Merge branch 'main' into get-field-filter-optimization

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased 3.x]
 ### Added
+- Add support for Basic Authentication in webhook audit log sink using `plugins.security.audit.config.username` and `plugins.security.audit.config.password` ([#5792](https://github.com/opensearch-project/security/pull/5792))
 
 ### Changed
 - Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
@@ -23,7 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add support for X509 v3 extensions (SAN) for authentication  ([#5701](https://github.com/opensearch-project/security/pull/5701))
 - [Resource Sharing] Requires default_owner for resource/migrate API ([#5789](https://github.com/opensearch-project/security/pull/5789))
 - Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user ([#5777](https://github.com/opensearch-project/security/pull/5777))
-
+- Add --timeout (-to) as an option to securityadmin.sh ([#5787](https://github.com/opensearch-project/security/pull/5787))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -1827,14 +1827,14 @@ public List<Setting<?>> getSettings() {
             ); // not filtered here
             settings.add(
                 Setting.simpleString(
-                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME,
+                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_CONFIG_USERNAME,
                     Property.NodeScope,
                     Property.Filtered
                 )
             );
             settings.add(
                 Setting.simpleString(
-                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD,
+                    ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_CONFIG_PASSWORD,
                     Property.NodeScope,
                     Property.Filtered
                 )

src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java

@@ -83,8 +83,8 @@ public ExternalOpenSearchSink(
             ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH,
             ConfigConstants.OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT
         );
-        final String user = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME);
-        final String password = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD);
+        final String user = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_CONFIG_USERNAME);
+        final String password = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_CONFIG_PASSWORD);
 
         final HttpClientBuilder builder = HttpClient.builder(servers.toArray(new String[0]));
 

src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java

@@ -18,6 +18,7 @@
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
+import java.util.Base64;
 import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLContext;
 
@@ -60,6 +61,9 @@ public class WebhookSink extends AuditLogSink {
     WebhookFormat webhookFormat = null;
     final boolean verifySSL;
     final KeyStore effectiveTruststore;
+    private final String username;
+    private final String password;
+    private final String basicAuthHeader;
 
     public WebhookSink(
         final String name,
@@ -77,6 +81,19 @@ public WebhookSink(
         final String webhookUrl = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_URL);
         final String format = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_FORMAT);
 
+        // Read basic auth credentials
+        this.username = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_CONFIG_USERNAME);
+        this.password = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_CONFIG_PASSWORD);
+
+        // Generate Basic Auth header if credentials are provided
+        if (this.username != null && this.password != null) {
+            String credentials = this.username + ":" + this.password;
+            String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
+            this.basicAuthHeader = "Basic " + encodedCredentials;
+        } else {
+            this.basicAuthHeader = null;
+        }
+
         verifySSL = sinkSettings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true);
         httpClient = getHttpClient();
 
@@ -225,6 +242,12 @@ boolean get(AuditMessage msg) {
 
     protected boolean doGet(String url) {
         HttpGet httpGet = new HttpGet(url);
+
+        // Add Basic Auth header if credentials are configured
+        if (basicAuthHeader != null) {
+            httpGet.setHeader("Authorization", basicAuthHeader);
+        }
+
         CloseableHttpResponse serverResponse = null;
         try {
             serverResponse = httpClient.execute(httpGet);
@@ -280,6 +303,11 @@ protected boolean doPost(String url, String payload) {
 
         HttpPost postRequest = new HttpPost(url);
 
+        // Add Basic Auth header if credentials are configured
+        if (basicAuthHeader != null) {
+            postRequest.setHeader("Authorization", basicAuthHeader);
+        }
+
         StringEntity input = new StringEntity(payload, webhookFormat.contentType.withCharset(StandardCharsets.UTF_8));
         postRequest.setEntity(input);
 

src/main/java/org/opensearch/security/auth/http/saml/SamlFilesystemMetadataResolver.java

@@ -29,16 +29,7 @@ public class SamlFilesystemMetadataResolver extends FilesystemMetadataResolver {
 
     @Override
     protected byte[] fetchMetadata() throws ResolverException {
-        try {
-            return AccessController.doPrivilegedChecked(SamlFilesystemMetadataResolver.super::fetchMetadata);
-        } catch (Exception e) {
-
-            if (e instanceof ResolverException) {
-                throw (ResolverException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
-        }
+        return AccessController.doPrivilegedChecked(SamlFilesystemMetadataResolver.super::fetchMetadata);
     }
 
     private static File getMetadataFile(String filePath, Settings settings, Path configPath) {

src/main/java/org/opensearch/security/auth/http/saml/SamlHTTPMetadataResolver.java

@@ -37,15 +37,7 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
 
     @Override
     protected byte[] fetchMetadata() throws ResolverException {
-        try {
-            return AccessController.doPrivilegedChecked(SamlHTTPMetadataResolver.super::fetchMetadata);
-        } catch (Exception e) {
-            if (e instanceof ResolverException) {
-                throw (ResolverException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
-        }
+        return AccessController.doPrivilegedChecked(SamlHTTPMetadataResolver.super::fetchMetadata);
     }
 
     private static SettingsBasedSSLConfiguratorV4.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception {

src/main/java/org/opensearch/security/auth/ldap/util/LdapHelper.java

@@ -66,14 +66,8 @@ public static List<LdapEntry> search(
 
                 return entries;
             });
-        } catch (Exception e) {
-            if (e instanceof LdapException) {
-                throw (LdapException) e;
-            } else if (e instanceof RuntimeException) {
-                throw (RuntimeException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
+        } catch (InvalidNameException e) {
+            throw new RuntimeException(e);
         }
     }
 

src/main/java/org/opensearch/security/auth/ldap2/LDAPAuthenticationBackend2.java

@@ -87,17 +87,7 @@ public LDAPAuthenticationBackend2(final Settings settings, final Path configPath
 
     @Override
     public User authenticate(AuthenticationContext context) throws OpenSearchSecurityException {
-        try {
-            return AccessController.doPrivilegedChecked(() -> authenticate0(context));
-        } catch (Exception e) {
-            if (e instanceof OpenSearchSecurityException) {
-                throw (OpenSearchSecurityException) e;
-            } else if (e instanceof RuntimeException) {
-                throw (RuntimeException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
-        }
+        return AccessController.doPrivilegedChecked(() -> authenticate0(context));
     }
 
     private User authenticate0(AuthenticationContext context) throws OpenSearchSecurityException {
@@ -217,19 +207,7 @@ public Optional<User> impersonate(User user) {
     }
 
     private void authenticateByLdapServer(final Connection connection, final String dn, byte[] password) throws LdapException {
-        try {
-            AccessController.doPrivilegedChecked(
-                () -> connection.getProviderConnection().bind(new BindRequest(dn, new Credential(password)))
-            );
-        } catch (Exception e) {
-            if (e instanceof LdapException) {
-                throw (LdapException) e;
-            } else if (e instanceof RuntimeException) {
-                throw (RuntimeException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
-        }
+        AccessController.doPrivilegedChecked(() -> connection.getProviderConnection().bind(new BindRequest(dn, new Credential(password))));
     }
 
     private void authenticateByLdapServerWithSeparateConnection(final String dn, byte[] password) throws LdapException {

src/main/java/org/opensearch/security/auth/ldap2/LDAPAuthorizationBackend2.java

@@ -120,17 +120,7 @@ private static List<Map.Entry<String, Settings>> convertOldStyleSettingsToNewSty
 
     @Override
     public User addRoles(final User user, AuthenticationContext context) throws OpenSearchSecurityException {
-        try {
-            return AccessController.doPrivilegedChecked(() -> addRoles0(user, context));
-        } catch (Exception e) {
-            if (e instanceof OpenSearchSecurityException) {
-                throw (OpenSearchSecurityException) e;
-            } else if (e instanceof RuntimeException) {
-                throw (RuntimeException) e;
-            } else {
-                throw new RuntimeException(e);
-            }
-        }
+        return AccessController.doPrivilegedChecked(() -> addRoles0(user, context));
     }
 
     private User addRoles0(final User user, AuthenticationContext context) throws OpenSearchSecurityException {

src/main/java/org/opensearch/security/auth/ldap2/MakeJava9Happy.java

@@ -27,12 +27,7 @@ static ClassLoader getClassLoader() {
         }
 
         if (classLoader == null) {
-
-            try {
-                return AccessController.doPrivilegedChecked(() -> new Java9CL());
-            } catch (Exception e) {
-                throw new RuntimeException(e);
-            }
+            return AccessController.doPrivilegedChecked(() -> new Java9CL());
         }
 
         return classLoader;