

Merge remote-tracking branch 'origin/main' into off-ramp-custom-seria…
…ilzer

Signed-off-by: Peter Nied <[email protected]>
peternied committed Apr 24, 2024
2 parents 7491446 + 0d7af4d commit 76b0804
Showing 8 changed files with 38 additions and 11 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -81,7 +81,7 @@ jobs:
working-directory: downloaded-artifacts

- name: Upload Coverage with retry
uses: Wandalen/wretry.action@v3.3.0
uses: Wandalen/wretry.action@v3.4.0
with:
attempt_limit: 5
attempt_delay: 2000
5 changes: 3 additions & 2 deletions build.gradle
Expand Up @@ -496,7 +496,7 @@ configurations {
force "org.apache.httpcomponents:httpcore:4.4.16"
force "com.google.errorprone:error_prone_annotations:2.26.1"
force "org.checkerframework:checker-qual:3.42.0"
force "ch.qos.logback:logback-classic:1.5.5"
force "ch.qos.logback:logback-classic:1.5.6"
}
}

Expand Down Expand Up @@ -580,6 +580,7 @@ dependencies {
implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
implementation 'org.ldaptive:ldaptive:1.2.3'
implementation 'com.nimbusds:nimbus-jose-jwt:9.37.3'
implementation 'com.rfksystems:blake2b:2.0.0'

//JWT
implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"
Expand Down Expand Up @@ -634,7 +635,7 @@ dependencies {
implementation "com.nulab-inc:zxcvbn:1.9.0"

runtimeOnly 'com.google.guava:failureaccess:1.0.2'
runtimeOnly 'org.apache.commons:commons-text:1.11.0'
runtimeOnly 'org.apache.commons:commons-text:1.12.0'
runtimeOnly "org.glassfish.jaxb:jaxb-runtime:${jaxb_version}"
runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
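Review bot: The new `com.rfksystems:blake2b:2.0.0` dependency on L44 adds a second BLAKE2b implementation alongside Bouncy Castle (L41), which already ships one, and nothing in the file records why a separate library is needed. The MaskedField change in this commit suggests the motive is keeping masked-value output stable, but a reader auditing the dependency list cannot tell that from here; a short comment above the line such as `// separate BLAKE2b implementation used by MaskedField; see issue 4274 for why bcprov's digest is not used` would preserve the rationale. The `dependencies {` block starts and ends outside the hunk.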
2 changes: 2 additions & 0 deletions plugin-security.policy
Expand Up @@ -61,6 +61,8 @@ grant {
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";
permission java.security.SecurityPermission "removeProviderProperty.BC";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";

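Review bot: The two `getProperty.org.bouncycastle.*` grants added on L64-L65 carry no indication of which code path reads those properties, so a later Bouncy Castle upgrade has no way to tell whether they can be dropped or whether further ones are needed. A comment above the new lines naming the trigger, e.g. `// read by the Bouncy Castle version pinned in build.gradle; revisit on upgrade`, would make the permission set auditable rather than accreted. The enclosing `grant {` block starts and ends outside the hunk.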
Expand Up @@ -41,6 +41,8 @@
import org.opensearch.test.framework.cluster.LocalCluster;
import org.opensearch.test.framework.cluster.TestRestClient;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.equalTo;
import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
Expand Down Expand Up @@ -127,11 +129,13 @@ private void runResourceTest(
final var requests = AsyncActions.generate(() -> {
final HttpPost post = new HttpPost(client.getHttpServerUri() + requestPath);
post.setEntity(new ByteArrayEntity(compressedRequestBody, ContentType.APPLICATION_JSON));
return client.executeRequest(post);
TestRestClient.HttpResponse response = client.executeRequest(post);
return response.getStatusCode();
}, parrallelism, totalNumberOfRequests);

AsyncActions.getAll(requests, 2, TimeUnit.MINUTES)
.forEach((response) -> { response.assertStatusCode(HttpStatus.SC_UNAUTHORIZED); });
AsyncActions.getAll(requests, 2, TimeUnit.MINUTES).forEach((responseCode) -> {
assertThat(responseCode, equalTo(HttpStatus.SC_UNAUTHORIZED));
});
}
}

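Review bot: Returning only `response.getStatusCode()` from the generator on L85-L86 and asserting the bare integer on L92 means a failing run reports nothing but the unexpected code, whereas the previous `assertStatusCode` call presumably had the whole response available for its message. Since the body is no longer carried out of the generator, at least attach the request context as the assertion reason, `assertThat("unexpected status for " + requestPath, responseCode, equalTo(HttpStatus.SC_UNAUTHORIZED));`, so a failure identifies which resource path produced it. A one-line comment explaining why only the status code is collected would also help the next reader. `runResourceTest` starts outside the hunk.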
Expand Up @@ -106,6 +106,19 @@ public void testBrowserShouldRequestForCredentials() {
}
}

@Test
public void shouldRespondWithChallengeWhenNoCredentialsArePresent() {
try (TestRestClient client = cluster.getRestClient()) {
HttpResponse response = client.getAuthInfo();

assertThat(response, is(notNullValue()));
response.assertStatusCode(SC_UNAUTHORIZED);
assertThat(response.getHeader("WWW-Authenticate"), is(notNullValue()));
assertThat(response.getHeader("WWW-Authenticate").getValue(), equalTo("Basic realm=\"OpenSearch Security\""));
assertThat(response.getBody(), equalTo("Unauthorized"));
}
}

@Test
public void testUserShouldNotHaveAssignedCustomAttributes() {
try (TestRestClient client = cluster.getRestClient(TEST_USER)) {
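Review bot: The new test's name on L104 drops the `test` prefix that every neighbouring method in this class uses (L99, L117); for consistency rename it to `testShouldRespondWithChallengeWhenNoCredentialsArePresent` or keep a single convention per class. Separately, `response.getHeader("WWW-Authenticate")` is looked up twice on L110-L111; binding it once, `final var challenge = response.getHeader("WWW-Authenticate");`, keeps the null check and the value check on the same object. The test method is fully within the hunk.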
Expand Up @@ -21,9 +21,10 @@

import com.google.common.base.Splitter;
import org.apache.lucene.util.BytesRef;
import org.bouncycastle.crypto.digests.Blake2bDigest;
import org.bouncycastle.util.encoders.Hex;

import com.rfksystems.blake2b.Blake2b;

public class MaskedField {

private final String name;
Expand Down Expand Up @@ -164,10 +165,12 @@ private String customHash(String in) {
}

private byte[] blake2bHash(byte[] in) {
final Blake2bDigest hash = new Blake2bDigest(null, 32, null, defaultSalt);
// Salt is passed incorrectly but order of parameters is retained at present to ensure full backwards compatibility
// Tracking with https://github.com/opensearch-project/security/issues/4274
final Blake2b hash = new Blake2b(null, 32, null, defaultSalt);
hash.update(in, 0, in.length);
final byte[] out = new byte[hash.getDigestSize()];
hash.doFinal(out, 0);
hash.digest(out, 0);
return Hex.encode(out);
}

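Review bot: The swap from `Blake2bDigest` to `Blake2b` on L140 and L144 is justified by backward compatibility of masked values, but nothing in the hunk checks it; a fixed-vector test calling `blake2bHash` on a known input and comparing against the hex output the Bouncy Castle implementation produced would turn that claim into something CI enforces. The comment on L138-L139 would also be clearer if it said what is wrong rather than just "passed incorrectly", e.g. `// defaultSalt is passed in the personalization slot, not the salt slot; kept as-is so existing masked values stay stable`. BLAKE2b personalization is a fixed 16-byte parameter, so if `defaultSalt` is not exactly 16 bytes, how each library handles the length mismatch is the point most likely to diverge and is worth confirming explicitly. `defaultSalt` is defined outside the hunk.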
Expand Up @@ -68,7 +68,11 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
@Override
public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials creds) {
return Optional.of(
new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""), "")
new SecurityResponse(
HttpStatus.SC_UNAUTHORIZED,
Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""),
"Unauthorized"
)
);
}

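Review bot: The response on L155-L159 now carries the plain-text body `Unauthorized`, but the header map still declares only `WWW-Authenticate`, so the content type the client sees is whatever `SecurityResponse` applies by default, which is not visible here. If that default is JSON, a bare text body under it is inconsistent and worth either confirming or making explicit by adding `"Content-Type", "text/plain"` to the `Map.of(...)` call. The body string is also asserted verbatim by the new test in this commit, so it has become part of the external contract; a comment noting that would discourage casual edits. `reRequestAuthentication` is fully within the hunk.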
Expand Up @@ -397,7 +397,7 @@ public static class HttpResponse {
public HttpResponse(SimpleHttpResponse inner) throws IllegalStateException, IOException {
super();
this.inner = inner;
if (inner.getBody() == null) { // head request does not have a entity
if (inner.getBody() == null) { // head request does not have an entity
this.body = "";
} else {
this.body = inner.getBodyText();

