } else {
                         auditInfo.put(REQUEST_BODY, requestBody);
                     }
-                } catch (IOException e) {
+                } catch (Exception e) {
                     auditInfo.put(REQUEST_BODY, "ERROR: Unable to generate request body");
+                    log.error("Error while generating request body for audit log", e);
                 }
             }
         }
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index 3b7fc916ef..08e4c2ea61 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -26,9 +26,16 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.common.bytes.BytesArray;
 import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.http.HttpChannel;
+import org.opensearch.http.HttpRequest;
+import org.opensearch.rest.RestRequest;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.config.AuditConfig;
+import org.opensearch.security.filter.SecurityRequest;
+import org.opensearch.security.filter.SecurityRequestFactory;
 import org.opensearch.security.securityconf.impl.CType;
 
 import static org.junit.Assert.assertEquals;
@@ -155,4 +162,41 @@ public void testBCryptHashIsRedacted() {
         message.addSecurityConfigTupleToRequestBody(new Tuple<>(XContentType.JSON, ref), internalUsersDocId);
         assertEquals("Hash in tuple is __HASH__", message.getAsMap().get(AuditMessage.REQUEST_BODY));
     }
+
+    @Test
+    public void testRequestBodyLoggingWithInvalidSourceOrContentTypeParam() {
+        when(auditConfig.getFilter().shouldLogRequestBody()).thenReturn(true);
+
+        HttpRequest httpRequest = mock(HttpRequest.class);
+
+        // No content or Source paramater
+        when(httpRequest.uri()).thenReturn("");
+        when(httpRequest.content()).thenReturn(new BytesArray(new byte[0]));
+
+        RestRequest restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
+        SecurityRequest request = SecurityRequestFactory.from(restRequest);
+
+        message.addRestRequestInfo(request, auditConfig.getFilter());
+        assertNull(message.getAsMap().get(AuditMessage.REQUEST_BODY));
+
+        // No source parameter, content present but Invalid content-type header
+        when(httpRequest.uri()).thenReturn("");
+        when(httpRequest.content()).thenReturn(new BytesArray(new byte[1]));
+
+        restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
+        request = SecurityRequestFactory.from(restRequest);
+
+        message.addRestRequestInfo(request, auditConfig.getFilter());
+        assertEquals("ERROR: Unable to generate request body", message.getAsMap().get(AuditMessage.REQUEST_BODY));
+
+        // No content, source parameter present but Invalid source-content-type parameter
+        when(httpRequest.uri()).thenReturn("/aaaa?source=request_body");
+        when(httpRequest.content()).thenReturn(new BytesArray(new byte[0]));
+
+        restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
+        request = SecurityRequestFactory.from(restRequest);
+
+        message.addRestRequestInfo(request, auditConfig.getFilter());
+        assertEquals("ERROR: Unable to generate request body", message.getAsMap().get(AuditMessage.REQUEST_BODY));
+    }
 }

From 9a85f23e88725f7447a407e180f3536539fb5736 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 18 Apr 2024 03:09:11 -0400
Subject: [PATCH 126/143] Add getProperty.org.bouncycastle.pkcs12.default to
 plugin-security.policy (#4265)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 plugin-security.policy | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugin-security.policy b/plugin-security.policy
index 2969e47b04..d4e1fe6998 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -63,6 +63,7 @@ grant {
   permission java.security.SecurityPermission "removeProviderProperty.BC";
   permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
   permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 
   permission java.lang.RuntimePermission "accessUserInformation";
   

From a528c9135f48dfa07c058d7ff6dbc21d9fe1eb4d Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Thu, 18 Apr 2024 15:12:49 -0400
Subject: [PATCH 127/143] Ensure that challenge response contains body (#4233)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../opensearch/security/ResourceFocusedTests.java   | 10 +++++++---
 .../opensearch/security/http/BasicAuthTests.java    | 13 +++++++++++++
 .../security/http/HTTPBasicAuthenticator.java       |  6 +++++-
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java b/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java
index 61a1e32023..7264a33542 100644
--- a/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java
+++ b/src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java
@@ -41,6 +41,8 @@
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
@@ -127,11 +129,13 @@ private void runResourceTest(
             final var requests = AsyncActions.generate(() -> {
                 final HttpPost post = new HttpPost(client.getHttpServerUri() + requestPath);
                 post.setEntity(new ByteArrayEntity(compressedRequestBody, ContentType.APPLICATION_JSON));
-                return client.executeRequest(post);
+                TestRestClient.HttpResponse response = client.executeRequest(post);
+                return response.getStatusCode();
             }, parrallelism, totalNumberOfRequests);
 
-            AsyncActions.getAll(requests, 2, TimeUnit.MINUTES)
-                .forEach((response) -> { response.assertStatusCode(HttpStatus.SC_UNAUTHORIZED); });
+            AsyncActions.getAll(requests, 2, TimeUnit.MINUTES).forEach((responseCode) -> {
+                assertThat(responseCode, equalTo(HttpStatus.SC_UNAUTHORIZED));
+            });
         }
     }
 
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicAuthTests.java
index 1e424ab115..a9888d281e 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicAuthTests.java
@@ -106,6 +106,19 @@ public void testBrowserShouldRequestForCredentials() {
         }
     }
 
+    @Test
+    public void shouldRespondWithChallengeWhenNoCredentialsArePresent() {
+        try (TestRestClient client = cluster.getRestClient()) {
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+            assertThat(response.getHeader("WWW-Authenticate"), is(notNullValue()));
+            assertThat(response.getHeader("WWW-Authenticate").getValue(), equalTo("Basic realm=\"OpenSearch Security\""));
+            assertThat(response.getBody(), equalTo("Unauthorized"));
+        }
+    }
+
     @Test
     public void testUserShouldNotHaveAssignedCustomAttributes() {
         try (TestRestClient client = cluster.getRestClient(TEST_USER)) {
diff --git a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
index ff07db147e..4aec26db3d 100644
--- a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java
@@ -68,7 +68,11 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
     @Override
     public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials creds) {
         return Optional.of(
-            new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""), "")
+            new SecurityResponse(
+                HttpStatus.SC_UNAUTHORIZED,
+                Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""),
+                "Unauthorized"
+            )
         );
     }
 

From b2142552bf876f4f1a252967e06d5201b8493cee Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Fri, 19 Apr 2024 10:21:58 -0400
Subject: [PATCH 128/143] Add
 getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy
 (#4269)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 plugin-security.policy | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugin-security.policy b/plugin-security.policy
index d4e1fe6998..6a78a5cc91 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -61,9 +61,10 @@ grant {
   permission java.security.SecurityPermission "putProviderProperty.BC";
   permission java.security.SecurityPermission "insertProvider.BC";
   permission java.security.SecurityPermission "removeProviderProperty.BC";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
   permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
   permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
-  permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 
   permission java.lang.RuntimePermission "accessUserInformation";
   

From 9cf5cdfb38fce6b47c1710c17a58a9b521680d69 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Apr 2024 10:48:17 -0400
Subject: [PATCH 129/143] Bump ch.qos.logback:logback-classic from 1.5.5 to
 1.5.6 (#4277)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a4e4a7d037..bbba0600da 100644
--- a/build.gradle
+++ b/build.gradle
@@ -496,7 +496,7 @@ configurations {
             force "org.apache.httpcomponents:httpcore:4.4.16"
             force "com.google.errorprone:error_prone_annotations:2.26.1"
             force "org.checkerframework:checker-qual:3.42.0"
-            force "ch.qos.logback:logback-classic:1.5.5"
+            force "ch.qos.logback:logback-classic:1.5.6"
         }
     }
 

From 630f40b7bfeef392c1e4acbf80b1eb5d05acdc3e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Apr 2024 10:48:48 -0400
Subject: [PATCH 130/143] Bump Wandalen/wretry.action from 3.3.0 to 3.4.0
 (#4276)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 94fbf11765..75174cd260 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v3.3.0
+        uses: Wandalen/wretry.action@v3.4.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

From c09fad59f26b56e0e4f43086b0709571d2aedaf1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Apr 2024 10:49:07 -0400
Subject: [PATCH 131/143] Bump org.apache.commons:commons-text from 1.11.0 to
 1.12.0 (#4278)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index bbba0600da..445a6457b2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -634,7 +634,7 @@ dependencies {
     implementation "com.nulab-inc:zxcvbn:1.9.0"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.2'
-    runtimeOnly 'org.apache.commons:commons-text:1.11.0'
+    runtimeOnly 'org.apache.commons:commons-text:1.12.0'
     runtimeOnly "org.glassfish.jaxb:jaxb-runtime:${jaxb_version}"
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'

From 0d7af4d37e1f1b6dca25ed8edbf8c2cf3f131742 Mon Sep 17 00:00:00 2001
From: Terry Quigley <77437788+terryquigleysas@users.noreply.github.com>
Date: Tue, 23 Apr 2024 15:50:08 +0100
Subject: [PATCH 132/143] Replace bouncy castle blake2b (#4275)

Signed-off-by: Terry Quigley <terry.quigley@sas.com>
---
 build.gradle                                             | 1 +
 .../opensearch/security/configuration/MaskedField.java   | 9 ++++++---
 .../opensearch/security/test/helper/rest/RestHelper.java | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 445a6457b2..ad0a58313f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -580,6 +580,7 @@ dependencies {
     implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
     implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
+    implementation 'com.rfksystems:blake2b:2.0.0'
 
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"
diff --git a/src/main/java/org/opensearch/security/configuration/MaskedField.java b/src/main/java/org/opensearch/security/configuration/MaskedField.java
index 8cb20ccdfe..2636047568 100644
--- a/src/main/java/org/opensearch/security/configuration/MaskedField.java
+++ b/src/main/java/org/opensearch/security/configuration/MaskedField.java
@@ -21,9 +21,10 @@
 
 import com.google.common.base.Splitter;
 import org.apache.lucene.util.BytesRef;
-import org.bouncycastle.crypto.digests.Blake2bDigest;
 import org.bouncycastle.util.encoders.Hex;
 
+import com.rfksystems.blake2b.Blake2b;
+
 public class MaskedField {
 
     private final String name;
@@ -164,10 +165,12 @@ private String customHash(String in) {
     }
 
     private byte[] blake2bHash(byte[] in) {
-        final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
+        // Salt is passed incorrectly but order of parameters is retained at present to ensure full backwards compatibility
+        // Tracking with https://github.com/opensearch-project/security/issues/4274
+        final Blake2b hash = new Blake2b(null, 32, null, defaultSalt);
         hash.update(in, 0, in.length);
         final byte[] out = new byte[hash.getDigestSize()];
-        hash.doFinal(out, 0);
+        hash.digest(out, 0);
         return Hex.encode(out);
     }
 
diff --git a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
index c137591825..1710a93875 100644
--- a/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
+++ b/src/test/java/org/opensearch/security/test/helper/rest/RestHelper.java
@@ -397,7 +397,7 @@ public static class HttpResponse {
         public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException {
             super();
             this.inner = inner;
-            if (inner.getBody() == null) { // head request does not have a entity
+            if (inner.getBody() == null) { // head request does not have an entity
                 this.body = "";
             } else {
                 this.body = inner.getBodyText();

From 6b9762b17ac109c268b7cfc58ad42e39c4349615 Mon Sep 17 00:00:00 2001
From: lily <easytdnow@gmail.com>
Date: Fri, 26 Apr 2024 08:41:53 +0900
Subject: [PATCH 133/143] System index permission grants reading access to
 documents in the index (#4201)

Signed-off-by: llilyy <easytdnow@gmail.com>
Co-authored-by: hyeonyoung-na <hyeonyoung.na@navercorp.com>
---
 .../SecurityIndexSearcherWrapper.java         | 19 ++++++++++++++++++
 .../privileges/PrivilegesEvaluator.java       |  2 +-
 .../security/securityconf/ConfigModelV6.java  | 20 +++++++++++++++++++
 .../security/securityconf/ConfigModelV7.java  | 18 +++++++++++++++++
 .../security/securityconf/SecurityRoles.java  |  2 ++
 .../SecurityRolesPermissionsV6Test.java       | 11 ++++++++++
 .../SystemIndexPermissionEnabledTests.java    |  3 ++-
 7 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
index b2008861aa..0602cb0bed 100644
--- a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
@@ -41,6 +41,7 @@
 import org.opensearch.index.IndexService;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.securityconf.ConfigModel;
+import org.opensearch.security.securityconf.SecurityRoles;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.HeaderHelper;
 import org.opensearch.security.support.WildcardMatcher;
@@ -64,6 +65,8 @@ public class SecurityIndexSearcherWrapper implements CheckedFunction<DirectoryRe
     private final Boolean systemIndexEnabled;
     private final WildcardMatcher systemIndexMatcher;
 
+    private final Boolean systemIndexPermissionEnabled;
+
     // constructor is called per index, so avoid costly operations here
     public SecurityIndexSearcherWrapper(
         final IndexService indexService,
@@ -91,6 +94,11 @@ public SecurityIndexSearcherWrapper(
             ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT
         );
         this.systemIndexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY));
+
+        this.systemIndexPermissionEnabled = settings.getAsBoolean(
+            ConfigConstants.SECURITY_SYSTEM_INDICES_PERMISSIONS_ENABLED_KEY,
+            ConfigConstants.SECURITY_SYSTEM_INDICES_PERMISSIONS_DEFAULT
+        );
     }
 
     @Subscribe
@@ -144,6 +152,17 @@ protected final boolean isBlockedProtectedIndexRequest() {
     }
 
     protected final boolean isBlockedSystemIndexRequest() {
+        if (systemIndexPermissionEnabled) {
+            final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+            if (user == null) {
+                // allow request without user from plugin.
+                return systemIndexMatcher.test(index.getName());
+            }
+            final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+            final Set<String> mappedRoles = evaluator.mapRoles(user, caller);
+            final SecurityRoles securityRoles = evaluator.getSecurityRoles(mappedRoles);
+            return !securityRoles.isPermittedOnSystemIndex(index.getName());
+        }
         return systemIndexMatcher.test(index.getName());
     }
 
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 06e41a2aaa..872c2c37f2 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -193,7 +193,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
         this.dcm = dcm;
     }
 
-    private SecurityRoles getSecurityRoles(Set<String> roles) {
+    public SecurityRoles getSecurityRoles(Set<String> roles) {
         return configModel.getSecurityRoles().filter(roles);
     }
 
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
index 3650057d63..e35fb40a24 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -542,6 +542,26 @@ public boolean impliesTypePermGlobal(
             roles.stream().forEach(p -> ipatterns.addAll(p.getIpatterns()));
             return ConfigModelV6.impliesTypePerm(ipatterns, resolved, user, actions, resolver, cs);
         }
+
+        @Override
+        public boolean isPermittedOnSystemIndex(String indexName) {
+            boolean isPatternMatched = false;
+            boolean isPermitted = false;
+            for (SecurityRole role : roles) {
+                for (IndexPattern ip : role.getIpatterns()) {
+                    WildcardMatcher wildcardMatcher = WildcardMatcher.from(ip.indexPattern);
+                    if (wildcardMatcher.test(indexName)) {
+                        isPatternMatched = true;
+                    }
+                    for (TypePerm tp : ip.getTypePerms()) {
+                        if (tp.perms.contains(ConfigConstants.SYSTEM_INDEX_PERMISSION)) {
+                            isPermitted = true;
+                        }
+                    }
+                }
+            }
+            return isPatternMatched && isPermitted;
+        }
     }
 
     public static class SecurityRole {
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index 473e224538..5c776dffa9 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -563,6 +563,24 @@ private boolean containsDlsFlsConfig() {
 
             return false;
         }
+
+        @Override
+        public boolean isPermittedOnSystemIndex(String indexName) {
+            boolean isPatternMatched = false;
+            boolean isPermitted = false;
+            for (SecurityRole role : roles) {
+                for (IndexPattern ip : role.getIpatterns()) {
+                    WildcardMatcher wildcardMatcher = WildcardMatcher.from(ip.indexPattern);
+                    if (wildcardMatcher.test(indexName)) {
+                        isPatternMatched = true;
+                    }
+                    if (ip.perms.contains(ConfigConstants.SYSTEM_INDEX_PERMISSION)) {
+                        isPermitted = true;
+                    }
+                }
+            }
+            return isPatternMatched && isPermitted;
+        }
     }
 
     public static class SecurityRole {
diff --git a/src/main/java/org/opensearch/security/securityconf/SecurityRoles.java b/src/main/java/org/opensearch/security/securityconf/SecurityRoles.java
index 079853d581..fb25e1a21f 100644
--- a/src/main/java/org/opensearch/security/securityconf/SecurityRoles.java
+++ b/src/main/java/org/opensearch/security/securityconf/SecurityRoles.java
@@ -96,4 +96,6 @@ Set<String> getAllPermittedIndicesForDashboards(
     );
 
     SecurityRoles filter(Set<String> roles);
+
+    boolean isPermittedOnSystemIndex(String indexName);
 }
diff --git a/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsV6Test.java b/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsV6Test.java
index ace182bcda..530db3211b 100644
--- a/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsV6Test.java
+++ b/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsV6Test.java
@@ -126,6 +126,17 @@ public void hasExplicitIndexPermission() {
         );
     }
 
+    @Test
+    public void isPermittedOnSystemIndex() {
+        final SecurityRoles securityRoleWithExplicitAccess = configModel.getSecurityRoles()
+            .filter(ImmutableSet.of("has_system_index_permission"));
+        Assert.assertTrue(securityRoleWithExplicitAccess.isPermittedOnSystemIndex(TEST_INDEX));
+
+        final SecurityRoles securityRoleWithStarAccess = configModel.getSecurityRoles()
+            .filter(ImmutableSet.of("all_access_without_system_index_permission"));
+        Assert.assertFalse(securityRoleWithStarAccess.isPermittedOnSystemIndex(TEST_INDEX));
+    }
+
     static <T> SecurityDynamicConfiguration<T> createRolesConfig() throws IOException {
         final ObjectNode rolesNode = DefaultObjectMapper.objectMapper.createObjectNode();
         NO_EXPLICIT_SYSTEM_INDEX_PERMISSION.forEach(rolesNode::set);
diff --git a/src/test/java/org/opensearch/security/system_indices/SystemIndexPermissionEnabledTests.java b/src/test/java/org/opensearch/security/system_indices/SystemIndexPermissionEnabledTests.java
index b44b014d17..7db072761f 100644
--- a/src/test/java/org/opensearch/security/system_indices/SystemIndexPermissionEnabledTests.java
+++ b/src/test/java/org/opensearch/security/system_indices/SystemIndexPermissionEnabledTests.java
@@ -79,7 +79,8 @@ public void testSearchAsNormalUser() throws Exception {
             if (index.equals(ACCESSIBLE_ONLY_BY_SUPER_ADMIN) || index.equals(SYSTEM_INDEX_WITH_NO_ASSOCIATED_ROLE_PERMISSIONS)) {
                 validateForbiddenResponse(response, "", normalUser);
             } else {
-                validateSearchResponse(response, 0);
+                // got 1 hits because system index permissions are enabled
+                validateSearchResponse(response, 1);
             }
         }
 

From b3bfbd4752ec24a2d33d3f6dedb9f2deb002a585 Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Fri, 26 Apr 2024 11:03:59 -0500
Subject: [PATCH 134/143] Use predictable serialization logic for transport
 headers (#4264)

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../transport/SecuritySSLRequestHandler.java  |  3 +-
 .../security/support/ConfigConstants.java     |  2 --
 .../security/support/SerializationFormat.java | 35 +++++++++++++++++++
 .../transport/SecurityInterceptor.java        | 30 +++++++++-------
 .../security/support/Base64HelperTest.java    | 23 ++++++++++++
 .../transport/SecurityInterceptorTests.java   | 28 ++++++++-------
 .../SecuritySSLRequestHandlerTests.java       | 24 +++++++++++--
 7 files changed, 115 insertions(+), 30 deletions(-)
 create mode 100644 src/main/java/org/opensearch/security/support/SerializationFormat.java

diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
index 078c822357..7002171595 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
@@ -34,6 +34,7 @@
 import org.opensearch.security.ssl.util.ExceptionUtils;
 import org.opensearch.security.ssl.util.SSLRequestHelper;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.SerializationFormat;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportChannel;
@@ -92,7 +93,7 @@ public final void messageReceived(T request, TransportChannel channel, Task task
 
         threadContext.putTransient(
             ConfigConstants.USE_JDK_SERIALIZATION,
-            channel.getVersion().before(ConfigConstants.FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION)
+            SerializationFormat.determineFormat(channel.getVersion()) == SerializationFormat.JDK
         );
 
         if (SSLRequestHelper.containsBadHeader(threadContext, "_opendistro_security_ssl_")) {
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index 5169d02d20..9c671a80f9 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -35,7 +35,6 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 
-import org.opensearch.Version;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auditlog.impl.AuditCategory;
 
@@ -334,7 +333,6 @@ public enum RolesMappingResolution {
     public static final String TENANCY_GLOBAL_TENANT_DEFAULT_NAME = "";
 
     public static final String USE_JDK_SERIALIZATION = "plugins.security.use_jdk_serialization";
-    public static final Version FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION = Version.V_2_11_0;
 
     // On-behalf-of endpoints settings
     // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
diff --git a/src/main/java/org/opensearch/security/support/SerializationFormat.java b/src/main/java/org/opensearch/security/support/SerializationFormat.java
new file mode 100644
index 0000000000..210a5cf6a5
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/SerializationFormat.java
@@ -0,0 +1,35 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.support;
+
+import org.opensearch.Version;
+
+public enum SerializationFormat {
+    /** Uses Java's native serialization system */
+    JDK,
+    /** Uses a custom serializer built ontop of OpenSearch 2.11 */
+    CustomSerializer_2_11;
+
+    private static final Version FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION = Version.V_2_11_0;
+    private static final Version CUSTOM_SERIALIZATION_NO_LONGER_SUPPORTED_OS_VERSION = Version.V_2_14_0;
+
+    /**
+     * Determines the format of serialization that should be used from a version identifier
+     */
+    public static SerializationFormat determineFormat(final Version version) {
+        if (version.onOrAfter(FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION)
+            && version.before(CUSTOM_SERIALIZATION_NO_LONGER_SUPPORTED_OS_VERSION)) {
+            return SerializationFormat.CustomSerializer_2_11;
+        }
+        return SerializationFormat.JDK;
+    }
+}
diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
index f791cd013a..f55d9ac338 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
@@ -62,6 +62,7 @@
 import org.opensearch.security.support.Base64Helper;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.HeaderHelper;
+import org.opensearch.security.support.SerializationFormat;
 import org.opensearch.security.user.User;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.Transport.Connection;
@@ -150,7 +151,8 @@ public <T extends TransportResponse> void sendRequestDecorate(
         final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS);
 
         final boolean isDebugEnabled = log.isDebugEnabled();
-        final boolean useJDKSerialization = connection.getVersion().before(ConfigConstants.FIRST_CUSTOM_SERIALIZATION_SUPPORTED_OS_VERSION);
+
+        final var serializationFormat = SerializationFormat.determineFormat(connection.getVersion());
         final boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode());
 
         try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) {
@@ -228,17 +230,20 @@ && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROL
                 );
             }
 
-            if (useJDKSerialization) {
-                Map<String, String> jdkSerializedHeaders = new HashMap<>();
-                HeaderHelper.getAllSerializedHeaderNames()
-                    .stream()
-                    .filter(k -> headerMap.get(k) != null)
-                    .forEach(k -> jdkSerializedHeaders.put(k, Base64Helper.ensureJDKSerialized(headerMap.get(k))));
-                headerMap.putAll(jdkSerializedHeaders);
+            try {
+                if (serializationFormat == SerializationFormat.JDK) {
+                    Map<String, String> jdkSerializedHeaders = new HashMap<>();
+                    HeaderHelper.getAllSerializedHeaderNames()
+                        .stream()
+                        .filter(k -> headerMap.get(k) != null)
+                        .forEach(k -> jdkSerializedHeaders.put(k, Base64Helper.ensureJDKSerialized(headerMap.get(k))));
+                    headerMap.putAll(jdkSerializedHeaders);
+                }
+                getThreadContext().putHeader(headerMap);
+            } catch (IllegalArgumentException iae) {
+                log.debug("Failed to add headers information onto on thread context", iae);
             }
 
-            getThreadContext().putHeader(headerMap);
-
             ensureCorrectHeaders(
                 remoteAddress0,
                 user0,
@@ -246,7 +251,7 @@ && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROL
                 injectedUserString,
                 injectedRolesString,
                 isSameNodeRequest,
-                useJDKSerialization
+                serializationFormat
             );
 
             if (actionTraceEnabled.get()) {
@@ -275,7 +280,7 @@ private void ensureCorrectHeaders(
         final String injectedUserString,
         final String injectedRolesString,
         final boolean isSameNodeRequest,
-        final boolean useJDKSerialization
+        final SerializationFormat format
     ) {
         // keep original address
 
@@ -313,6 +318,7 @@ && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADE
                 getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUserString);
             }
         } else {
+            final var useJDKSerialization = format == SerializationFormat.JDK;
             if (transportAddress != null) {
                 getThreadContext().putHeader(
                     ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER,
diff --git a/src/test/java/org/opensearch/security/support/Base64HelperTest.java b/src/test/java/org/opensearch/security/support/Base64HelperTest.java
index 3bc81aaebc..32d96767d8 100644
--- a/src/test/java/org/opensearch/security/support/Base64HelperTest.java
+++ b/src/test/java/org/opensearch/security/support/Base64HelperTest.java
@@ -11,12 +11,17 @@
 package org.opensearch.security.support;
 
 import java.io.Serializable;
+import java.util.HashMap;
+import java.util.stream.IntStream;
 
 import org.junit.Assert;
 import org.junit.Test;
 
+import static org.hamcrest.Matchers.closeTo;
+import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.security.support.Base64Helper.deserializeObject;
 import static org.opensearch.security.support.Base64Helper.serializeObject;
+import static org.junit.Assert.assertThat;
 
 public class Base64HelperTest {
 
@@ -48,4 +53,22 @@ public void testEnsureJDKSerialized() {
         Assert.assertEquals(jdkSerialized, Base64Helper.ensureJDKSerialized(jdkSerialized));
         Assert.assertEquals(jdkSerialized, Base64Helper.ensureJDKSerialized(customSerialized));
     }
+
+    @Test
+    public void testDuplicatedItemSizes() {
+        var largeObject = new HashMap<String, Object>();
+        var hm = new HashMap<>();
+        IntStream.range(0, 100).forEach(i -> { hm.put("c" + i, "cvalue" + i); });
+        IntStream.range(0, 100).forEach(i -> { largeObject.put("b" + i, hm); });
+
+        final var jdkSerialized = Base64Helper.serializeObject(largeObject, true);
+        final var customSerialized = Base64Helper.serializeObject(largeObject, false);
+        final var customSerializedOnlyHashMap = Base64Helper.serializeObject(hm, false);
+
+        assertThat(jdkSerialized.length(), equalTo(3832));
+        // The custom serializer is ~50x larger than the jdk serialized version
+        assertThat(customSerialized.length(), equalTo(184792));
+        // Show that the majority of the size of the custom serialized large object is the map duplicated ~100 times
+        assertThat((double) customSerializedOnlyHashMap.length(), closeTo(customSerialized.length() / 100, 70d));
+    }
 }
diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
index 4b3636a000..8d902ed498 100644
--- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
+++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
@@ -12,8 +12,9 @@
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -120,7 +121,7 @@ public class SecurityInterceptorTests {
 
     private AsyncSender sender;
     private AsyncSender serializedSender;
-    private AsyncSender nullSender;
+    private AtomicReference<CountDownLatch> senderLatch = new AtomicReference<>(new CountDownLatch(1));
 
     @Before
     public void setup() {
@@ -208,6 +209,7 @@ public <T extends TransportResponse> void sendRequest(
             ) {
                 String serializedUserHeader = threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
                 assertEquals(serializedUserHeader, Base64Helper.serializeObject(user, true));
+                senderLatch.get().countDown();
             }
         };
 
@@ -222,6 +224,7 @@ public <T extends TransportResponse> void sendRequest(
             ) {
                 User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
                 assertEquals(transientUser, user);
+                senderLatch.get().countDown();
             }
         };
 
@@ -249,17 +252,16 @@ final void completableRequestDecorate(
         TransportResponseHandler handler,
         DiscoveryNode localNode
     ) {
+        securityInterceptor.sendRequestDecorate(sender, connection, action, request, options, handler, localNode);
+        verifyOriginalContext(user);
+        try {
+            senderLatch.get().await(1, TimeUnit.SECONDS);
+        } catch (final InterruptedException e) {
+            throw new RuntimeException(e);
+        }
 
-        ExecutorService singleThreadExecutor = Executors.newSingleThreadExecutor();
-
-        singleThreadExecutor.execute(() -> {
-            try {
-                securityInterceptor.sendRequestDecorate(sender, connection, action, request, options, handler, localNode);
-                verifyOriginalContext(user);
-            } finally {
-                singleThreadExecutor.shutdown();
-            }
-        });
+        // Reset the latch so another request can be processed
+        senderLatch.set(new CountDownLatch(1));
     }
 
     @Test
diff --git a/src/test/java/org/opensearch/security/transport/SecuritySSLRequestHandlerTests.java b/src/test/java/org/opensearch/security/transport/SecuritySSLRequestHandlerTests.java
index 2d10b6f84f..c63c8d26ae 100644
--- a/src/test/java/org/opensearch/security/transport/SecuritySSLRequestHandlerTests.java
+++ b/src/test/java/org/opensearch/security/transport/SecuritySSLRequestHandlerTests.java
@@ -94,9 +94,19 @@ public void testUseJDKSerializationHeaderIsSetOnMessageReceived() throws Excepti
         Assert.assertFalse(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
 
         threadPool.getThreadContext().stashContext();
-        when(transportChannel.getVersion()).thenReturn(Version.V_3_0_0);
+        when(transportChannel.getVersion()).thenReturn(Version.V_2_13_0);
         Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, transportChannel, task));
         Assert.assertFalse(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
+
+        threadPool.getThreadContext().stashContext();
+        when(transportChannel.getVersion()).thenReturn(Version.V_2_14_0);
+        Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, transportChannel, task));
+        Assert.assertTrue(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
+
+        threadPool.getThreadContext().stashContext();
+        when(transportChannel.getVersion()).thenReturn(Version.V_3_0_0);
+        Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, transportChannel, task));
+        Assert.assertTrue(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
     }
 
     @Test
@@ -118,9 +128,19 @@ public void testUseJDKSerializationHeaderIsSetWithWrapperChannel() throws Except
         Assert.assertFalse(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
 
         threadPool.getThreadContext().stashContext();
-        when(transportChannel.getVersion()).thenReturn(Version.V_3_0_0);
+        when(transportChannel.getVersion()).thenReturn(Version.V_2_13_0);
         Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, wrappedChannel, task));
         Assert.assertFalse(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
+
+        threadPool.getThreadContext().stashContext();
+        when(transportChannel.getVersion()).thenReturn(Version.V_2_14_0);
+        Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, wrappedChannel, task));
+        Assert.assertTrue(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
+
+        threadPool.getThreadContext().stashContext();
+        when(transportChannel.getVersion()).thenReturn(Version.V_3_0_0);
+        Assert.assertThrows(Exception.class, () -> securitySSLRequestHandler.messageReceived(transportRequest, wrappedChannel, task));
+        Assert.assertTrue(threadPool.getThreadContext().getTransient(ConfigConstants.USE_JDK_SERIALIZATION));
     }
 
     @Test

From fe61282ca82c9529b7c49e160b55cb37326a813b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Apr 2024 07:12:32 -0400
Subject: [PATCH 135/143] Bump derek-ho/start-opensearch from 3 to 4 (#4292)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/plugin_install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml
index 6fa8c74beb..8cfcd156ae 100644
--- a/.github/workflows/plugin_install.yml
+++ b/.github/workflows/plugin_install.yml
@@ -40,7 +40,7 @@ jobs:
         shell: bash
 
       - name: Run Opensearch with A Single Plugin
-        uses: derek-ho/start-opensearch@v3
+        uses: derek-ho/start-opensearch@v4
         with:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugins: "file:$(pwd)/${{ env.PLUGIN_NAME }}.zip"

From 14281a20f59916177488bd27a7d13d8564ad6f4a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Apr 2024 07:57:36 -0400
Subject: [PATCH 136/143] Bump com.google.errorprone:error_prone_annotations
 from 2.26.1 to 2.27.0 (#4294)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index ad0a58313f..a2e3f70378 100644
--- a/build.gradle
+++ b/build.gradle
@@ -494,7 +494,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.26.1"
+            force "com.google.errorprone:error_prone_annotations:2.27.0"
             force "org.checkerframework:checker-qual:3.42.0"
             force "ch.qos.logback:logback-classic:1.5.6"
         }
@@ -605,7 +605,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.16.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.26.1'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.27.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.7'

From b396a31581918b01eecd2ea3dfa9fc046ee6d5f4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Apr 2024 08:08:23 -0400
Subject: [PATCH 137/143] Bump com.netflix.nebula.ospackage from 11.8.1 to
 11.9.0 (#4296)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index a2e3f70378..134c9d5386 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,7 +64,7 @@ plugins {
     id 'maven-publish'
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.8.1"
+    id 'com.netflix.nebula.ospackage' version "11.9.0"
     id "org.gradle.test-retry" version "1.5.8"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"

From 7ccc09ec2f61189cc0c5f4dc50a410b7373062b9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Apr 2024 08:58:04 -0400
Subject: [PATCH 138/143] Bump org.gradle.test-retry from 1.5.8 to 1.5.9
 (#4295)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 134c9d5386..70bf7ff601 100644
--- a/build.gradle
+++ b/build.gradle
@@ -65,7 +65,7 @@ plugins {
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
     id 'com.netflix.nebula.ospackage' version "11.9.0"
-    id "org.gradle.test-retry" version "1.5.8"
+    id "org.gradle.test-retry" version "1.5.9"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"
     id "com.google.osdetector" version "1.7.3"

From b525839171954f1bc0568528b386eaab363b8c3c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Apr 2024 09:43:21 -0400
Subject: [PATCH 139/143] Bump commons-codec:commons-codec from 1.16.1 to
 1.17.0 (#4293)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 70bf7ff601..4fe975e00b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -469,7 +469,7 @@ bundlePlugin {
 configurations {
     all {
         resolutionStrategy {
-            force 'commons-codec:commons-codec:1.16.1'
+            force 'commons-codec:commons-codec:1.17.0'
             force 'org.slf4j:slf4j-api:1.7.36'
             force 'org.scala-lang:scala-library:2.13.13'
             force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
@@ -603,7 +603,7 @@ dependencies {
 
     runtimeOnly 'com.sun.activation:jakarta.activation:1.2.2'
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
-    runtimeOnly 'commons-codec:commons-codec:1.16.1'
+    runtimeOnly 'commons-codec:commons-codec:1.17.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.6'
     compileOnly 'com.google.errorprone:error_prone_annotations:2.27.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'

From 6d35a0af9de48620f9c6d5b2c67b094713ca8c3e Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Mon, 29 Apr 2024 17:48:58 +0200
Subject: [PATCH 140/143] REST API tests refactoring (Part 3) (#4253)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../rest/api/SecurityHealthActionTest.java    | 48 -------------------
 .../LegacySecurityHealthActionTests.java      | 23 ---------
 2 files changed, 71 deletions(-)
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java

diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java
deleted file mode 100644
index e239050612..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityHealthActionTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api;
-
-import org.apache.http.HttpStatus;
-import org.junit.Assert;
-import org.junit.Test;
-
-import org.opensearch.common.settings.Settings;
-import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.security.test.helper.rest.RestHelper;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-
-public class SecurityHealthActionTest extends AbstractRestApiUnitTest {
-    private final String ENDPOINT;
-
-    protected String getEndpointPrefix() {
-        return PLUGINS_PREFIX;
-    }
-
-    public SecurityHealthActionTest() {
-        ENDPOINT = getEndpointPrefix();
-    }
-
-    @Test
-    public void testSecurityHealthAPI() throws Exception {
-        Settings settings = Settings.builder()
-            .put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true)
-            .build();
-        setup(settings);
-
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-
-        RestHelper.HttpResponse response = rh.executeGetRequest(ENDPOINT + "/health");
-        Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
-    }
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java
deleted file mode 100644
index 99fa4a99ae..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityHealthActionTests.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api.legacy;
-
-import org.opensearch.security.dlic.rest.api.SecurityHealthActionTest;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-
-public class LegacySecurityHealthActionTests extends SecurityHealthActionTest {
-    @Override
-    protected String getEndpointPrefix() {
-        return LEGACY_OPENDISTRO_PREFIX;
-    }
-}

From af358d0e41b9eb28b9cadc6eb7679e83bb083b84 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Wed, 1 May 2024 13:21:31 +0200
Subject: [PATCH 141/143] Fix spelling (#4305)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../security/dlic/rest/api/AbstractApiAction.java    |  6 +++---
 .../security/dlic/rest/api/FlushCacheApiAction.java  |  6 +++---
 .../security/dlic/rest/api/MigrateApiAction.java     | 12 ++++++------
 .../opensearch/security/dlic/rest/api/Responses.java |  2 +-
 .../security/dlic/rest/api/ValidateApiAction.java    |  4 ++--
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
index 157d44da73..bee0fe5579 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -74,7 +74,7 @@
 import static org.opensearch.security.dlic.rest.api.Responses.conflict;
 import static org.opensearch.security.dlic.rest.api.Responses.forbidden;
 import static org.opensearch.security.dlic.rest.api.Responses.forbiddenMessage;
-import static org.opensearch.security.dlic.rest.api.Responses.internalSeverError;
+import static org.opensearch.security.dlic.rest.api.Responses.internalServerError;
 import static org.opensearch.security.dlic.rest.api.Responses.payload;
 import static org.opensearch.security.dlic.rest.support.Utils.withIOException;
 
@@ -482,7 +482,7 @@ public final void onFailure(Exception e) {
             if (ExceptionsHelper.unwrapCause(e) instanceof VersionConflictEngineException) {
                 conflict(channel, e.getMessage());
             } else {
-                internalSeverError(channel, "Error " + e.getMessage());
+                internalServerError(channel, "Error " + e.getMessage());
             }
         }
 
@@ -579,7 +579,7 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie
 
         // check if .opendistro_security index has been initialized
         if (!ensureIndexExists()) {
-            return channel -> internalSeverError(channel, RequestContentValidator.ValidationError.SECURITY_NOT_INITIALIZED.message());
+            return channel -> internalServerError(channel, RequestContentValidator.ValidationError.SECURITY_NOT_INITIALIZED.message());
         }
 
         // check if request is authorized
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/FlushCacheApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/FlushCacheApiAction.java
index d6f5e24d7d..2f579ecbd9 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/FlushCacheApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/FlushCacheApiAction.java
@@ -28,7 +28,7 @@
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.threadpool.ThreadPool;
 
-import static org.opensearch.security.dlic.rest.api.Responses.internalSeverError;
+import static org.opensearch.security.dlic.rest.api.Responses.internalServerError;
 import static org.opensearch.security.dlic.rest.api.Responses.ok;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
@@ -73,7 +73,7 @@ private void flushCacheApiRequestHandlers(RequestHandler.RequestHandlersBuilder
                         public void onResponse(ConfigUpdateResponse configUpdateResponse) {
                             if (configUpdateResponse.hasFailures()) {
                                 LOGGER.error("Cannot flush cache due to", configUpdateResponse.failures().get(0));
-                                internalSeverError(
+                                internalServerError(
                                     channel,
                                     "Cannot flush cache due to " + configUpdateResponse.failures().get(0).getMessage() + "."
                                 );
@@ -86,7 +86,7 @@ public void onResponse(ConfigUpdateResponse configUpdateResponse) {
                         @Override
                         public void onFailure(final Exception e) {
                             LOGGER.error("Cannot flush cache due to", e);
-                            internalSeverError(channel, "Cannot flush cache due to " + e.getMessage() + ".");
+                            internalServerError(channel, "Cannot flush cache due to " + e.getMessage() + ".");
                         }
 
                     }
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java
index 7f1adecd3e..b66ff0d5f3 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/MigrateApiAction.java
@@ -61,7 +61,7 @@
 import org.opensearch.threadpool.ThreadPool;
 
 import static org.opensearch.security.dlic.rest.api.Responses.badRequest;
-import static org.opensearch.security.dlic.rest.api.Responses.internalSeverError;
+import static org.opensearch.security.dlic.rest.api.Responses.internalServerError;
 import static org.opensearch.security.dlic.rest.api.Responses.ok;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 // CS-ENFORCE-SINGLE
@@ -209,7 +209,7 @@ public void onResponse(CreateIndexResponse response) {
                                         }
                                     } catch (final IOException e1) {
                                         LOGGER.error("Unable to create bulk request " + e1, e1);
-                                        internalSeverError(channel, "Unable to create bulk request.");
+                                        internalServerError(channel, "Unable to create bulk request.");
                                         return;
                                     }
 
@@ -226,7 +226,7 @@ public void onResponse(BulkResponse response) {
                                                             "Unable to upload migrated configuration because of "
                                                                 + response.buildFailureMessage()
                                                         );
-                                                        internalSeverError(
+                                                        internalServerError(
                                                             channel,
                                                             "Unable to upload migrated configuration (bulk index failed)."
                                                         );
@@ -240,7 +240,7 @@ public void onResponse(BulkResponse response) {
                                                 @Override
                                                 public void onFailure(Exception e) {
                                                     LOGGER.error("Unable to upload migrated configuration because of " + e, e);
-                                                    internalSeverError(channel, "Unable to upload migrated configuration.");
+                                                    internalServerError(channel, "Unable to upload migrated configuration.");
                                                 }
                                             }
                                         )
@@ -251,7 +251,7 @@ public void onFailure(Exception e) {
                                 @Override
                                 public void onFailure(Exception e) {
                                     LOGGER.error("Unable to create opendistro_security index because of " + e, e);
-                                    internalSeverError(channel, "Unable to create opendistro_security index.");
+                                    internalServerError(channel, "Unable to create opendistro_security index.");
                                 }
                             });
 
@@ -263,7 +263,7 @@ public void onFailure(Exception e) {
                 @Override
                 public void onFailure(Exception e) {
                     LOGGER.error("Unable to delete opendistro_security index because of " + e, e);
-                    internalSeverError(channel, "Unable to delete opendistro_security index.");
+                    internalServerError(channel, "Unable to delete opendistro_security index.");
                 }
             });
 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java b/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java
index 4f895d1a91..f0d90af6a0 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java
@@ -50,7 +50,7 @@ public static void conflict(final RestChannel channel, final String message) {
         response(channel, RestStatus.CONFLICT, message);
     }
 
-    public static void internalSeverError(final RestChannel channel, final String message) {
+    public static void internalServerError(final RestChannel channel, final String message) {
         response(channel, RestStatus.INTERNAL_SERVER_ERROR, message);
     }
 
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/ValidateApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/ValidateApiAction.java
index 93f1cd35c3..1d56ed80f9 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/ValidateApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/ValidateApiAction.java
@@ -40,7 +40,7 @@
 import org.opensearch.threadpool.ThreadPool;
 
 import static org.opensearch.security.dlic.rest.api.Responses.badRequest;
-import static org.opensearch.security.dlic.rest.api.Responses.internalSeverError;
+import static org.opensearch.security.dlic.rest.api.Responses.internalServerError;
 import static org.opensearch.security.dlic.rest.api.Responses.ok;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
 
@@ -125,7 +125,7 @@ protected void validate(RestChannel channel, RestRequest request) throws IOExcep
 
             ok(channel, "OK.");
         } catch (Exception e) {
-            internalSeverError(channel, "Configuration is not valid.");
+            internalServerError(channel, "Configuration is not valid.");
         }
     }
 

From 753e318013a252211eddf6b9112e0e821a9ae74d Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Wed, 1 May 2024 09:55:01 -0400
Subject: [PATCH 142/143] Release notes for 2.14 (#4307)

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>
---
 ...nsearch-security.release-notes-2.14.0.0.md | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 release-notes/opensearch-security.release-notes-2.14.0.0.md

diff --git a/release-notes/opensearch-security.release-notes-2.14.0.0.md b/release-notes/opensearch-security.release-notes-2.14.0.0.md
new file mode 100644
index 0000000000..2d089866f9
--- /dev/null
+++ b/release-notes/opensearch-security.release-notes-2.14.0.0.md
@@ -0,0 +1,39 @@
+## Version 2.14.0.0
+
+Compatible with OpenSearch 2.14.0
+
+### Enhancements
+* Check for and perform upgrades on security configurations ([#4251](https://github.com/opensearch-project/security/pull/4251))
+* Replace bouncy castle blake2b ([#4284](https://github.com/opensearch-project/security/pull/4284))
+* Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails ([#4228](https://github.com/opensearch-project/security/pull/4228))
+* Dynamic sign in options ([#4137](https://github.com/opensearch-project/security/pull/4137))
+* Add index permissions for query insights exporters ([#4231](https://github.com/opensearch-project/security/pull/4231))
+* Add new stop words system index ([#4181](https://github.com/opensearch-project/security/pull/4181))
+* Switch to built-in security transports from core ([#4119](https://github.com/opensearch-project/security/pull/4119)) ([#4174](https://github.com/opensearch-project/security/pull/4174)) ([#4187](https://github.com/opensearch-project/security/pull/4187))
+* System index permission grants reading access to documents in the index ([#4291](https://github.com/opensearch-project/security/pull/4291))
+* Improve cluster initialization reliability ([#4002](https://github.com/opensearch-project/security/pull/4002)) ([#4256](https://github.com/opensearch-project/security/pull/4256))
+
+### Bug Fixes
+* Ensure that challenge response contains body ([#4268](https://github.com/opensearch-project/security/pull/4268))
+* Add logging for audit log that are unable to saving the request body ([#4272](https://github.com/opensearch-project/security/pull/4272))
+* Use predictable serialization logic for transport headers ([#4288](https://github.com/opensearch-project/security/pull/4288))
+* Update Log4JSink Default from sgaudit to audit and add test for default values ([#4155](https://github.com/opensearch-project/security/pull/4155))
+* Remove Pom task dependencies rewrite ([#4178](https://github.com/opensearch-project/security/pull/4178)) ([#4186](https://github.com/opensearch-project/security/pull/4186))
+* Misc changes for tests ([#4184](https://github.com/opensearch-project/security/pull/4184))
+* Add simple roles mapping integ test to test mapping of backend role to role ([#4176](https://github.com/opensearch-project/security/pull/4176))
+
+### Maintenance
+* Add getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy ([#4270](https://github.com/opensearch-project/security/pull/4270))
+* Add getProperty.org.bouncycastle.pkcs12.default to plugin-security.policy ([#4266](https://github.com/opensearch-project/security/pull/4266))
+* Bump apache_cxf_version from 4.0.3 to 4.0.4 ([#4287](https://github.com/opensearch-project/security/pull/4287))
+* Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.5 ([#4248](https://github.com/opensearch-project/security/pull/4248))
+* Bump codecov/codecov-action from v3 to v4 ([#4237](https://github.com/opensearch-project/security/pull/4237))
+* Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 ([#4195](https://github.com/opensearch-project/security/pull/4195))
+* Bump com.google.googlejavaformat:google-java-format from 1.21.0 to 1.22.0 ([#4220](https://github.com/opensearch-project/security/pull/4220))
+* Bump commons-io:commons-io from 2.15.1 to 2.16.1 ([#4196](https://github.com/opensearch-project/security/pull/4196)) ([#4246](https://github.com/opensearch-project/security/pull/4246))
+* Bump com.nulab-inc:zxcvbn from 1.8.2 to 1.9.0 ([#4219](https://github.com/opensearch-project/security/pull/4219))
+* Bump io.dropwizard.metrics:metrics-core from 4.2.15 to 4.2.25 ([#4193](https://github.com/opensearch-project/security/pull/4193)) ([#4197](https://github.com/opensearch-project/security/pull/4197))
+* Bump net.shibboleth.utilities:java-support from 8.4.1 to 8.4.2 ([#4245](https://github.com/opensearch-project/security/pull/4245))
+* Bump spring_version from 5.3.33 to 5.3.34 ([#4250](https://github.com/opensearch-project/security/pull/4250))
+* Bump Wandalen/wretry.action from 1.4.10 to 3.3.0 ([#4167](https://github.com/opensearch-project/security/pull/4167)) ([#4198](https://github.com/opensearch-project/security/pull/4198)) ([#4221](https://github.com/opensearch-project/security/pull/4221)) ([#4247](https://github.com/opensearch-project/security/pull/4247))
+* Bump open_saml_version from 4.3.0 to 4.3.2 ([#4303](https://github.com/opensearch-project/security/pull/4303)) ([#4239](https://github.com/opensearch-project/security/pull/4239))

From f130915daa969643c3996e0500e2bdbf3499c674 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach <ples@aiven.io>
Date: Wed, 1 May 2024 16:19:24 +0200
Subject: [PATCH 143/143] REST API tests refactoring (Part 2) (#4252)

Signed-off-by: Andrey Pleskach <ples@aiven.io>
---
 .../api/SslCertsRestApiIntegrationTest.java   |  79 ++++++++
 .../certificate/TestCertificates.java         |  32 ++--
 .../test/framework/cluster/LocalCluster.java  |   3 +-
 .../cluster/LocalOpenSearchCluster.java       |  14 +-
 .../ssl/OpenSearchSecuritySSLPlugin.java      |   4 -
 .../security/ssl/SecurityKeyStore.java        |  22 +--
 .../dlic/rest/api/SslCertsApiTest.java        | 179 ------------------
 .../api/legacy/LegacySslCertsApiTest.java     |  29 ---
 8 files changed, 119 insertions(+), 243 deletions(-)
 create mode 100644 src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
 delete mode 100644 src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySslCertsApiTest.java

diff --git a/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
new file mode 100644
index 0000000000..61085d3f8a
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/api/SslCertsRestApiIntegrationTest.java
@@ -0,0 +1,79 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.api;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import org.junit.Test;
+
+import org.opensearch.security.dlic.rest.api.Endpoint;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
+
+public class SslCertsRestApiIntegrationTest extends AbstractApiIntegrationTest {
+
+    final static String REST_API_ADMIN_SSL_INFO = "rest-api-admin-ssl-info";
+
+    static {
+        clusterSettings.put(SECURITY_RESTAPI_ADMIN_ENABLED, true);
+        testSecurityConfig.withRestAdminUser(REST_ADMIN_USER, allRestAdminPermissions())
+            .withRestAdminUser(REST_API_ADMIN_SSL_INFO, restAdminPermission(Endpoint.SSL, CERTS_INFO_ACTION));
+    }
+
+    protected String sslCertsPath() {
+        return super.apiPath("ssl", "certs");
+    }
+
+    @Test
+    public void certsInfoForbiddenForRegularUser() throws Exception {
+        withUser(NEW_USER, client -> forbidden(() -> client.get(sslCertsPath())));
+    }
+
+    @Test
+    public void certsInfoForbiddenForAdminUser() throws Exception {
+        withUser(NEW_USER, client -> forbidden(() -> client.get(sslCertsPath())));
+    }
+
+    @Test
+    public void certsInfoAvailableForTlsAdmin() throws Exception {
+        withUser(ADMIN_USER_NAME, localCluster.getAdminCertificate(), this::verifySSLCertsInfo);
+    }
+
+    @Test
+    public void certsInfoAvailableForRestAdmin() throws Exception {
+        withUser(REST_ADMIN_USER, this::verifySSLCertsInfo);
+        withUser(REST_API_ADMIN_SSL_INFO, this::verifySSLCertsInfo);
+    }
+
+    private void verifySSLCertsInfo(final TestRestClient client) throws Exception {
+        final var response = ok(() -> client.get(sslCertsPath()));
+
+        final var body = response.bodyAsJsonNode();
+        assertThat(response.getBody(), body.has("http_certificates_list"));
+        assertThat(response.getBody(), body.get("http_certificates_list").isArray());
+        verifyCertsJson(body.get("http_certificates_list").get(0));
+        assertThat(response.getBody(), body.has("transport_certificates_list"));
+        assertThat(response.getBody(), body.get("transport_certificates_list").isArray());
+        verifyCertsJson(body.get("transport_certificates_list").get(0));
+    }
+
+    private void verifyCertsJson(final JsonNode jsonNode) {
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("issuer_dn"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("subject_dn"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.get("subject_dn").asText().matches(".*node-\\d.example.com+"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.get("san").asText().matches(".*node-\\d.example.com.*"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("not_before"));
+        assertThat(jsonNode.toPrettyString(), jsonNode.has("not_after"));
+    }
+
+}
diff --git a/src/integrationTest/java/org/opensearch/test/framework/certificate/TestCertificates.java b/src/integrationTest/java/org/opensearch/test/framework/certificate/TestCertificates.java
index 2dd1dd5eea..f5a936ce7b 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/certificate/TestCertificates.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/certificate/TestCertificates.java
@@ -55,9 +55,13 @@ public class TestCertificates {
 
     private static final Logger log = LogManager.getLogger(TestCertificates.class);
 
-    public static final Integer MAX_NUMBER_OF_NODE_CERTIFICATES = 3;
+    public static final Integer DEFAULT_NUMBER_OF_NODE_CERTIFICATES = 3;
+
+    public static final String CA_SUBJECT = "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA";
+
+    public static final String LDAP_SUBJECT = "DC=de,L=test,O=node,OU=node,CN=ldap.example.com";
+    public static final String NODE_SUBJECT_PATTERN = "DC=de,L=test,O=node,OU=node,CN=node-%d.example.com";
 
-    private static final String CA_SUBJECT = "DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Root CA,CN=Example Com Inc. Root CA";
     private static final String ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de";
     private static final int CERTIFICATE_VALIDITY_DAYS = 365;
     private static final String CERTIFICATE_FILE_EXT = ".cert";
@@ -66,13 +70,18 @@ public class TestCertificates {
     private final CertificateData adminCertificate;
     private final List<CertificateData> nodeCertificates;
 
+    private final int numberOfNodes;
+
     private final CertificateData ldapCertificate;
 
     public TestCertificates() {
+        this(DEFAULT_NUMBER_OF_NODE_CERTIFICATES);
+    }
+
+    public TestCertificates(final int numberOfNodes) {
         this.caCertificate = createCaCertificate();
-        this.nodeCertificates = IntStream.range(0, MAX_NUMBER_OF_NODE_CERTIFICATES)
-            .mapToObj(this::createNodeCertificate)
-            .collect(Collectors.toList());
+        this.numberOfNodes = numberOfNodes;
+        this.nodeCertificates = IntStream.range(0, this.numberOfNodes).mapToObj(this::createNodeCertificate).collect(Collectors.toList());
         this.ldapCertificate = createLdapCertificate();
         this.adminCertificate = createAdminCertificate(ADMIN_DN);
         log.info("Test certificates successfully generated");
@@ -109,7 +118,7 @@ public CertificateData getRootCertificateData() {
 
     /**
     * Certificate for Open Search node. The certificate is derived from root certificate, returned by method {@link #getRootCertificate()}
-    * @param node is a node index. It has to be less than {@link #MAX_NUMBER_OF_NODE_CERTIFICATES}
+    * @param node is a node index. It has to be less than {@link #DEFAULT_NUMBER_OF_NODE_CERTIFICATES}
     * @return file which contains certificate in PEM format, defined by <a href="https://www.rfc-editor.org/rfc/rfc1421.txt">RFC 1421</a>
     */
     public File getNodeCertificate(int node) {
@@ -123,18 +132,18 @@ public CertificateData getNodeCertificateData(int node) {
     }
 
     private void isCorrectNodeNumber(int node) {
-        if (node >= MAX_NUMBER_OF_NODE_CERTIFICATES) {
+        if (node >= numberOfNodes) {
             String message = String.format(
                 "Cannot get certificate for node %d, number of created certificates for nodes is %d",
                 node,
-                MAX_NUMBER_OF_NODE_CERTIFICATES
+                numberOfNodes
             );
             throw new RuntimeException(message);
         }
     }
 
     private CertificateData createNodeCertificate(Integer node) {
-        String subject = String.format("DC=de,L=test,O=node,OU=node,CN=node-%d.example.com", node);
+        final var subject = String.format(NODE_SUBJECT_PATTERN, node);
         String domain = String.format("node-%d.example.com", node);
         CertificateMetadata metadata = CertificateMetadata.basicMetadata(subject, CERTIFICATE_VALIDITY_DAYS)
             .withKeyUsage(false, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, CLIENT_AUTH, SERVER_AUTH)
@@ -150,8 +159,7 @@ public CertificateData issueUserCertificate(String organizationUnit, String user
     }
 
     private CertificateData createLdapCertificate() {
-        String subject = "DC=de,L=test,O=node,OU=node,CN=ldap.example.com";
-        CertificateMetadata metadata = CertificateMetadata.basicMetadata(subject, CERTIFICATE_VALIDITY_DAYS)
+        CertificateMetadata metadata = CertificateMetadata.basicMetadata(LDAP_SUBJECT, CERTIFICATE_VALIDITY_DAYS)
             .withKeyUsage(false, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, CLIENT_AUTH, SERVER_AUTH)
             .withSubjectAlternativeName(null, List.of("localhost"), "127.0.0.1");
         return CertificatesIssuerFactory.rsaBaseCertificateIssuer().issueSignedCertificate(metadata, caCertificate);
@@ -164,7 +172,7 @@ public CertificateData getLdapCertificateData() {
     /**
     * It returns private key associated with node certificate returned by method {@link #getNodeCertificate(int)}
     *
-    * @param node is a node index. It has to be less than {@link #MAX_NUMBER_OF_NODE_CERTIFICATES}
+    * @param node is a node index. It has to be less than {@link #DEFAULT_NUMBER_OF_NODE_CERTIFICATES}
     * @param privateKeyPassword is a password used to encode private key, can be <code>null</code> to retrieve unencrypted key.
     * @return file which contains private key encoded in PEM format, defined
     * by <a href="https://www.rfc-editor.org/rfc/rfc1421.txt">RFC 1421</a>
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
index 135f1fb481..894bb5baa9 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalCluster.java
@@ -141,7 +141,6 @@ public void before() {
             }
 
             for (Map.Entry<String, LocalCluster> entry : remotes.entrySet()) {
-                @SuppressWarnings("resource")
                 InetSocketAddress transportAddress = entry.getValue().localOpenSearchCluster.clusterManagerNode().getTransportAddress();
                 String key = "cluster.remote." + entry.getKey() + ".seeds";
                 String value = transportAddress.getHostString() + ":" + transportAddress.getPort();
@@ -509,7 +508,7 @@ public Builder defaultConfigurationInitDirectory(String defaultConfigurationInit
         public LocalCluster build() {
             try {
                 if (testCertificates == null) {
-                    testCertificates = new TestCertificates();
+                    testCertificates = new TestCertificates(clusterManager.getNodes());
                 }
                 clusterName += "_" + num.incrementAndGet();
                 Settings settings = nodeOverrideSettingsBuilder.build();
diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
index 5e9fd75326..8a14daeb2d 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/LocalOpenSearchCluster.java
@@ -105,6 +105,8 @@ public class LocalOpenSearchCluster {
 
     private File snapshotDir;
 
+    private int nodeCounter = 0;
+
     public LocalOpenSearchCluster(
         String clusterName,
         ClusterManager clusterManager,
@@ -163,7 +165,6 @@ public void start() throws Exception {
         this.initialClusterManagerHosts = toHostList(clusterManagerPorts);
 
         started = true;
-
         CompletableFuture<Void> clusterManagerNodeFuture = startNodes(
             clusterManager.getClusterManagerNodeSettings(),
             clusterManagerNodeTransportPorts,
@@ -195,7 +196,6 @@ public void start() throws Exception {
         log.info("Startup finished. Waiting for GREEN");
 
         waitForCluster(ClusterHealthStatus.GREEN, TimeValue.timeValueSeconds(10), nodes.size());
-
         log.info("Started: {}", this);
 
     }
@@ -303,10 +303,10 @@ private CompletableFuture<Void> startNodes(
         List<CompletableFuture<StartStage>> futures = new ArrayList<>();
 
         for (NodeSettings nodeSettings : nodeSettingList) {
-            Node node = new Node(nodeSettings, transportPortIterator.next(), httpPortIterator.next());
+            Node node = new Node(nodeCounter, nodeSettings, transportPortIterator.next(), httpPortIterator.next());
             futures.add(node.start());
+            nodeCounter += 1;
         }
-
         return CompletableFuture.allOf(futures.toArray(new CompletableFuture[0]));
     }
 
@@ -386,8 +386,10 @@ public class Node implements OpenSearchClientProvider {
         private PluginAwareNode node;
         private boolean running = false;
         private boolean portCollision = false;
+        private final int nodeNumber;
 
-        Node(NodeSettings nodeSettings, int transportPort, int httpPort) {
+        Node(int nodeNumber, NodeSettings nodeSettings, int transportPort, int httpPort) {
+            this.nodeNumber = nodeNumber;
             this.nodeName = createNextNodeName(requireNonNull(nodeSettings, "Node settings are required."));
             this.nodeSettings = nodeSettings;
             this.nodeHomeDir = new File(clusterHomeDir, nodeName);
@@ -517,7 +519,7 @@ private Settings getOpenSearchSettings() {
 
             if (nodeSettingsSupplier != null) {
                 // TODO node number
-                return Settings.builder().put(settings).put(nodeSettingsSupplier.get(0)).build();
+                return Settings.builder().put(settings).put(nodeSettingsSupplier.get(nodeNumber)).build();
             }
             return settings;
         }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 073193e9d4..e6a1b47888 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -134,10 +134,6 @@ public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPl
     protected final SSLConfig SSLConfig;
     protected volatile ThreadPool threadPool;
 
-    // public OpenSearchSecuritySSLPlugin(final Settings settings, final Path configPath) {
-    // this(settings, configPath, false);
-    // }
-
     @SuppressWarnings("removal")
     protected OpenSearchSecuritySSLPlugin(final Settings settings, final Path configPath, boolean disabled) {
 
diff --git a/src/main/java/org/opensearch/security/ssl/SecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/SecurityKeyStore.java
index 03b5df2100..29083d6d6b 100644
--- a/src/main/java/org/opensearch/security/ssl/SecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/SecurityKeyStore.java
@@ -23,25 +23,25 @@
 
 public interface SecurityKeyStore {
 
-    public SSLEngine createHTTPSSLEngine() throws SSLException;
+    SSLEngine createHTTPSSLEngine() throws SSLException;
 
-    public SSLEngine createServerTransportSSLEngine() throws SSLException;
+    SSLEngine createServerTransportSSLEngine() throws SSLException;
 
-    public SSLEngine createClientTransportSSLEngine(String peerHost, int peerPort) throws SSLException;
+    SSLEngine createClientTransportSSLEngine(String peerHost, int peerPort) throws SSLException;
 
-    public String getHTTPProviderName();
+    String getHTTPProviderName();
 
-    public String getTransportServerProviderName();
+    String getTransportServerProviderName();
 
-    public String getTransportClientProviderName();
+    String getTransportClientProviderName();
 
-    public String getSubjectAlternativeNames(X509Certificate cert);
+    String getSubjectAlternativeNames(X509Certificate cert);
 
-    public void initHttpSSLConfig();
+    void initHttpSSLConfig();
 
-    public void initTransportSSLConfig();
+    void initTransportSSLConfig();
 
-    public X509Certificate[] getTransportCerts();
+    X509Certificate[] getTransportCerts();
 
-    public X509Certificate[] getHttpCerts();
+    X509Certificate[] getHttpCerts();
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
deleted file mode 100644
index 8617555925..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SslCertsApiTest.java
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api;
-
-import java.util.List;
-import java.util.Map;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableMap;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import org.apache.hc.core5.http.Header;
-import org.apache.http.HttpStatus;
-import org.junit.Assert;
-import org.junit.Test;
-
-import org.opensearch.common.settings.Settings;
-import org.opensearch.security.DefaultObjectMapper;
-import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
-
-public class SslCertsApiTest extends AbstractRestApiUnitTest {
-
-    static final String HTTP_CERTS = "http";
-
-    static final String TRANSPORT_CERTS = "transport";
-
-    private final static List<Map<String, String>> EXPECTED_CERTIFICATES = ImmutableList.of(
-        ImmutableMap.of(
-            "issuer_dn",
-            "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
-            "subject_dn",
-            "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE",
-            "san",
-            "[[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
-            "not_before",
-            "2018-05-05T14:37:09Z",
-            "not_after",
-            "2028-05-02T14:37:09Z"
-        ),
-        ImmutableMap.of(
-            "issuer_dn",
-            "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com",
-            "subject_dn",
-            "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
-            "san",
-            "",
-            "not_before",
-            "2018-05-05T14:37:08Z",
-            "not_after",
-            "2028-05-04T14:37:08Z"
-        )
-    );
-
-    private final static String EXPECTED_CERTIFICATES_BY_TYPE;
-    static {
-        try {
-            EXPECTED_CERTIFICATES_BY_TYPE = DefaultObjectMapper.objectMapper.writeValueAsString(
-                ImmutableMap.of("http_certificates_list", EXPECTED_CERTIFICATES, "transport_certificates_list", EXPECTED_CERTIFICATES)
-            );
-        } catch (JsonProcessingException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private final Header restApiAdminHeader = encodeBasicHeader("rest_api_admin_user", "rest_api_admin_user");
-    private final Header restApiCertsInfoAdminHeader = encodeBasicHeader("rest_api_admin_ssl_info", "rest_api_admin_ssl_info");
-
-    private final Header restApiReloadCertsAdminHeader = encodeBasicHeader(
-        "rest_api_admin_ssl_reloadcerts",
-        "rest_api_admin_ssl_reloadcerts"
-    );
-
-    private final Header restApiHeader = encodeBasicHeader("test", "test");
-
-    public String certsInfoEndpoint() {
-        return PLUGINS_PREFIX + "/api/ssl/certs";
-    }
-
-    public String certsReloadEndpoint(final String certType) {
-        return String.format("%s/api/ssl/%s/reloadcerts", PLUGINS_PREFIX, certType);
-    }
-
-    private void verifyHasNoAccess() throws Exception {
-        final Header adminCredsHeader = encodeBasicHeader("admin", "admin");
-        // No creds, no admin certificate - UNAUTHORIZED
-        rh.sendAdminCertificate = false;
-        HttpResponse response = rh.executeGetRequest(certsInfoEndpoint());
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_UNAUTHORIZED, response.getStatusCode());
-
-        rh.sendAdminCertificate = false;
-        response = rh.executeGetRequest(certsInfoEndpoint(), adminCredsHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        response = rh.executeGetRequest(certsInfoEndpoint(), restApiHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-    }
-
-    @Test
-    public void testCertsInfo() throws Exception {
-        setup();
-        verifyHasNoAccess();
-        sendAdminCert();
-        HttpResponse response = rh.executeGetRequest(certsInfoEndpoint());
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
-        Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, response.getBody());
-
-    }
-
-    @Test
-    public void testCertsInfoRestAdmin() throws Exception {
-        setupWithRestRoles(Settings.builder().put(SECURITY_RESTAPI_ADMIN_ENABLED, true).build());
-        verifyHasNoAccess();
-        rh.sendAdminCertificate = false;
-        Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, loadCerts(restApiAdminHeader));
-        Assert.assertEquals(EXPECTED_CERTIFICATES_BY_TYPE, loadCerts(restApiCertsInfoAdminHeader));
-    }
-
-    private String loadCerts(final Header... header) throws Exception {
-        HttpResponse response = rh.executeGetRequest(certsInfoEndpoint(), restApiAdminHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
-        return response.getBody();
-    }
-
-    @Test
-    public void testReloadCertsNotAvailableByDefault() throws Exception {
-        setupWithRestRoles();
-
-        sendAdminCert();
-        verifyReloadCertsNotAvailable(HttpStatus.SC_BAD_REQUEST);
-
-        rh.sendAdminCertificate = false;
-        verifyReloadCertsNotAvailable(HttpStatus.SC_FORBIDDEN, restApiAdminHeader);
-        verifyReloadCertsNotAvailable(HttpStatus.SC_FORBIDDEN, restApiReloadCertsAdminHeader);
-    }
-
-    private void verifyReloadCertsNotAvailable(final int expectedStatus, final Header... header) {
-        HttpResponse response = rh.executePutRequest(certsReloadEndpoint(HTTP_CERTS), "{}", header);
-        Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode());
-        response = rh.executePutRequest(certsReloadEndpoint(TRANSPORT_CERTS), "{}", header);
-        Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode());
-    }
-
-    @Test
-    public void testReloadCertsWrongCertsType() throws Exception {
-        setupWithRestRoles(reloadEnabled());
-        sendAdminCert();
-        HttpResponse response = rh.executePutRequest(certsReloadEndpoint("aaaaa"), "{}");
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-        rh.sendAdminCertificate = false;
-        response = rh.executePutRequest(certsReloadEndpoint("bbbb"), "{}", restApiAdminHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-        response = rh.executePutRequest(certsReloadEndpoint("cccc"), "{}", restApiReloadCertsAdminHeader);
-        Assert.assertEquals(response.getBody(), HttpStatus.SC_FORBIDDEN, response.getStatusCode());
-
-    }
-
-    private void sendAdminCert() {
-        rh.keystore = "restapi/kirk-keystore.jks";
-        rh.sendAdminCertificate = true;
-    }
-
-    Settings reloadEnabled() {
-        return Settings.builder().put(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, true).build();
-    }
-
-}
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySslCertsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySslCertsApiTest.java
deleted file mode 100644
index 5d1c3ae538..0000000000
--- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySslCertsApiTest.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.dlic.rest.api.legacy;
-
-import org.opensearch.security.dlic.rest.api.SslCertsApiTest;
-
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-
-public class LegacySslCertsApiTest extends SslCertsApiTest {
-
-    @Override
-    public String certsInfoEndpoint() {
-        return LEGACY_OPENDISTRO_PREFIX + "/api/ssl/certs";
-    }
-
-    @Override
-    public String certsReloadEndpoint(String certType) {
-        return String.format("%s/api/ssl/%s/reloadcerts", LEGACY_OPENDISTRO_PREFIX, certType);
-    }
-}