fix config index masterkey pull up for multi-tenancy (opensearch-project#3700) (opensearch-project#3703)

* fix config index masterkey pull up for multi-tenancy

Signed-off-by: Dhrubo Saha <[email protected]>

* apply spotless

Signed-off-by: Dhrubo Saha <[email protected]>

* add more unit test

Signed-off-by: Dhrubo Saha <[email protected]>

* addressed comment

Signed-off-by: Dhrubo Saha <[email protected]>

* addressed comment

Signed-off-by: Dhrubo Saha <[email protected]>

* changing to OpenSearchException

Signed-off-by: Dhrubo Saha <[email protected]>

---------

Signed-off-by: Dhrubo Saha <[email protected]>
(cherry picked from commit 0f34877)

Co-authored-by: Dhrubo Saha <[email protected]>

Author: opensearch-trigger-bot[bot]

ml-algorithms/src/main/java/org/opensearch/ml/engine/encryptor/EncryptorImpl.java

@@ -25,6 +25,7 @@
 
 import javax.crypto.spec.SecretKeySpec;
 
+import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchStatusException;
 import org.opensearch.ResourceNotFoundException;
 import org.opensearch.action.get.GetResponse;
@@ -34,6 +35,7 @@
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.Strings;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.index.engine.VersionConflictEngineException;
 import org.opensearch.ml.common.exception.MLException;
 import org.opensearch.ml.engine.indices.MLIndicesHandler;
@@ -254,9 +256,20 @@ private void handleGetDataObjectSuccess(
         try {
             GetResponse getMasterKeyResponse = response.parser() == null ? null : GetResponse.fromXContent(response.parser());
             if (getMasterKeyResponse != null && getMasterKeyResponse.isExists()) {
-                this.tenantMasterKeys
-                    .put(Objects.requireNonNullElse(tenantId, DEFAULT_TENANT_ID), (String) response.source().get(masterKeyId));
-                log.info("ML encryption master key already initialized, no action needed");
+                Map<String, Object> source = getMasterKeyResponse.getSourceAsMap();
+                if (source != null) {
+                    Object keyValue = source.get(MASTER_KEY);
+                    if (keyValue instanceof String) {
+                        this.tenantMasterKeys.put(Objects.requireNonNullElse(tenantId, DEFAULT_TENANT_ID), (String) keyValue);
+                        log.info("ML encryption master key already initialized, no action needed");
+                    } else {
+                        log.error("Master key not found or not a string for tenantId: {}, masterKeyId: {}", tenantId, masterKeyId);
+                        exceptionRef.set(new ResourceNotFoundException(MASTER_KEY_NOT_READY_ERROR));
+                    }
+                } else {
+                    log.error("Master key not found or not a string for tenantId: {}, masterKeyId: {}", tenantId, masterKeyId);
+                    exceptionRef.set(new ResourceNotFoundException(MASTER_KEY_NOT_READY_ERROR));
+                }
                 latch.countDown();
             } else {
                 initializeNewMasterKey(tenantId, masterKeyId, exceptionRef, latch, context);
@@ -351,7 +364,8 @@ private void handlePutDataObjectFailure(
         CountDownLatch latch
     ) {
         Exception cause = SdkClientUtils.unwrapAndConvertToException(throwable, OpenSearchStatusException.class);
-        if (cause instanceof VersionConflictEngineException) {
+        if (cause instanceof VersionConflictEngineException
+            || (cause instanceof OpenSearchException && ((OpenSearchException) cause).status() == RestStatus.CONFLICT)) {
             handleVersionConflict(tenantId, masterKeyId, context, exceptionRef, latch);
         } else {
             log.debug("Failed to index ML encryption master key to config index", cause);
@@ -416,9 +430,20 @@ private void handleVersionConflictResponse(
         } else {
             GetResponse getMasterKeyResponse = response1.parser() == null ? null : GetResponse.fromXContent(response1.parser());
             if (getMasterKeyResponse != null && getMasterKeyResponse.isExists()) {
-                this.tenantMasterKeys
-                    .put(Objects.requireNonNullElse(tenantId, DEFAULT_TENANT_ID), (String) response1.source().get(masterKeyId));
-                log.info("ML encryption master key already initialized, no action needed");
+                Map<String, Object> source = getMasterKeyResponse.getSourceAsMap();
+                if (source != null) {
+                    Object keyValue = source.get(MASTER_KEY);
+                    if (keyValue instanceof String) {
+                        this.tenantMasterKeys.put(Objects.requireNonNullElse(tenantId, DEFAULT_TENANT_ID), (String) keyValue);
+                        log.info("ML encryption master key already initialized, no action needed");
+                    } else {
+                        log.error("Master key not found or not a string for tenantId: {}, masterKeyId: {}", tenantId, masterKeyId);
+                        exceptionRef.set(new ResourceNotFoundException(MASTER_KEY_NOT_READY_ERROR));
+                    }
+                } else {
+                    log.error("Master key not found or not a string for tenantId: {}, masterKeyId: {}", tenantId, masterKeyId);
+                    exceptionRef.set(new ResourceNotFoundException(MASTER_KEY_NOT_READY_ERROR));
+                }
                 latch.countDown();
             } else {
                 exceptionRef.set(new ResourceNotFoundException(MASTER_KEY_NOT_READY_ERROR));

ml-algorithms/src/test/java/org/opensearch/ml/engine/encryptor/EncryptorImplTest.java

@@ -76,14 +76,15 @@ public class EncryptorImplTest {
     ThreadContext threadContext;
     final String USER_STRING = "myuser|role1,role2|myTenant";
     final String TENANT_ID = "myTenant";
+    final String GENERATED_MASTER_KEY = "m+dWmfmnNRiNlOdej/QelEkvMTyH//frS2TBeS2BP4w=";
 
     Encryptor encryptor;
 
     @Before
     public void setUp() {
         MockitoAnnotations.openMocks(this);
         masterKey = new ConcurrentHashMap<>();
-        masterKey.put(DEFAULT_TENANT_ID, "m+dWmfmnNRiNlOdej/QelEkvMTyH//frS2TBeS2BP4w=");
+        masterKey.put(DEFAULT_TENANT_ID, GENERATED_MASTER_KEY);
         sdkClient = SdkClientFactory.createSdkClient(client, NamedXContentRegistry.EMPTY, Collections.emptyMap());
 
         doAnswer(invocation -> {
@@ -483,8 +484,7 @@ public void initMasterKey_AddTenantMasterKeys() throws IOException {
         Assert.assertNotNull(tenantMasterKey);
 
         // Ensure that the master key for this tenant matches the expected value
-        String expectedMasterKeyId = MASTER_KEY + "_" + hashString(TENANT_ID);
-        Assert.assertEquals("m+dWmfmnNRiNlOdej/QelEkvMTyH//frS2TBeS2BP4w=", encryptor.getMasterKey(TENANT_ID));
+        Assert.assertEquals(GENERATED_MASTER_KEY, encryptor.getMasterKey(TENANT_ID));
     }
 
     @Test
@@ -514,24 +514,6 @@ public void encrypt_SdkClientPutDataObjectFailure() {
         encryptor.encrypt("test", null);
     }
 
-    @Test
-    public void handleVersionConflictResponse_ShouldThrowException_WhenRetryFails() throws IOException {
-        doAnswer(invocation -> {
-            ActionListener<Boolean> actionListener = (ActionListener) invocation.getArgument(0);
-            actionListener.onResponse(true);
-            return null;
-        }).when(mlIndicesHandler).initMLConfigIndex(any());
-
-        doAnswer(invocation -> {
-            ActionListener<GetResponse> actionListener = invocation.getArgument(1);
-            actionListener.onFailure(new IOException("Failed to get master key"));
-            return null;
-        }).when(client).get(any(), any());
-
-        exceptionRule.expect(MLException.class);
-        encryptor.encrypt("test", "someTenant");
-    }
-
     // Helper method to prepare a valid GetResponse
     private GetResponse prepareMLConfigResponse(String tenantId) throws IOException {
         // Compute the masterKeyId based on tenantId
@@ -543,8 +525,8 @@ private GetResponse prepareMLConfigResponse(String tenantId) throws IOException
         // Create the source map with the expected fields
         Map<String, Object> sourceMap = Map
             .of(
-                masterKeyId,
-                "m+dWmfmnNRiNlOdej/QelEkvMTyH//frS2TBeS2BP4w=", // Valid MASTER_KEY for this tenant
+                MASTER_KEY,
+                GENERATED_MASTER_KEY, // Valid MASTER_KEY for this tenant
                 CREATE_TIME_FIELD,
                 Instant.now().toEpochMilli()
             );
@@ -565,6 +547,231 @@ private GetResponse prepareMLConfigResponse(String tenantId) throws IOException
         return new GetResponse(getResult);
     }
 
+    @Test
+    public void encrypt_MasterKeyFieldMismatch_ShouldFallbackToProperKeyField() throws IOException {
+        // This test simulates the case where the document ID is `master_key_<hash>`
+        // but the actual `_source` only contains `master_key` (as expected in real DDB).
+
+        doAnswer(invocation -> {
+            ActionListener<Boolean> actionListener = (ActionListener) invocation.getArgument(0);
+            actionListener.onResponse(true); // init index success
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // Prepare a GetResponse where the _source has ONLY "master_key"
+        Map<String, Object> sourceMap = Map.of(MASTER_KEY, GENERATED_MASTER_KEY, CREATE_TIME_FIELD, Instant.now().toEpochMilli());
+
+        XContentBuilder builder = XContentFactory.jsonBuilder();
+        builder.startObject();
+        for (Map.Entry<String, Object> entry : sourceMap.entrySet()) {
+            builder.field(entry.getKey(), entry.getValue());
+        }
+        builder.endObject();
+
+        BytesReference sourceBytes = BytesReference.bytes(builder);
+        String masterKeyId = MASTER_KEY + "_" + hashString(TENANT_ID); // Simulate full hashed ID
+        GetResult getResult = new GetResult(ML_CONFIG_INDEX, masterKeyId, 1L, 1L, 1L, true, sourceBytes, null, null);
+        GetResponse getResponse = new GetResponse(getResult);
+
+        // Simulate Get API call returning a GetResponse with only "master_key" field
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onResponse(getResponse);
+            return null;
+        }).when(client).get(any(), any());
+
+        Encryptor encryptor = new EncryptorImpl(clusterService, client, sdkClient, mlIndicesHandler);
+
+        // Old buggy code would try to access response.source().get(masterKeyId) and get null
+        // This test ensures the new fix works — we access MASTER_KEY properly
+        String encrypted = encryptor.encrypt("test", TENANT_ID);
+        Assert.assertNotNull(encrypted);
+        Assert.assertEquals("test", encryptor.decrypt(encrypted, TENANT_ID));
+    }
+
+    @Test
+    public void encrypt_MasterKeyFieldExistsButNotString_ShouldThrowError() throws IOException {
+        doAnswer(invocation -> {
+            ActionListener<Boolean> actionListener = invocation.getArgument(0);
+            actionListener.onResponse(true);
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // Prepare _source with a non-string master key
+        Map<String, Object> sourceMap = Map
+            .of(
+                MASTER_KEY,
+                12345, // wrong type
+                CREATE_TIME_FIELD,
+                Instant.now().toEpochMilli()
+            );
+
+        XContentBuilder builder = XContentFactory.jsonBuilder().startObject();
+        for (Map.Entry<String, Object> entry : sourceMap.entrySet()) {
+            builder.field(entry.getKey(), entry.getValue());
+        }
+        builder.endObject();
+
+        BytesReference sourceBytes = BytesReference.bytes(builder);
+        String masterKeyId = MASTER_KEY + "_" + hashString(TENANT_ID);
+        GetResult getResult = new GetResult(ML_CONFIG_INDEX, masterKeyId, 1L, 1L, 1L, true, sourceBytes, null, null);
+        GetResponse getResponse = new GetResponse(getResult);
+
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onResponse(getResponse);
+            return null;
+        }).when(client).get(any(), any());
+
+        Encryptor encryptor = new EncryptorImpl(clusterService, client, sdkClient, mlIndicesHandler);
+
+        exceptionRule.expect(ResourceNotFoundException.class);
+        exceptionRule.expectMessage(MASTER_KEY_NOT_READY_ERROR);
+
+        encryptor.encrypt("test", TENANT_ID);
+    }
+
+    @Test
+    public void encrypt_MasterKeyFieldMissing_ShouldThrowError() throws IOException {
+        doAnswer(invocation -> {
+            ActionListener<Boolean> actionListener = invocation.getArgument(0);
+            actionListener.onResponse(true);
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // _source does not include the "master_key" field
+        Map<String, Object> sourceMap = Map.of(CREATE_TIME_FIELD, Instant.now().toEpochMilli());
+
+        XContentBuilder builder = XContentFactory.jsonBuilder().startObject();
+        for (Map.Entry<String, Object> entry : sourceMap.entrySet()) {
+            builder.field(entry.getKey(), entry.getValue());
+        }
+        builder.endObject();
+
+        BytesReference sourceBytes = BytesReference.bytes(builder);
+        String masterKeyId = MASTER_KEY + "_" + hashString(TENANT_ID);
+        GetResult getResult = new GetResult(ML_CONFIG_INDEX, masterKeyId, 1L, 1L, 1L, true, sourceBytes, null, null);
+        GetResponse getResponse = new GetResponse(getResult);
+
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onResponse(getResponse);
+            return null;
+        }).when(client).get(any(), any());
+
+        Encryptor encryptor = new EncryptorImpl(clusterService, client, sdkClient, mlIndicesHandler);
+
+        exceptionRule.expect(ResourceNotFoundException.class);
+        exceptionRule.expectMessage(MASTER_KEY_NOT_READY_ERROR);
+
+        encryptor.encrypt("test", TENANT_ID);
+    }
+
+    @Test
+    public void handleVersionConflictResponse_RetrySucceeds() throws IOException {
+        // Simulate successful ML Config Index initialization
+        doAnswer(invocation -> {
+            ActionListener<Boolean> listener = invocation.getArgument(0);
+            listener.onResponse(true);
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // First, simulate a version conflict on the initial PUT
+        doAnswer(invocation -> {
+            ActionListener<IndexResponse> listener = invocation.getArgument(1);
+            // Version conflict error is thrown
+            listener.onFailure(new VersionConflictEngineException(new ShardId(ML_CONFIG_INDEX, "index_uuid", 1), "test_id", "failed"));
+            return null;
+        }).when(client).index(any(), any());
+
+        // Simulate that after the version conflict, the GET call returns a valid master key document.
+        GetResponse validResponse = prepareMLConfigResponse(TENANT_ID);
+        // This GET call will be triggered twice (once for the version conflict GET and again in the normal flow),
+        // so we set up our stub to return a valid response each time.
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onResponse(validResponse);
+            return null;
+        }).when(client).get(any(), any());
+
+        // Now run encryption; it should handle the version conflict by fetching the key, and then succeed.
+        Encryptor encryptor = new EncryptorImpl(clusterService, client, sdkClient, mlIndicesHandler);
+        // This will go through the PUT failure, then version conflict handling, and use the returned key.
+        String encrypted = encryptor.encrypt("test", TENANT_ID);
+        Assert.assertNotNull(encrypted);
+        Assert.assertEquals("test", encryptor.decrypt(encrypted, TENANT_ID));
+    }
+
+    @Test
+    public void handleVersionConflictResponse_RetryFails() throws IOException {
+        // Simulate successful ML Config Index initialization
+        doAnswer(invocation -> {
+            ActionListener<Boolean> listener = invocation.getArgument(0);
+            listener.onResponse(true);
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // Simulate a version conflict on the initial PUT
+        doAnswer(invocation -> {
+            ActionListener<IndexResponse> listener = invocation.getArgument(1);
+            listener.onFailure(new VersionConflictEngineException(new ShardId(ML_CONFIG_INDEX, "index_uuid", 1), "test_id", "failed"));
+            return null;
+        }).when(client).index(any(), any());
+
+        // Simulate that the GET call in version conflict handling fails, e.g., by throwing an IOException.
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onFailure(new IOException("Failed to get master key on retry"));
+            return null;
+        }).when(client).get(any(), any());
+
+        Encryptor encryptor = new EncryptorImpl(clusterService, client, sdkClient, mlIndicesHandler);
+
+        // We expect an MLException (or a ResourceNotFoundException) to be thrown due to the failure in getting the key.
+        exceptionRule.expect(MLException.class);
+        exceptionRule.expectMessage("Failed to get master key"); // Or adjust based on your exact message.
+
+        encryptor.encrypt("test", TENANT_ID);
+    }
+
+    @Test
+    public void encrypt_GetSourceAsMapIsNull_ShouldThrowResourceNotFound() throws Exception {
+        exceptionRule.expect(ResourceNotFoundException.class);
+        exceptionRule.expectMessage(MASTER_KEY_NOT_READY_ERROR);
+
+        // Simulate ML config index init success
+        doAnswer(invocation -> {
+            ActionListener<Boolean> actionListener = (ActionListener) invocation.getArgument(0);
+            actionListener.onResponse(true);
+            return null;
+        }).when(mlIndicesHandler).initMLConfigIndex(any());
+
+        // Create a GetResult with null sourceBytes
+        String masterKeyId = MASTER_KEY + "_" + hashString(TENANT_ID);
+        GetResult getResult = new GetResult(
+            ML_CONFIG_INDEX,
+            masterKeyId,
+            1L,
+            1L,
+            1L,
+            true,  // exists = true
+            null,  // sourceBytes = null => getSourceAsMap() will return null
+            null,
+            null
+        );
+        GetResponse getResponse = new GetResponse(getResult);
+
+        // Mock the get response
+        doAnswer(invocation -> {
+            ActionListener<GetResponse> listener = invocation.getArgument(1);
+            listener.onResponse(getResponse);
+            return null;
+        }).when(client).get(any(), any());
+
+        // Now run it
+        encryptor.encrypt("test", TENANT_ID);
+    }
+
     // Helper method to prepare a valid IndexResponse
     private IndexResponse prepareIndexResponse() {
         ShardId shardId = new ShardId(ML_CONFIG_INDEX, "index_uuid", 0);