From ed796a9b65bbfd6e230e2f3ee7b7efb95b5b4e9d Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 14:51:13 -0400 Subject: [PATCH 01/28] [2.x] Run BWC Tests with security plugin enabled Signed-off-by: Craig Perkins --- .github/actions/create-bwc-build/action.yaml | 4 ++-- .github/actions/run-bwc-suite/action.yaml | 3 +++ bwc-test/build.gradle | 5 ++--- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/actions/create-bwc-build/action.yaml b/.github/actions/create-bwc-build/action.yaml index bfe64ff59b..25a348bcc0 100644 --- a/.github/actions/create-bwc-build/action.yaml +++ b/.github/actions/create-bwc-build/action.yaml @@ -36,7 +36,7 @@ runs: uses: gradle/gradle-build-action@v2 with: cache-disabled: true - arguments: assemble -Dbuild.snapshot=false + arguments: assemble build-root-directory: ${{ inputs.plugin-branch }} - id: get-opensearch-version @@ -47,5 +47,5 @@ runs: - name: Copy current distro into the expected folder run: | mkdir -p ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }} - cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }} + cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}-SNAPSHOT.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }} shell: bash diff --git a/.github/actions/run-bwc-suite/action.yaml b/.github/actions/run-bwc-suite/action.yaml index 6771faddab..68f742b071 100644 --- a/.github/actions/run-bwc-suite/action.yaml +++ b/.github/actions/run-bwc-suite/action.yaml 
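Review bot: The new `cp` line hardcodes the `-SNAPSHOT` suffix into the artifact name, and the bwc-test/build.gradle hunk of this same patch appends the same literal in `extractVersion(...) + "-SNAPSHOT"`, so two files now independently assume a snapshot build and the release-style build the removed `-Dbuild.snapshot=false` used to produce would fail here with nothing better than a missing-file error. Consider deriving the name from what the assemble step actually wrote, e.g. a glob `opensearch-security-${{ steps.get-opensearch-version.outputs.version }}*.zip` matched the same way on the gradle side, or emit the suffix once as an action output that both consumers read. Separately, the `${{ inputs.plugin-branch }}` expansion is substituted into the `run:` script before bash parses it; if `plugin-branch` can ever carry a caller-supplied value (a PR head ref, say), route it through `env:` as `PLUGIN_BRANCH: ${{ inputs.plugin-branch }}` and reference `"$PLUGIN_BRANCH"` inside the script instead.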
@@ -35,6 +35,9 @@ runs: arguments: | bwcTestSuite -Dtests.security.manager=false + -Dtests.opensearch.secure=true + -Dtests.opensearch.username=admin + -Dtests.opensearch.password=admin -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }} -Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i build-root-directory: bwc-test diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 9b8d9fcc0a..2ae379bd5e 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -84,8 +84,8 @@ String baseName = "securityBwcCluster" String bwcFilePath = "src/test/resources/" String projectVersion = nextVersion -String previousOpenSearch = extractVersion(previousVersion); -String nextOpenSearch = extractVersion(nextVersion); +String previousOpenSearch = extractVersion(previousVersion) + "-SNAPSHOT"; +String nextOpenSearch = extractVersion(nextVersion) + "-SNAPSHOT"; // Extracts the OpenSearch version from a plugin version string, 2.4.0.0 -> 2.4.0. def String extractVersion(versionStr) { @@ -122,7 +122,6 @@ def String extractVersion(versionStr) { node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem")) node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem")) node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem")) - node.setting("plugins.security.disabled", "true") node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem") node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem") node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem") From a65a90195b289d4b15e356ddc162726e05dcdc1f Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:02:13 -0400 Subject: [PATCH 02/28] Add certs with IPv6 loopback address ::1 
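Review bot: The three added `-Dtests.opensearch.*` arguments put the demo `admin`/`admin` credentials into the workflow file and, since the same invocation runs with `-i`, presumably into the CI log as well; for a throwaway cluster seeded from the plugin's default internal users this is acceptable, but it silently couples the suite to that default. Keep the value in one place — a `with:` input or an `env:` entry such as `BWC_ADMIN_PASSWORD: admin` referenced as `-Dtests.opensearch.password=${{ env.BWC_ADMIN_PASSWORD }}` — and put a one-line comment above it saying it is the demo password of the test-only cluster, so nobody later reads it as a real secret or copies the pattern. Note also that `-Dbwc.version.previous`/`next` now receive the SNAPSHOT-suffixed versions that the build steps produce, which the gradle hunk of this patch assumes.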
Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 12 ++--- src/test/resources/bwc/esnode-key.pem | 28 +++++++++++ src/test/resources/bwc/esnode.pem | 50 +++++++++++++++++++ .../resources/bwc/generate_certificates.sh | 27 ++++++++++ src/test/resources/bwc/kirk-key.pem | 28 +++++++++++ src/test/resources/bwc/kirk.pem | 21 ++++++++ src/test/resources/bwc/root-ca-key.pem | 28 +++++++++++ src/test/resources/bwc/root-ca.pem | 25 ++++++++++ 8 files changed, 213 insertions(+), 6 deletions(-) create mode 100644 src/test/resources/bwc/esnode-key.pem create mode 100644 src/test/resources/bwc/esnode.pem create mode 100755 src/test/resources/bwc/generate_certificates.sh create mode 100644 src/test/resources/bwc/kirk-key.pem create mode 100644 src/test/resources/bwc/kirk.pem create mode 100644 src/test/resources/bwc/root-ca-key.pem create mode 100644 src/test/resources/bwc/root-ca.pem diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 2ae379bd5e..196d5e310e 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle 
@@ -117,11 +117,11 @@ def String extractVersion(versionStr) { plugins.remove(0) plugins.add(firstPlugin) - node.extraConfigFile("kirk.pem", file("src/test/resources/security/kirk.pem")) - node.extraConfigFile("kirk-key.pem", file("src/test/resources/security/kirk-key.pem")) - node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem")) - node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem")) - node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem")) + node.extraConfigFile("kirk.pem", file("src/test/resources/bwc/kirk.pem")) + node.extraConfigFile("kirk-key.pem", file("src/test/resources/bwc/kirk-key.pem")) + node.extraConfigFile("esnode.pem", file("src/test/resources/bwc/esnode.pem")) + node.extraConfigFile("esnode-key.pem", file("src/test/resources/bwc/esnode-key.pem")) + node.extraConfigFile("root-ca.pem", file("src/test/resources/bwc/root-ca.pem")) node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem") node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem") node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem") @@ -133,7 +133,7 @@ def String extractVersion(versionStr) { node.setting("plugins.security.allow_unsafe_democertificates", "true") node.setting("plugins.security.allow_default_init_securityindex", "true") node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de") - node.setting("plugins.security.audit.type", "internal_elasticsearch") + node.setting("plugins.security.audit.type", "internal_opensearch") node.setting("plugins.security.enable_snapshot_restore_privilege", "true") node.setting("plugins.security.check_snapshot_restore_write_privileges", "true") node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]") 
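Review bot: The five rewritten `extraConfigFile` lines resolve `src/test/resources/bwc/...` relative to the bwc-test project directory (Gradle's `file()`), but this patch's diffstat adds the certificates under the repository-root `src/test/resources/bwc/`, so at this commit the node config points at files that do not exist; the later "Move to bwc-test" patch in the series relocates them, so squashing the two would keep every commit bisectable. With a freshly generated CA the context line `node.setting("plugins.security.allow_unsafe_democertificates", "true")` is probably no longer needed — if that flag only gates the plugin's bundled demo certificates (worth confirming), set it to `"false"` so the BWC cluster does not additionally accept those publicly known keys. The `admin_dn` context line `CN=kirk,OU=client,O=client,L=test,C=de` still matches the subject `/C=de/L=test/O=client/OU=client/CN=kirk` generated in generate_certificates.sh; a comment such as `// must match the subject of kirk.pem (see generate_certificates.sh)` would make that coupling visible to whoever regenerates the certs.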
diff --git a/src/test/resources/bwc/esnode-key.pem b/src/test/resources/bwc/esnode-key.pem new file mode 100644 index 0000000000..8dd1db0923 --- /dev/null +++ b/src/test/resources/bwc/esnode-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1uCtmgJW3zlvo +6VM6dpGHH/vnj73x6Xi19I3FzVMSok6Bd3ZaUZ09jqy1xz58uUc4QJcPW79CdqjN +zEWRUkCyNBtgi21LGV0FY6tUtcm7Dh82Y0Jpk8DPzw6WgUIDqfp2Zr4ric88asaI +R7dzjr7NTlIKKjcC+zuo1NqgYg0ElYtOof2wdxZ/17akOQmLAKrdDwtYfBgbBkYD +PDvAYNYVM7+DhWhtLbjizskc20u1En4UikWWwq+1mWR2DyvDoRuRtem//JYmK7+B +YzXV6aTm7Erw8KAWpUL5F7HcgmGWHOIPEPNfskB1egdKoTdDRosKOOVxHVAr7+fj +Wj8610BJAgMBAAECggEACJy44LHXDYctD3/GDAGF3j+Pu7D9DlKJiY8VvP4SUE/i +AoWmX0oHAdZTVVezZ/mydlVFNiOYE4NHLVdghNRmMhjDcOHSJdSwvvScV667cFPx +Yh2egUbNdjsinsHPB4PYpHe7aJk+6zYu2S3yTxmMtHNvSq3qGa+miqdTNlXZcPSf +RWh9iXrk+XDkq8iFknI7U8NNoVXkk0UyNpw0o0CG/Vh6k6HnIR6CwOy3asxdaKug +Jqndm5MyvCy/NOknsjA6eJwwJDEZg4ARzalyEpT5jxoQHngFRI6+9hRUPZC8tD+6 +osg5IB0iLp7JR4TYe+CVOups/a3J2jLqbPbSm5j3UQKBgQD8mcw+JY2VwVXx1dQr +BixMuuT7fIX0H0yb9sAKq4/LQlAfWT6DBgbLy2r+Z09SQ5m69H6aqn/gqhUI/7Jk +DpZfIZz8OXgj8E/+1I/dCdVdxPFoywTViUgzsJNC6G3Oxc3xC8AUqObzVyJRhIWw +Mel5nfo3WsK7BnDNWjA5noOMNQKBgQD5Bqpmf2J8lUkHRCzFOS1UcBvdMJrfiPUf +32mp14A23E9n+2okCQRkEjXyqYjUqTFXxFIS2zsVjRROy5TFjSa/dwuU4W74Gygs +XY6cqsAeHFaU9zVEFFPc7W44Icb5dd/Ww+quTqvW5ddUx1HNpXkHq889n3YptdmH +/iie6yteRQKBgQDPjySncD4N7sZLKBPlonXmOrALAYAkX0+Y3EFiwyQttXiWucNG +8D3HWYe6MXOZOhjo6RvaxPy8w6TzNwADfYUL+FfBXQueJEnnMAxiaUEcgsaHAEMh +n2NnrdDjao9IF3sodSpJD5xuGYwGhalAZVLebvP6ZiaafSlVY6U6w0h+fQKBgQDR +4XdOacBU5fElyaS+GIGG7/HcC3IMQj7uPPquJa2vDyFxruj3NA5aVSrYuWBUc8Dd +it3tfI4gjMX33wclNODab/f348QGIcVLFxLyIctH1XR3mp5vIX7I7ed+MaGkcF9W +f8rUXAPiW9aPYmokm3kVKQ3Cjxok71pGjsQnpGbpzQKBgAqd1RwnhotvkcldmLEq +AB3Ayb0XhsJLl0ubyf37DodPsIdMlSPKyg4YnYRpnrATeGVweS9rxdmDDnsvtEEv +8E+/RhSn9temcZV7J8M4uQlZBDHbyL8Q5g3Bg/mq2fAMS0szaAcAqS+CXJ1UnDYd +UaMFpGE7ajMoVZOg8ItfEAGn +-----END PRIVATE KEY----- 
diff --git a/src/test/resources/bwc/esnode.pem b/src/test/resources/bwc/esnode.pem new file mode 100644 index 0000000000..76c52035ed --- /dev/null +++ b/src/test/resources/bwc/esnode.pem 
@@ -0,0 +1,50 @@ +-----BEGIN CERTIFICATE----- +MIIEITCCAwmgAwIBAgIUGPqmZdMIOqjgbQ0nRdJ2F/VUkPgwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NTA3WhcNMzMwODA3MjExNTA3WjBXMQswCQYDVQQGEwJkZTENMAsGA1UEBwwEdGVz +dDENMAsGA1UECgwEbm9kZTENMAsGA1UECwwEbm9kZTEbMBkGA1UEAwwSbm9kZS0w +LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bgr +ZoCVt85b6OlTOnaRhx/754+98el4tfSNxc1TEqJOgXd2WlGdPY6stcc+fLlHOECX +D1u/QnaozcxFkVJAsjQbYIttSxldBWOrVLXJuw4fNmNCaZPAz88OloFCA6n6dma+ +K4nPPGrGiEe3c46+zU5SCio3Avs7qNTaoGINBJWLTqH9sHcWf9e2pDkJiwCq3Q8L +WHwYGwZGAzw7wGDWFTO/g4VobS244s7JHNtLtRJ+FIpFlsKvtZlkdg8rw6EbkbXp +v/yWJiu/gWM11emk5uxK8PCgFqVC+Rex3IJhlhziDxDzX7JAdXoHSqE3Q0aLCjjl +cR1QK+/n41o/OtdASQIDAQABo4GMMIGJMEcGA1UdEQRAMD6CEm5vZGUtMC5leGFt +cGxlLmNvbYIJbG9jYWxob3N0hxAAAAAAAAAAAAAAAAAAAAABhwR/AAABiAUqAwQF +BTAdBgNVHQ4EFgQUwEDN1zWWQ4ULvKofWCRi+a/uTt8wHwYDVR0jBBgwFoAU6bJR +I4km9IzZNac3Yt+Jyn9KkskwDQYJKoZIhvcNAQELBQADggEBAJd/5+cVSmsL2Gx4 +Dq36U4XOHfUSIVJUuOuu19ZxQ5a9ObUfNX0gSLXbcWnLcdOCUgN4OutjxUw16FeL +G9t2tT/dKbJZiCkF0QPorugNGeeMt0fExRQ3D0a8OisGdqYurcHxVDjViyWurh1B +ETFU6Gm2E1Rya3zCrW5wEll2GSNe1Xdc+1ANh1mW8E8TbzX3vhY6gXu9o8uNCXLU +N0JE0ggugkOBLSSP9MbFvQDWWAY7nMaQxuXwULyiXMSm2QQOOlNqcGMASWo7sWij +ELDpYc5XPVplpQObdTkEFrooHe7oBl91WZ9oY9iu/H2Yx6HS/zJs6knZvwNxz3uY +ZcvdYXw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG 
+CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x +ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh +bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw +CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE +vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f +OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 +uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P +UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm +ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G +A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C +AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G +XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n +Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto +KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ +FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x +p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= +-----END CERTIFICATE----- diff --git a/src/test/resources/bwc/generate_certificates.sh b/src/test/resources/bwc/generate_certificates.sh new file mode 100755 index 0000000000..1b57136cff --- /dev/null +++ b/src/test/resources/bwc/generate_certificates.sh 
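Review bot: Decoding the validity fields of the new esnode.pem gives notBefore 2023-08-10 and notAfter 2033-08-07 (the `-days 3650` from the commented-out signing command in generate_certificates.sh), whereas the root CA appended as the second certificate in this same file runs only from 2023-08-10 to 2025-08-09 (`-days 730`). Chain validation fails as soon as the issuer expires, so the node certificate's extra eight years buy nothing and the BWC cluster stops forming in August 2025 together with kirk.pem; either issue the leaves with `-days 730` and plan a regeneration, or give the root the longer `-days 3650` and keep every leaf shorter than it. Bundling the root into esnode.pem is harmless here because `pemtrustedcas_filepath` points at root-ca.pem separately, but if the chain file is intentional the script should produce it rather than leaving it as a hand-made artifact.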
@@ -0,0 +1,27 @@ +#!/bin/sh +# Root CA + +openssl genrsa -out root-ca-key.pem 2048 +openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:1 -new -x509 -sha256 -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA, CN = Example Com Inc. Root CA" -out root-ca.pem -days 730 + +# kirk cert +openssl genrsa -out kirk-key-temp.pem 2048 +openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk-key.pem +openssl req -new -key kirk-key.pem -subj "/C=de/L=test/O=client/OU=client/CN=kirk" -out kirk.csr +openssl x509 -req -in kirk.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kirk.pem -days 730 + + +openssl genrsa -out esnode-key-temp.pem 2048 +openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out esnode-key.pem +openssl req -new -key esnode-key.pem -subj "/C=de/L=test/O=node/OU=node/CN=node-0.example.com" -out esnode.csr +# openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-0.example.com,DNS:localhost,IP:::1,IP:127.0.0.1,RID:1.2.3.4.5.5") -in esnode.csr -out esnode.pem -CA root-ca.pem -CAkey root-ca-key.pem + + +# Cleanup +rm kirk-key-temp.pem +rm kirk.csr +rm signing-key-temp.pem +rm signing.csr +# rm esnode-key-temp.pem +# rm esnode.csr +# rm esnode.ext \ No newline at end of file diff --git a/src/test/resources/bwc/kirk-key.pem b/src/test/resources/bwc/kirk-key.pem new file mode 100644 index 0000000000..d9405abfe5 --- /dev/null +++ b/src/test/resources/bwc/kirk-key.pem 
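Review bot: As committed the script cannot reproduce the checked-in esnode.pem: the only signing command for it is commented out, and that command relies on `<(printf ...)` process substitution, which `#!/bin/sh` does not provide. The cleanup also runs `rm signing-key-temp.pem` and `rm signing.csr` for files no step creates, so without `set -e` the script ends in errors while leaving esnode-key-temp.pem, esnode.csr and root-ca.srl behind, and `-v1 PBE-SHA1-3DES` is ignored once `-nocrypt` is given. I would switch the shebang to bash with `set -euo pipefail`, write the SAN plus `extendedKeyUsage`/`basicConstraints` lines to a real extfile, sign with the same `-days` as the root so the leaf cannot outlive its issuer, append the root if the committed chain file is intentional, and clean up with one `rm -f`; the rewritten tail is below. A header comment should also state that these keys, root-ca-key.pem included, are throwaway test fixtures and must never be reused outside bwc-test.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: root CA and kirk generation …

openssl genrsa -out esnode-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -out esnode-key.pem
openssl req -new -key esnode-key.pem -subj "/C=de/L=test/O=node/OU=node/CN=node-0.example.com" -out esnode.csr
printf 'subjectAltName=DNS:node-0.example.com,DNS:localhost,IP:::1,IP:127.0.0.1,RID:1.2.3.4.5.5\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' > esnode.ext
openssl x509 -req -in esnode.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -extfile esnode.ext -out esnode.pem -days 730
cat root-ca.pem >> esnode.pem

# Cleanup
rm -f kirk-key-temp.pem kirk.csr esnode-key-temp.pem esnode.csr esnode.ext root-ca.srl
```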
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDu8gQ5Sl7I1h1m +AfGxFfdcBAwz3zsta1nzJzkWdwDeSa1NFAVOke8dOHFHnbsaYMJuCBh9t7NbcHiX +e8A7CGX7XfwBZHhLNEU6Yjq8rfVoP5ySPyk80nGen56+dmeli0B+BC4GDCO4J8Hm +DdTnYtdWGK6NzOceJpbAXywtixLly6H+aYGE9MBcBtOJuVHzEvVUP/xGToCIDdi2 +wsoySoqbyTbWFB6t3LUlir9qVIn05EdzurmTUVNXIzL0BFUGiejqxE7uHEu3O7ro +Pr47y3rZ6jSgt5ynrQr2ng1qxiY3bB9l4Xqs2wbNe1isS5H533s7REsq57ma1w2y +aDpvR1SzAgMBAAECggEABngmiAxn9t7+big4FkzKLtv7CsB+HvwmjJ3KtQxPBI5R +CUA1Ic5zsKmwUe+uLCqUzL2yS3DFIYriF7rxx6xPiZ9GL6d3GzycDzklxwv/AEaQ +oOQcvI83murYNYRiZnjJGCVFmDAq4FVO7N7uOtLIL8FBoJwkJhZydL9e6V+Gzf6r +B42P8VSmd+xyDg/9r6l69nNB7zSz+wF6UCphhkNtjc/pZS3/Z+gL2Q1LkP/9txkK +Arh9bdptPxWI0fPQYJSTfdbSW6AyJDCpptqDvhG5mYFBP2uQKHXDY1E4HH65vHp2 ++lS0AEK7NsY0u0/JPcyAvpomo2tnmfUb/3I8RtLrYQKBgQD5lykdqlghDajR7POK +RIeX/T185cc1IKMYIOzbT9sB9NbUq0dM5HHz/RqJybj7Dd+s8EKj6i/daTOfQ1Hk +FGshE8m3yBY7wYx1AzA9cgxZjC12q7+1s9rR66fQ0ycpoITuwI8uVEUgmYxZBYvw +yc2XrEWi4EQpwmftCWTmk8/IQwKBgQD1FN+qRpl/2VbI1sDpMVKYsQRUKSgoKkRU +Ov9XK1LkzGFP+a287NJB8sqomwXGXngTJr0gYy2N58N8osQmjcRMac5WBuFT8k5J +jJpaZKcx4mUrVMtknOmEeeN8U1XzMXh/j4Ps6yy1oZbATm7MzsbBBz8ofgRVmEBH +H69G9r1y0QKBgG/j+Ca4avHGcdxKYZOmzTKx8JLBX+DNVNBIUmavEft6i6SjdD9g +WkWLPg5vRGIoAhJBU16waezUcLQBNgENtkkJ2fBt3qnDRvheCY5CRo8ObIM606Ld +kkdxYbYYMwJSV8XAxW97j9HhhC2UcvvrPCO2szElYOlnobd98qH7ubaJAoGBAO0/ +Qa2CHoInEN3nFmQnfP+XDMuz88297NtlKV1m8R3Pw7w5xTgIQRnaQNirCRIYzUAs +1hSOLcEbRKBYqG1x+z7Fhhq9Gk+7VpHYbGto2Hlv4ePqd+J0C5JUtCTcP23my/Eg +KuOkXWmOfXK3+oaE/N5Ld5ZpNyTs9/xh7blSjd6hAoGBANuixtW8ZxxNvA8AEhIc +NqRcLfQJgjSGY82PffDura0C1gXrfNRaz6gvFDU9oIYNrllG5uf/qITkKBoQzJuA +q330xqf18B0Gp6p/TaqAU48LBi6hLBsuEvsMVOrpJNfBN97SeXWw3wmmz11YDdF1 +Jpv7Qh0XM/NaSDjMN1ILQNQ2 +-----END PRIVATE KEY----- diff --git a/src/test/resources/bwc/kirk.pem b/src/test/resources/bwc/kirk.pem new file mode 100644 index 0000000000..681c4cb79d --- /dev/null +++ b/src/test/resources/bwc/kirk.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmsCFBj6pmXTCDqo4G0NJ0XSdhf1VJD3MA0GCSqGSIb3DQEBCwUAMIGu +MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZ +MBcGA1UECgwQRXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20g +SW5jLiBSb290IENBMUAwPgYDVQQDDDdFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0Es +IENOID0gRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTIzMDgxMDIxMTQ1MVoX +DTI1MDgwOTIxMTQ1MVowTTELMAkGA1UEBhMCZGUxDTALBgNVBAcMBHRlc3QxDzAN +BgNVBAoMBmNsaWVudDEPMA0GA1UECwwGY2xpZW50MQ0wCwYDVQQDDARraXJrMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7vIEOUpeyNYdZgHxsRX3XAQM +M987LWtZ8yc5FncA3kmtTRQFTpHvHThxR527GmDCbggYfbezW3B4l3vAOwhl+138 +AWR4SzRFOmI6vK31aD+ckj8pPNJxnp+evnZnpYtAfgQuBgwjuCfB5g3U52LXVhiu +jcznHiaWwF8sLYsS5cuh/mmBhPTAXAbTiblR8xL1VD/8Rk6AiA3YtsLKMkqKm8k2 +1hQerdy1JYq/alSJ9ORHc7q5k1FTVyMy9ARVBono6sRO7hxLtzu66D6+O8t62eo0 +oLecp60K9p4NasYmN2wfZeF6rNsGzXtYrEuR+d97O0RLKue5mtcNsmg6b0dUswID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEW7neR3+hpQSnkvwIM0lUua/uFjIqNCf8 +4syKeYqyl/2fLVTx2NdXzSeMcMOa03xt2pSuRT2m1qhrtajEUNHwtlaNOUSXQFpz +BRliDug4oKKNlssKZTbY2DsmfsKrucrbeGxPxIoJlBB4ryx0Z6XlhtVDIc90mInY +d6hQG7jVhTStSGtz1pRp5Ze/3TgA7rcKH1jgGkawVBwDsBeR9rvRncQ6kuLR8/8z +o9HLSWD74syp7v22BfmhEEIDHz+x4iAbJ6r/5VOwuCvIVbPRggmkaW4b7YLgfQo0 +YsIUj2TTWBTx6SVHrbZ/uTWakYE70BQWv7WpTWDQ/DzMih8EGprv +-----END CERTIFICATE----- diff --git a/src/test/resources/bwc/root-ca-key.pem b/src/test/resources/bwc/root-ca-key.pem new file mode 100644 index 0000000000..cc32481482 --- /dev/null +++ b/src/test/resources/bwc/root-ca-key.pem 
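Review bot: The new kirk.pem is an X.509 v1 certificate with no extensions (the DER has no version field and ends right after the public key), which is exactly what `openssl x509 -req` produces without `-extfile`; it therefore carries neither `basicConstraints=CA:FALSE` nor `extendedKeyUsage=clientAuth`. The plugin identifies the admin by matching `admin_dn` against the subject, so it likely still works, but stricter validators (OpenSSL with X509_STRICT, or a tightened Java PKIX policy) reject v1 end-entity certificates. Sign it with an extfile containing `basicConstraints=CA:FALSE`, `keyUsage=digitalSignature`, `extendedKeyUsage=clientAuth` so it stays a pure client-authentication credential, and give it the same lifetime discipline as the node cert.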
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCq2bb3zmYpqNGF +sAlqi3ro5xCE8UMhTPiyqcO74XL7tscBWFLE/ZcdzmmSo4r0+YnCqCkVwfeWigMF +BL76rz/DIO/2USBusx/dKDKEYwA1DMdXh05uv8uUe2KhE3xY9Y70cCJFR/l1Jjzd +nzpE7bGBp3yNqq3/fa5oHeTgdCmYa4J+DWkxv1G19x5czloanS9auYiRTkycFw1E +ObsPzhtrfM54McaztoVwnPFgP7jOj64F4ZGat7NNwvdf9MBbHACcoGBjwDzM3i+/ +D1KhYrj8t12ipxFX48VWq7lWhKRvquZZuGuvyoCNjpUfyhMQq/lzkM78D3R60kkE +JmbITsXdAgMBAAECggEAI4umUIpFoRc5eEn2u48HZFtmiXI0mEIOYAWH7pfqN0qA +vtvkZI2qGg5u0o5qA6vDKJeZ7KftXgmatTmWjktVxcAdjK62Q7HKyFVrpTV/vonJ +E4HYJJyMu3isPXzzWwLD2kFWL/nYgbIR6b4N/ndBfgsdk8/V4ZkBZzIJA1XHrakh +dSE9gQEcYv9+k1G26jFtiAPQ8P6Lwylk99s5iJ6XmEtHju9A7nHixoX4s+8YJ5Fr +vPnGEeegfG9LuaP8QmVyBpM22DajJ/KtndaCcO5qWK2qN05q1x1i561jQODRFC6a +z+qmH7MuWpBmNe/VirFy3wZErAKz9lJyqxor5OhVQQKBgQDUrW4zS/OY5Vr1hmAE +cZuFaa87aoOZTouZNZahIWtZE39ziirmb4g1k2dWubONW9fIodfw2cbDxVMkSHRS +paeia6SoAApFTb/mFEzGOa+524b2NVuHYfh5ZzbXM7wbqpvJt9SG0ZstJGVWZDaN +3dprnscJC1I62lDrATYx4/Fz0QKBgQDNpx2X5k9Y+/IGzTnHRU2/BI9X5P6LF4aI +JFZvThSmdvPNJ3a49OpXcQzWwHYNBRQ+3bD9Q+KaVHPNSpz8zmmQc8MfuGDCCFSm +ccZaxh9X1zu6OeU642I8uexGta3knjziy4GWFKCTruDLtZ+orHtr6g7QuxwwzVoD +utz/6CvwTQKBgQDImwIcXqLacFSYzPQanPJ+KA7Cs5iH7d+dVz/KotQ3xD1uxT/r +9f370xshYa5sQtpKA+bE5xYmKSVgTvtxzZFOkcxRLyCA+HJu2m0EePs5C0nFSNUZ +4R5XnTTMTp87VXT3E2/i7yk4rmDr2UDgFghlhPHmpQgePTkgQhdVfdWNUQKBgGyk +gm/CzdxWjU+mj4WESURGZmuqoAZfEUVO3RLEDwi6AqY42PFxAXPcV0oENtk9+6oS +d/P0LvwU7XBgoHq1mPMlFMnnH8ahnAaqSH2f+OLw467H8x+fDEDEf9wDErCaH9Q4 +amcc0o/ybPNxKb10EWe7KMSAdK4bbhhWWXYf80ZpAoGBAMd4kVJcPV7SB7v4pFZS +ChMXK3BEKAjL7FC+JqW1LsDmoToIBJg6s+632A0GWxbR8xYXHqxEhQfP77e+EJZr +PR24ZzT89Zvp86n5NTBzR2ETF/ELrIBndu77RecJsfxpqcFVtcBKSPpbC2WhS5b7 +BEoEP10H08sPGPeqcA54aXCM +-----END PRIVATE KEY----- diff --git a/src/test/resources/bwc/root-ca.pem b/src/test/resources/bwc/root-ca.pem new file mode 100644 index 0000000000..ed97e17ec8 --- /dev/null +++ b/src/test/resources/bwc/root-ca.pem 
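Review bot: This adds the root CA's unencrypted private key to the repository, so anyone with read access can mint node or `admin_dn` certificates that every BWC test node will trust. That is tolerable only because the CA is a throwaway test fixture, and it must stay that way: nothing outside bwc-test should ever add this root to a trust store, and the key is not needed at test runtime anyway (build.gradle only copies root-ca.pem), so regenerating the whole set from generate_certificates.sh on expiry instead of keeping the key in the tree would be the cleaner option. If a secret scanner runs on this repository it will flag the `BEGIN PRIVATE KEY` block; add an explicit allow-list entry or a README line in the resources directory stating that root-ca-key.pem, kirk-key.pem and esnode-key.pem are test-only keys produced by that script, rather than leaving the next reader to guess.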
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG +CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x +ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh +bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw +CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE +vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f +OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 +uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P +UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm +ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G +A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C +AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G +XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n +Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto +KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ +FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x +p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= +-----END CERTIFICATE----- From 96f590b0330941c016af759a84467cf9225fe84b Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:08:33 -0400 Subject: [PATCH 03/28] Move to bwc-test 
Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 10 +-- .../test/resources/security/esnode-key.pem | 52 ++++++------ .../src/test/resources/security/esnode.pem | 74 ++++++++++++------ .../security}/generate_certificates.sh | 0 .../src/test/resources/security/kirk-key.pem | 52 ++++++------ bwc-test/src/test/resources/security/kirk.pem | 43 +++++----- .../test/resources/security}/root-ca-key.pem | 0 .../src/test/resources/security/root-ca.pem | 45 +++++------ .../src/test/resources/security/sample.pem | 28 ------- .../src/test/resources/security/test-kirk.jks | Bin 3874 -> 0 bytes src/test/resources/bwc/esnode-key.pem | 28 ------- src/test/resources/bwc/esnode.pem | 50 ------------ src/test/resources/bwc/kirk-key.pem | 28 ------- src/test/resources/bwc/kirk.pem | 21 ----- src/test/resources/bwc/root-ca.pem | 25 ------ 15 files changed, 147 insertions(+), 309 deletions(-) rename {src/test/resources/bwc => bwc-test/src/test/resources/security}/generate_certificates.sh (100%) rename {src/test/resources/bwc => bwc-test/src/test/resources/security}/root-ca-key.pem (100%) delete mode 100644 bwc-test/src/test/resources/security/sample.pem delete mode 100644 bwc-test/src/test/resources/security/test-kirk.jks delete mode 100644 src/test/resources/bwc/esnode-key.pem delete mode 100644 src/test/resources/bwc/esnode.pem delete mode 100644 src/test/resources/bwc/kirk-key.pem delete mode 100644 src/test/resources/bwc/kirk.pem delete mode 100644 src/test/resources/bwc/root-ca.pem diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 196d5e310e..25ce7cddd4 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle 
@@ -117,11 +117,11 @@ def String extractVersion(versionStr) { plugins.remove(0) plugins.add(firstPlugin) - node.extraConfigFile("kirk.pem", file("src/test/resources/bwc/kirk.pem")) - node.extraConfigFile("kirk-key.pem", file("src/test/resources/bwc/kirk-key.pem")) - node.extraConfigFile("esnode.pem", file("src/test/resources/bwc/esnode.pem")) - node.extraConfigFile("esnode-key.pem", file("src/test/resources/bwc/esnode-key.pem")) - node.extraConfigFile("root-ca.pem", file("src/test/resources/bwc/root-ca.pem")) + node.extraConfigFile("kirk.pem", file("src/test/resources/security/kirk.pem")) + node.extraConfigFile("kirk-key.pem", file("src/test/resources/security/kirk-key.pem")) + node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem")) + node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem")) + node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem")) node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem") node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem") node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem") diff --git a/bwc-test/src/test/resources/security/esnode-key.pem b/bwc-test/src/test/resources/security/esnode-key.pem index 4ac2cb57a7..8dd1db0923 100644 --- a/bwc-test/src/test/resources/security/esnode-key.pem +++ b/bwc-test/src/test/resources/security/esnode-key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCWvn+O+rywfgMC -ud24mAclMDfuNA/IzCKLxl5usIE/PvUm7PPfXQ14LfQhNQXqOuaD9fiVM+HO1BzK -wmN3j4g7eHInR1cxENoNGKFa0Fr9EXnUv8sfwyobPD8NTu9eaH7T+d6f9oow+Q4n -xb9Xin5IRR/pcJ8v7zEjcXpZaZejcSU4iVZ0PR2Di4H9rfe9SEyR5wLrsVBePB3L -jaL1uK4bZF3n/JGgDe3BNy1PgPU+O+FCzQipBBTyJWQCjd4iTRXVbMa01PglAR85 -O9w6NXApBLyWdGRY6dGd8vMC2P4KlhnxlcgPZdglKniGTX+eTzT7Rszq77zjYrou -PLwSh9S7AgMBAAECggEABwiohxFoEIwws8XcdKqTWsbfNTw0qFfuHLuK2Htf7IWR -htlzn66F3F+4jnwc5IsPCoVFriCXnsEC/usHHSMTZkL+gJqxlNaGdin6DXS/aiOQ -nb69SaQfqNmsz4ApZyxVDqsQGkK0vAhDAtQVU45gyhp/nLLmmqP8lPzMirOEodmp -U9bA8t/ttrzng7SVAER42f6IVpW0iTKTLyFii0WZbq+ObViyqib9hVFrI6NJuQS+ -IelcZB0KsSi6rqIjXg1XXyMiIUcSlhq+GfEa18AYgmsbPwMbExate7/8Ci7ZtCbh -lx9bves2+eeqq5EMm3sMHyhdcg61yzd5UYXeZhwJkQKBgQDS9YqrAtztvLY2gMgv -d+wOjb9awWxYbQTBjx33kf66W+pJ+2j8bI/XX2CpZ98w/oq8VhMqbr9j5b8MfsrF -EoQvedA4joUo8sXd4j1mR2qKF4/KLmkgy6YYusNP2UrVSw7sh77bzce+YaVVoO/e -0wIVTHuD/QZ6fG6MasOqcbl6hwKBgQC27cQruaHFEXR/16LrMVAX+HyEEv44KOCZ -ij5OE4P7F0twb+okngG26+OJV3BtqXf0ULlXJ+YGwXCRf6zUZkld3NMy3bbKPgH6 -H/nf3BxqS2tudj7+DV52jKtisBghdvtlKs56oc9AAuwOs37DvhptBKUPdzDDqfys -Qchv5JQdLQKBgERev+pcqy2Bk6xmYHrB6wdseS/4sByYeIoi0BuEfYH4eB4yFPx6 -UsQCbVl6CKPgWyZe3ydJbU37D8gE78KfFagtWoZ56j4zMF2RDUUwsB7BNCDamce/ -OL2bCeG/Erm98cBG3lxufOX+z47I8fTNfkdY2k8UmhzoZwurLm73HJ3RAoGBAKsp -6yamuXF2FbYRhUXgjHsBbTD/vJO72/yO2CGiLRpi/5mjfkjo99269trp0C8sJSub -5PBiSuADXFsoRgUv+HI1UAEGaCTwxFTQWrRWdtgW3d0sE2EQDVWL5kmfT9TwSeat -mSoyAYR5t3tCBNkPJhbgA7pm4mASzHQ50VyxWs25AoGBAKPFx9X2oKhYQa+mW541 -bbqRuGFMoXIIcr/aeM3LayfLETi48o5NDr2NDP11j4yYuz26YLH0Dj8aKpWuehuH -uB27n6j6qu0SVhQi6mMJBe1JrKbzhqMKQjYOoy8VsC2gdj5pCUP/kLQPW7zm9diX -CiKTtKgPIeYdigor7V3AHcVT +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1uCtmgJW3zlvo +6VM6dpGHH/vnj73x6Xi19I3FzVMSok6Bd3ZaUZ09jqy1xz58uUc4QJcPW79CdqjN +zEWRUkCyNBtgi21LGV0FY6tUtcm7Dh82Y0Jpk8DPzw6WgUIDqfp2Zr4ric88asaI +R7dzjr7NTlIKKjcC+zuo1NqgYg0ElYtOof2wdxZ/17akOQmLAKrdDwtYfBgbBkYD 
+PDvAYNYVM7+DhWhtLbjizskc20u1En4UikWWwq+1mWR2DyvDoRuRtem//JYmK7+B +YzXV6aTm7Erw8KAWpUL5F7HcgmGWHOIPEPNfskB1egdKoTdDRosKOOVxHVAr7+fj +Wj8610BJAgMBAAECggEACJy44LHXDYctD3/GDAGF3j+Pu7D9DlKJiY8VvP4SUE/i +AoWmX0oHAdZTVVezZ/mydlVFNiOYE4NHLVdghNRmMhjDcOHSJdSwvvScV667cFPx +Yh2egUbNdjsinsHPB4PYpHe7aJk+6zYu2S3yTxmMtHNvSq3qGa+miqdTNlXZcPSf +RWh9iXrk+XDkq8iFknI7U8NNoVXkk0UyNpw0o0CG/Vh6k6HnIR6CwOy3asxdaKug +Jqndm5MyvCy/NOknsjA6eJwwJDEZg4ARzalyEpT5jxoQHngFRI6+9hRUPZC8tD+6 +osg5IB0iLp7JR4TYe+CVOups/a3J2jLqbPbSm5j3UQKBgQD8mcw+JY2VwVXx1dQr +BixMuuT7fIX0H0yb9sAKq4/LQlAfWT6DBgbLy2r+Z09SQ5m69H6aqn/gqhUI/7Jk +DpZfIZz8OXgj8E/+1I/dCdVdxPFoywTViUgzsJNC6G3Oxc3xC8AUqObzVyJRhIWw +Mel5nfo3WsK7BnDNWjA5noOMNQKBgQD5Bqpmf2J8lUkHRCzFOS1UcBvdMJrfiPUf +32mp14A23E9n+2okCQRkEjXyqYjUqTFXxFIS2zsVjRROy5TFjSa/dwuU4W74Gygs +XY6cqsAeHFaU9zVEFFPc7W44Icb5dd/Ww+quTqvW5ddUx1HNpXkHq889n3YptdmH +/iie6yteRQKBgQDPjySncD4N7sZLKBPlonXmOrALAYAkX0+Y3EFiwyQttXiWucNG +8D3HWYe6MXOZOhjo6RvaxPy8w6TzNwADfYUL+FfBXQueJEnnMAxiaUEcgsaHAEMh +n2NnrdDjao9IF3sodSpJD5xuGYwGhalAZVLebvP6ZiaafSlVY6U6w0h+fQKBgQDR +4XdOacBU5fElyaS+GIGG7/HcC3IMQj7uPPquJa2vDyFxruj3NA5aVSrYuWBUc8Dd +it3tfI4gjMX33wclNODab/f348QGIcVLFxLyIctH1XR3mp5vIX7I7ed+MaGkcF9W +f8rUXAPiW9aPYmokm3kVKQ3Cjxok71pGjsQnpGbpzQKBgAqd1RwnhotvkcldmLEq +AB3Ayb0XhsJLl0ubyf37DodPsIdMlSPKyg4YnYRpnrATeGVweS9rxdmDDnsvtEEv +8E+/RhSn9temcZV7J8M4uQlZBDHbyL8Q5g3Bg/mq2fAMS0szaAcAqS+CXJ1UnDYd +UaMFpGE7ajMoVZOg8ItfEAGn -----END PRIVATE KEY----- diff --git a/bwc-test/src/test/resources/security/esnode.pem b/bwc-test/src/test/resources/security/esnode.pem index 7ba92534e4..76c52035ed 100644 --- a/bwc-test/src/test/resources/security/esnode.pem +++ b/bwc-test/src/test/resources/security/esnode.pem 
@@ -1,28 +1,50 @@ -----BEGIN CERTIFICATE----- -MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm -iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ -RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 -IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy -MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL -BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV -BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt -9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8 -Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL -gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl -ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq -eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw -gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB -GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs -ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw -HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv -78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg -MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq -AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI -hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0 -5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy -8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr -XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA -1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t -e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs= +MIIEITCCAwmgAwIBAgIUGPqmZdMIOqjgbQ0nRdJ2F/VUkPgwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl 
+IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NTA3WhcNMzMwODA3MjExNTA3WjBXMQswCQYDVQQGEwJkZTENMAsGA1UEBwwEdGVz +dDENMAsGA1UECgwEbm9kZTENMAsGA1UECwwEbm9kZTEbMBkGA1UEAwwSbm9kZS0w +LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bgr +ZoCVt85b6OlTOnaRhx/754+98el4tfSNxc1TEqJOgXd2WlGdPY6stcc+fLlHOECX +D1u/QnaozcxFkVJAsjQbYIttSxldBWOrVLXJuw4fNmNCaZPAz88OloFCA6n6dma+ +K4nPPGrGiEe3c46+zU5SCio3Avs7qNTaoGINBJWLTqH9sHcWf9e2pDkJiwCq3Q8L +WHwYGwZGAzw7wGDWFTO/g4VobS244s7JHNtLtRJ+FIpFlsKvtZlkdg8rw6EbkbXp +v/yWJiu/gWM11emk5uxK8PCgFqVC+Rex3IJhlhziDxDzX7JAdXoHSqE3Q0aLCjjl +cR1QK+/n41o/OtdASQIDAQABo4GMMIGJMEcGA1UdEQRAMD6CEm5vZGUtMC5leGFt +cGxlLmNvbYIJbG9jYWxob3N0hxAAAAAAAAAAAAAAAAAAAAABhwR/AAABiAUqAwQF +BTAdBgNVHQ4EFgQUwEDN1zWWQ4ULvKofWCRi+a/uTt8wHwYDVR0jBBgwFoAU6bJR +I4km9IzZNac3Yt+Jyn9KkskwDQYJKoZIhvcNAQELBQADggEBAJd/5+cVSmsL2Gx4 +Dq36U4XOHfUSIVJUuOuu19ZxQ5a9ObUfNX0gSLXbcWnLcdOCUgN4OutjxUw16FeL +G9t2tT/dKbJZiCkF0QPorugNGeeMt0fExRQ3D0a8OisGdqYurcHxVDjViyWurh1B +ETFU6Gm2E1Rya3zCrW5wEll2GSNe1Xdc+1ANh1mW8E8TbzX3vhY6gXu9o8uNCXLU +N0JE0ggugkOBLSSP9MbFvQDWWAY7nMaQxuXwULyiXMSm2QQOOlNqcGMASWo7sWij +ELDpYc5XPVplpQObdTkEFrooHe7oBl91WZ9oY9iu/H2Yx6HS/zJs6knZvwNxz3uY +ZcvdYXw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG +CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x +ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh +bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw 
+CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE +vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f +OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 +uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P +UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm +ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G +A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C +AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G +XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n +Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto +KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ +FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x +p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= -----END CERTIFICATE----- diff --git a/src/test/resources/bwc/generate_certificates.sh b/bwc-test/src/test/resources/security/generate_certificates.sh similarity index 100% rename from src/test/resources/bwc/generate_certificates.sh rename to bwc-test/src/test/resources/security/generate_certificates.sh diff --git a/bwc-test/src/test/resources/security/kirk-key.pem b/bwc-test/src/test/resources/security/kirk-key.pem index bacb22c215..d9405abfe5 100644 --- a/bwc-test/src/test/resources/security/kirk-key.pem +++ b/bwc-test/src/test/resources/security/kirk-key.pem 
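Review bot: The removed esnode certificate carried critical `keyUsage`, `extendedKeyUsage=serverAuth,clientAuth` and `basicConstraints=CA:FALSE`, whereas the replacement's extension block holds only the SAN (now including `::1`), the subject key identifier and the authority key identifier. Java's default TLS validation tolerates a leaf without an EKU, so the plugin's transport and HTTP layers will likely still come up, but anything applying a stricter profile would reject it, and the new cert also runs to 2033 while its issuer expires in 2025. Regenerate it from the script with an extfile that restores those three extensions and a lifetime no longer than the root's; the added `::1` SAN entry is the only change this commit is after.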
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCwgBOoO88uMM8 -dREJsk58Yt4Jn0zwQ2wUThbvy3ICDiEWhiAhUbg6dTggpS5vWWJto9bvaaqgMVoh -ElfYHdTDncX3UQNBEP8tqzHON6BFEFSGgJRGLd6f5dri6rK32nCotYS61CFXBFxf -WumXjSukjyrcTsdkR3C5QDo2oN7F883MOQqRENPzAtZi9s3jNX48u+/e3yvJzXsB -GS9Qmsye6C71enbIujM4CVwDT/7a5jHuaUp6OuNCFbdRPnu/wLYwOS2/yOtzAqk7 -/PFnPCe7YOa10ShnV/jx2sAHhp7ZQBJgFkkgnIERz9Ws74Au+EbptWnsWuB+LqRL -x5G02IzpAgMBAAECggEAEzwnMkeBbqqDgyRqFbO/PgMNvD7i0b/28V0dCtCPEVY6 -klzrg3RCERP5V9AN8VVkppYjPkCzZ2A4b0JpMUu7ncOmr7HCnoSCj2IfEyePSVg+ -4OHbbcBOAoDTHiI2myM/M9++8izNS34qGV4t6pfjaDyeQQ/5cBVWNBWnKjS34S5H -rJWpAcDgxYk5/ah2Xs2aULZlXDMxbSikjrv+n4JIYTKFQo8ydzL8HQDBRmXAFLjC -gNOSHf+5u1JdpY3uPIxK1ugVf8zPZ4/OEB23j56uu7c8+sZ+kZwfRWAQmMhFVG/y -OXxoT5mOruBsAw29m2Ijtxg252/YzSTxiDqFziB/eQKBgQDjeVAdi55GW/bvhuqn -xME/An8E3hI/FyaaITrMQJUBjiCUaStTEqUgQ6A7ZfY/VX6qafOX7sli1svihrXC -uelmKrdve/CFEEqzX9JWWRiPiQ0VZD+EQRsJvX85Tw2UGvVUh6dO3UGPS0BhplMD -jeVpyXgZ7Gy5we+DWjfwhYrCmwKBgQDbLmQhRy+IdVljObZmv3QtJ0cyxxZETWzU -MKmgBFvcRw+KvNwO+Iy0CHEbDu06Uj63kzI2bK3QdINaSrjgr8iftXIQpBmcgMF+ -a1l5HtHlCp6RWd55nWQOEvn36IGN3cAaQkXuh4UYM7QfEJaAbzJhyJ+wXA3jWqUd -8bDTIAZ0ywKBgFuZ44gyTAc7S2JDa0Up90O/ZpT4NFLRqMrSbNIJg7d/m2EIRNkM -HhCzCthAg/wXGo3XYq+hCdnSc4ICCzmiEfoBY6LyPvXmjJ5VDOeWs0xBvVIK74T7 -jr7KX2wdiHNGs9pZUidw89CXVhK8nptEzcheyA1wZowbK68yamph7HHXAoGBAK3x -7D9Iyl1mnDEWPT7f1Gh9UpDm1TIRrDvd/tBihTCVKK13YsFy2d+LD5Bk0TpGyUVR -STlOGMdloFUJFh4jA3pUOpkgUr8Uo/sbYN+x6Ov3+I3sH5aupRhSURVA7YhUIz/z -tqIt5R+m8Nzygi6dkQNvf+Qruk3jw0S3ahizwsvvAoGAL7do6dTLp832wFVxkEf4 -gg1M6DswfkgML5V/7GQ3MkIX/Hrmiu+qSuHhDGrp9inZdCDDYg5+uy1+2+RBMRZ3 -vDUUacvc4Fep05zp7NcjgU5y+/HWpuKVvLIlZAO1MBY4Xinqqii6RdxukIhxw7eT -C6TPL5KAcV1R/XAihDhI18Y= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDu8gQ5Sl7I1h1m +AfGxFfdcBAwz3zsta1nzJzkWdwDeSa1NFAVOke8dOHFHnbsaYMJuCBh9t7NbcHiX +e8A7CGX7XfwBZHhLNEU6Yjq8rfVoP5ySPyk80nGen56+dmeli0B+BC4GDCO4J8Hm +DdTnYtdWGK6NzOceJpbAXywtixLly6H+aYGE9MBcBtOJuVHzEvVUP/xGToCIDdi2 
+wsoySoqbyTbWFB6t3LUlir9qVIn05EdzurmTUVNXIzL0BFUGiejqxE7uHEu3O7ro +Pr47y3rZ6jSgt5ynrQr2ng1qxiY3bB9l4Xqs2wbNe1isS5H533s7REsq57ma1w2y +aDpvR1SzAgMBAAECggEABngmiAxn9t7+big4FkzKLtv7CsB+HvwmjJ3KtQxPBI5R +CUA1Ic5zsKmwUe+uLCqUzL2yS3DFIYriF7rxx6xPiZ9GL6d3GzycDzklxwv/AEaQ +oOQcvI83murYNYRiZnjJGCVFmDAq4FVO7N7uOtLIL8FBoJwkJhZydL9e6V+Gzf6r +B42P8VSmd+xyDg/9r6l69nNB7zSz+wF6UCphhkNtjc/pZS3/Z+gL2Q1LkP/9txkK +Arh9bdptPxWI0fPQYJSTfdbSW6AyJDCpptqDvhG5mYFBP2uQKHXDY1E4HH65vHp2 ++lS0AEK7NsY0u0/JPcyAvpomo2tnmfUb/3I8RtLrYQKBgQD5lykdqlghDajR7POK +RIeX/T185cc1IKMYIOzbT9sB9NbUq0dM5HHz/RqJybj7Dd+s8EKj6i/daTOfQ1Hk +FGshE8m3yBY7wYx1AzA9cgxZjC12q7+1s9rR66fQ0ycpoITuwI8uVEUgmYxZBYvw +yc2XrEWi4EQpwmftCWTmk8/IQwKBgQD1FN+qRpl/2VbI1sDpMVKYsQRUKSgoKkRU +Ov9XK1LkzGFP+a287NJB8sqomwXGXngTJr0gYy2N58N8osQmjcRMac5WBuFT8k5J +jJpaZKcx4mUrVMtknOmEeeN8U1XzMXh/j4Ps6yy1oZbATm7MzsbBBz8ofgRVmEBH +H69G9r1y0QKBgG/j+Ca4avHGcdxKYZOmzTKx8JLBX+DNVNBIUmavEft6i6SjdD9g +WkWLPg5vRGIoAhJBU16waezUcLQBNgENtkkJ2fBt3qnDRvheCY5CRo8ObIM606Ld +kkdxYbYYMwJSV8XAxW97j9HhhC2UcvvrPCO2szElYOlnobd98qH7ubaJAoGBAO0/ +Qa2CHoInEN3nFmQnfP+XDMuz88297NtlKV1m8R3Pw7w5xTgIQRnaQNirCRIYzUAs +1hSOLcEbRKBYqG1x+z7Fhhq9Gk+7VpHYbGto2Hlv4ePqd+J0C5JUtCTcP23my/Eg +KuOkXWmOfXK3+oaE/N5Ld5ZpNyTs9/xh7blSjd6hAoGBANuixtW8ZxxNvA8AEhIc +NqRcLfQJgjSGY82PffDura0C1gXrfNRaz6gvFDU9oIYNrllG5uf/qITkKBoQzJuA +q330xqf18B0Gp6p/TaqAU48LBi6hLBsuEvsMVOrpJNfBN97SeXWw3wmmz11YDdF1 +Jpv7Qh0XM/NaSDjMN1ILQNQ2 -----END PRIVATE KEY----- diff --git a/bwc-test/src/test/resources/security/kirk.pem b/bwc-test/src/test/resources/security/kirk.pem index c32b21cd89..681c4cb79d 100644 --- a/bwc-test/src/test/resources/security/kirk.pem +++ b/bwc-test/src/test/resources/security/kirk.pem 
@@ -1,26 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIEdzCCA1+gAwIBAgIGAWLrc1O4MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm -iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ -RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 -IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy -MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBNMQswCQYDVQQGEwJkZTENMAsGA1UEBwwE -dGVzdDEPMA0GA1UECgwGY2xpZW50MQ8wDQYDVQQLDAZjbGllbnQxDTALBgNVBAMM -BGtpcmswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCwgBOoO88uMM8 -dREJsk58Yt4Jn0zwQ2wUThbvy3ICDiEWhiAhUbg6dTggpS5vWWJto9bvaaqgMVoh -ElfYHdTDncX3UQNBEP8tqzHON6BFEFSGgJRGLd6f5dri6rK32nCotYS61CFXBFxf -WumXjSukjyrcTsdkR3C5QDo2oN7F883MOQqRENPzAtZi9s3jNX48u+/e3yvJzXsB -GS9Qmsye6C71enbIujM4CVwDT/7a5jHuaUp6OuNCFbdRPnu/wLYwOS2/yOtzAqk7 -/PFnPCe7YOa10ShnV/jx2sAHhp7ZQBJgFkkgnIERz9Ws74Au+EbptWnsWuB+LqRL -x5G02IzpAgMBAAGjggEYMIIBFDCBvAYDVR0jBIG0MIGxgBSSNQzgDx4rRfZNOfN7 -X6LmEpdAc6GBlaSBkjCBjzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT -8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4xITAfBgNV -BAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEhMB8GA1UEAwwYRXhhbXBsZSBD -b20gSW5jLiBSb290IENBggEBMB0GA1UdDgQWBBRsdhuHn3MGDvZxOe22+1wliCJB -mDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSUBAf8EDDAKBggr -BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAkPrUTKKn+/6g0CjhTPBFeX8mKXhG -zw5z9Oq+xnwefZwxV82E/tgFsPcwXcJIBg0f43BaVSygPiV7bXqWhxASwn73i24z -lveIR4+z56bKIhP6c3twb8WWR9yDcLu2Iroin7dYEm3dfVUrhz/A90WHr6ddwmLL -3gcFF2kBu3S3xqM5OmN/tqRXFmo+EvwrdJRiTh4Fsf0tX1ZT07rrGvBFYktK7Kma -lqDl4UDCF1UWkiiFubc0Xw+DR6vNAa99E0oaphzvCmITU1wITNnYZTKzVzQ7vUCq -kLmXOFLTcxTQpptxSo5xDD3aTpzWGCvjExCKpXQtsITUOYtZc02AGjjPOQ== +MIIDgzCCAmsCFBj6pmXTCDqo4G0NJ0XSdhf1VJD3MA0GCSqGSIb3DQEBCwUAMIGu +MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZ +MBcGA1UECgwQRXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20g +SW5jLiBSb290IENBMUAwPgYDVQQDDDdFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0Es +IENOID0gRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTIzMDgxMDIxMTQ1MVoX 
+DTI1MDgwOTIxMTQ1MVowTTELMAkGA1UEBhMCZGUxDTALBgNVBAcMBHRlc3QxDzAN +BgNVBAoMBmNsaWVudDEPMA0GA1UECwwGY2xpZW50MQ0wCwYDVQQDDARraXJrMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7vIEOUpeyNYdZgHxsRX3XAQM +M987LWtZ8yc5FncA3kmtTRQFTpHvHThxR527GmDCbggYfbezW3B4l3vAOwhl+138 +AWR4SzRFOmI6vK31aD+ckj8pPNJxnp+evnZnpYtAfgQuBgwjuCfB5g3U52LXVhiu +jcznHiaWwF8sLYsS5cuh/mmBhPTAXAbTiblR8xL1VD/8Rk6AiA3YtsLKMkqKm8k2 +1hQerdy1JYq/alSJ9ORHc7q5k1FTVyMy9ARVBono6sRO7hxLtzu66D6+O8t62eo0 +oLecp60K9p4NasYmN2wfZeF6rNsGzXtYrEuR+d97O0RLKue5mtcNsmg6b0dUswID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEW7neR3+hpQSnkvwIM0lUua/uFjIqNCf8 +4syKeYqyl/2fLVTx2NdXzSeMcMOa03xt2pSuRT2m1qhrtajEUNHwtlaNOUSXQFpz +BRliDug4oKKNlssKZTbY2DsmfsKrucrbeGxPxIoJlBB4ryx0Z6XlhtVDIc90mInY +d6hQG7jVhTStSGtz1pRp5Ze/3TgA7rcKH1jgGkawVBwDsBeR9rvRncQ6kuLR8/8z +o9HLSWD74syp7v22BfmhEEIDHz+x4iAbJ6r/5VOwuCvIVbPRggmkaW4b7YLgfQo0 +YsIUj2TTWBTx6SVHrbZ/uTWakYE70BQWv7WpTWDQ/DzMih8EGprv -----END CERTIFICATE----- diff --git a/src/test/resources/bwc/root-ca-key.pem b/bwc-test/src/test/resources/security/root-ca-key.pem similarity index 100% rename from src/test/resources/bwc/root-ca-key.pem rename to bwc-test/src/test/resources/security/root-ca-key.pem diff --git a/bwc-test/src/test/resources/security/root-ca.pem b/bwc-test/src/test/resources/security/root-ca.pem index 4015d866e1..ed97e17ec8 100644 --- a/bwc-test/src/test/resources/security/root-ca.pem +++ b/bwc-test/src/test/resources/security/root-ca.pem 
@@ -1,24 +1,25 @@ -----BEGIN CERTIFICATE----- -MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjzETMBEGCgmSJomT8ixk -ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w -bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh -MB8GA1UEAwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTE4MDQyMjAzNDM0 -NloXDTI4MDQxOTAzNDM0NlowgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJ -kiaJk/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEw -HwYDVQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1w -bGUgQ29tIEluYy4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAK/u+GARP5innhpXK0c0q7s1Su1VTEaIgmZr8VWI6S8amf5cU3ktV7WT9SuV -TsAm2i2A5P+Ctw7iZkfnHWlsC3HhPUcd6mvzGZ4moxnamM7r+a9otRp3owYoGStX -ylVTQusAjbq9do8CMV4hcBTepCd+0w0v4h6UlXU8xjhj1xeUIz4DKbRgf36q0rv4 -VIX46X72rMJSETKOSxuwLkov1ZOVbfSlPaygXIxqsHVlj1iMkYRbQmaTib6XWHKf -MibDaqDejOhukkCjzpptGZOPFQ8002UtTTNv1TiaKxkjMQJNwz6jfZ53ws3fh1I0 -RWT6WfM4oeFRFnyFRmc4uYTUgAkCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAf -BgNVHSMEGDAWgBSSNQzgDx4rRfZNOfN7X6LmEpdAczAdBgNVHQ4EFgQUkjUM4A8e -K0X2TTnze1+i5hKXQHMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IB -AQBoQHvwsR34hGO2m8qVR9nQ5Klo5HYPyd6ySKNcT36OZ4AQfaCGsk+SecTi35QF -RHL3g2qffED4tKR0RBNGQSgiLavmHGCh3YpDupKq2xhhEeS9oBmQzxanFwWFod4T -nnsG2cCejyR9WXoRzHisw0KJWeuNlwjUdJY0xnn16srm1zL/M/f0PvCyh9HU1mF1 -ivnOSqbDD2Z7JSGyckgKad1Omsg/rr5XYtCeyJeXUPcmpeX6erWJJNTUh6yWC/hY -G/dFC4xrJhfXwz6Z0ytUygJO32bJG4Np2iGAwvvgI9EfxzEv/KP+FGrJOvQJAq4/ -BU36ZAa80W/8TBnqZTkNnqZV +MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL +BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx +NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG +CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x +ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh 
+bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw +CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE +vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f +OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 +uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P +UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm +ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G +A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C +AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G +XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n +Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto +KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ +FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x +p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= -----END CERTIFICATE----- diff --git a/bwc-test/src/test/resources/security/sample.pem b/bwc-test/src/test/resources/security/sample.pem deleted file mode 100644 index 7ba92534e4..0000000000 --- a/bwc-test/src/test/resources/security/sample.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm -iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ -RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 -IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy -MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL -BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV -BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt -9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8 -Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL -gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl -ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq -eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw -gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB -GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs -ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw -HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv -78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg -MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq -AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI -hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0 -5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy -8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr -XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA -1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t -e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs= ------END CERTIFICATE----- 
diff --git a/bwc-test/src/test/resources/security/test-kirk.jks b/bwc-test/src/test/resources/security/test-kirk.jks deleted file mode 100644 index 174dbda656f41b10341adb78ab91a46afaae8a1c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3874 zcmY+GcQhM}zs8e@RFtSn>{Y9_XzfvZl*TSQG6F9FNd(wu zFab99cRY+FKt2CO5E21u`*&mo0s{VisDB9%$qk|Z?*;}S1PKGv1*1XCugHHEKp;B6 z69Saqd|bch;ZdXcj@o48Or^T{VjiQWQ)um?koax&EW2Jd6%cmO+99&?<0M#TkhMY0 z>TOc9NNj$5o%GwnI2>ZpA<-syd;YVlrkqVstJxqe_w8#F0dlKW!#D3WVDWfwaN@uX z{)l!>hgv`=r)M_tPedAH8wS zrMCsCM3^vbf3iWkdUoK)O(h9`bxp3s^zq4CU5%IJN;Y04OLiLfXPS%;Duo}L?EKtE z$4DyO?uRf+Ovm@OBmMKYjcI;;3k(jA`wJ`_W&){Es6Nv(A-s;NYZhfPTZJ%tBZ{1@ zc|_(P(o|Du6c{sJ4@Q6w- zF)*aVb&dDqmGoH8(8Y;T2S?DR9+P|nUT>q8177|so}DjY7IWc!jB(9r?rJ%YyVvh5 z4`BJLeFX6F2g1N^WT?dWin3^|1>$*MQP~CSqFMgQ4m&bJp``1>I(!5Pe9&NB7{wXc z+p)Bs6Durb104tWmIOYRkBU~Waz;l#k`+@Fye00vbTIQq3dY*R{KBH-UF3%r{=+v` zqu(DD1~xv;*N0vqhN9l+bCm(5u37KF+&JF&or0qB&J%}ZmdviHekDmr#GlPK60J4Q zJ#vSZYt1pSxEPM~S27`bL-X}ig&?t1ubwy1&P?lEwQUs|t?a7>dqM7^&@^5tSL9pMp+&5H?jk>BGMj!JcQ+3*rxFcY4MY2z z4C?1*^xq&(g`+u7JnXS-Yuq8?$%DG-Zs#VDo=cTmcJRfEFTG1T4~(u1j$Snc+7Cs; zyB9?mE4rqbq_*xqj?#OlN%@YGt*PgH+-~Fy+blur5jn zu_S?>vGKl_57zp6>#CW5Q&HHKl|qVToNrM`8!zz5n*{CQ+r2#n4{2tk@;0m{ zM8pbY25rVQv1<0iw2CPT?uG+>NVZVLalVoRSZQdC(&M@`0$mC@6l?zxF&LAM8XHR1Ah3S zb?4&7@N$w<+PVC^0ws=h2pqrozQ!=b!?Zy2@uQjFh1)BEPT$JlDa9Q8(%YHT_r)w# z<4bW`j)gX^ktonho#Uf=U=ZH5QT!;ug%qe!Fi?N(OjphEVY3YTU5B*j^ZMOg+XmnL zPpT%`zoHjGCw~=w|5zC`KWOFwsF`=Jjwez^hwA2rgTt^ z^10Gp<3*%@mI37QZ>P3$*PX4;4LpFQqK9AnvMxAg!|B)unEQ{13w`0LO;;mgV22L5 z=Y8bwo8Fch2UFgZEqeTdMGZMKmz)4Uzb#-R)&H4zUC45?<4&g?`6XX-=`F2|(~Esf z4P+-+Y;J{*hV8L55?o`K^wL+ zE>e|WH7ZW48)vi%Zq4nbkLikeTd&2pCr5A#jJC9jypS>*@uF<#i}Xp$3X7~b0>bXQ zd@CV7FY-$A{IR_m5uZie z+ckdOpNC4bjck=wZ@3lTl5+`W3~_4oPuGx4#mk-f?CsbGulgu|BAb)LTI|hBYM==Q zPLdu6@x)I_O{qq^{%cI*Q`-C+WZjpp^GjGiWv(#7Vr(pZ@A532u&Rn|3@4+xgKqNc zMhtgDOn)7lv}KZc^U}jD!KU{3;=7as(>uBwDx5}ii8iIz!F(WDlbe(V`WH5PS-XhZ 
zPJFI;eV}4{aJ?&?Sv%?zMZJ9SRFL%?ZZ0C(FdozY2R@i=1>&&E< z<(hauSRE!6;QE6ujbYrYrWNm9;!ixJV`}*=J$7wZ^0l>rTb7|)`olK^*^m3Ex%nq2 zL({r^1)T=Q7qM>-F~1lC817t!PNhq1c&?{#kiAuiMtlDELuI?Ut6LMQ6()675@U5L z_g(P7&7MR-N3z!C5a+qZ$!xmrg0qbsQn*7vqc!v-^yqc6`tlc%aQl-Fe+IYP5Pe^K z^%zx2w*a+^&+F*;<~HZ&=XwRTB6z)Uec2XkH=^cl)cHs|VxGqSQStks&td*NQbTPW z@??ewN#dRVCH?t{p-$)JDIxkVF$#9Q?iS!Qqby9p zttQuw3k2_4Hs9`5TG}3Jwk97Nste6#I!jG)f$b(~xI#)Bs7nQ7es#6RzYPh=8vCY$@K;aE z0JYYxSm&6)?GS&eI-ibs8vhi$EXK)Yhv7%bHy2C$czjfz?F4J+b%lJkXj+1&h?Ti_R;#D>}h%qh-ltN3^kJE=J$q9lGN z97&*c`aeQNBG8(G3ADz4#|D3&4&?Ix=oLK>L?VDUkp%Gi|FbTdf2<2!*X4kUenR(; zb%6=se)ca%eZ zOyn3`1eb66NoONNlb!Qgq|BuMxwULjnW>4u2iuhj(ZUV8fC!eY=nsZF*}w6V0(LxJ zVJ|ew^cV0%UizR_Y1yOEtM1}iw*f#fPAX(#E)%*G)QD7W7O$XT5e!*pv0krMED!yw zv)_h?54B@8<=GZ6ukEmkmrx<@jaUud2Y%EQU-vBcCChZ&9Xf`1Rw3w4G=@{y>I<<5 zr)BfiiXe`(Z@ksE4@BqB5d!$>pA(N&9b7XX5GBfr?j{H(J6=OSr*~9Ff8Zh0^d;HS3|V9O<+-Py zxI&YAI-gM^t2+X1O6JyQ*^8SfuZ5{?m1F14fGg;0aeF|P)4c8tw{C;?*J)`bjV2~qOsSjk^$@gQ1{3jw}OGfYhan!3#Y zHIQX-5|4fmT69zTvDd3aW(AkQqj4t}?Md}bd>>Q>N!29V@klLOr#L%^gPrlgw8ASS>!fstf*6i;ka?xLu@MUq>?r_mf*HCZ0jHy2N^B`x>Y90Tt5-jn7*G)Ai~?r^6!i zChFK}Z-Np|s#K(ct1NYcNSoxM%p~ng6bf7}uXm#_v&(wHHp4Tljgd6EW$Kg0xZkkr zi&o;({o`MC#=#JXFx-Py14vyFMbGypX`-a>1F9n21b`MXKk|zU$zEO&>l1Rjkx$4Vg-UeUetqM3xCVt2 z#4}QY$t__sQxkuq9U8E_JbjM8#9JvlSK48A@`?q^I*~JnT-!@f$l49YlT>fpGqYJ9 zr+k*tw-oT8l~Dr<$GT8lt$6D+{n7Af1%CX7h0*}>N)s;I);DZqq{57a Date: Fri, 25 Aug 2023 15:20:33 -0400 Subject: [PATCH 04/28] Rest client settings Signed-off-by: Craig Perkins --- bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index 6415a23bea..ca6bdad121 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java 
@@ -22,6 +22,8 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.hasItem; +import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED; + public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase { private ClusterType CLUSTER_TYPE; @@ -53,6 +55,7 @@ protected boolean preserveTemplatesUponCompletion() { @Override protected final Settings restClientSettings() { return Settings.builder() + .put(SECURITY_SSL_HTTP_ENABLED, true) .put(super.restClientSettings()) // increase the timeout here to 90 seconds to handle long waits for a green // cluster health. the waits for green need to be longer than a minute to From 9c2bdf193ad3a279763c36c36980ff354b0a20a2 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:29:27 -0400 Subject: [PATCH 05/28] Override getProtocol Signed-off-by: Craig Perkins --- .../src/test/java/SecurityBackwardsCompatibilityIT.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index ca6bdad121..ea8742c9a0 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java @@ -22,8 +22,6 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.hasItem; -import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED; - public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase { private ClusterType CLUSTER_TYPE; 
@@ -52,10 +50,14 @@ protected boolean preserveTemplatesUponCompletion() { return true; } + @Override + protected String getProtocol() { + return "https"; + } + @Override protected final Settings restClientSettings() { return Settings.builder() - .put(SECURITY_SSL_HTTP_ENABLED, true) .put(super.restClientSettings()) // increase the timeout here to 90 seconds to handle long waits for a green // cluster health. the waits for green need to be longer than a minute to From 1011f9418a606b7ae55303d35e362b892e23fb30 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:45:06 -0400 Subject: [PATCH 06/28] Bump to 2.11 for testing Signed-off-by: Craig Perkins --- build.gradle | 2 +- .../test/java/SecurityBackwardsCompatibilityIT.java | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 0ef74914bd..8c183002c4 100644 --- a/build.gradle +++ b/build.gradle @@ -16,7 +16,7 @@ import groovy.json.JsonBuilder buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index ea8742c9a0..d51aa3c357 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java @@ -22,6 +22,9 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.hasItem; +import org.opensearch.client.RestClient; +import org.opensearch.commons.rest.SecureRestClientBuilder; + public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase { private ClusterType CLUSTER_TYPE; 
@@ -66,6 +69,16 @@ protected final Settings restClientSettings() { .build(); } + @Override + protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { + String userName = System.getProperty("tests.opensearch.username"); + String password = System.getProperty("tests.opensearch.password"); + + return new SecureRestClientBuilder(hosts, true, userName, password).setSocketTimeout(60000) + .setConnectionRequestTimeout(180000) + .build(); + } + public void testBasicBackwardsCompatibility() throws Exception { String round = System.getProperty("tests.rest.bwcsuite_round"); From a35e0ad0a0c68deebc91773d0e5d221b30a61570 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:49:40 -0400 Subject: [PATCH 07/28] Fake 3.0.0 Signed-off-by: Craig Perkins --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 8c183002c4..5f2f940e66 100644 --- a/build.gradle +++ b/build.gradle @@ -16,7 +16,7 @@ import groovy.json.JsonBuilder buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.11.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") From f4be93024be33201a855f308c83fa2644e64acad Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:53:41 -0400 Subject: [PATCH 08/28] 2.10 to 2.10 Signed-off-by: Craig Perkins --- build.gradle | 2 +- bwc-test/build.gradle | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 5f2f940e66..0ef74914bd 100644 --- a/build.gradle +++ b/build.gradle 
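Review bot: `buildClient` hands `userName` and `password` from `System.getProperty` straight to `SecureRestClientBuilder` with no check, so when either property is absent the builder receives null and the failure surfaces later as an opaque connection or authentication error instead of a clear configuration message. A guard before the builder call, `if (userName == null || password == null) { throw new IllegalStateException("tests.opensearch.username and tests.opensearch.password must be set"); }`, makes the contract explicit. The `true` literal in the second constructor argument, which appears to be the HTTPS flag, duplicates the protocol choice that `getProtocol()` makes elsewhere in this class; `"https".equals(getProtocol())` would keep the two in step. The two timeout values are bare numbers and would read better as named constants alongside the commented 90-second timeout in `restClientSettings`.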
@@ -16,7 +16,7 @@ import groovy.json.JsonBuilder buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 25ce7cddd4..2199083389 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -76,7 +76,7 @@ loggerUsageCheck.enabled = false testingConventions.enabled = false validateNebulaPom.enabled = false -String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0") +String previousVersion = System.getProperty("bwc.version.previous", "2.10.0.0") String nextVersion = System.getProperty("bwc.version.next", "2.10.0.0") String bwcVersion = previousVersion From 4ad5900eb289fb76ec97eadb93dceb4c79268f94 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 15:58:24 -0400 Subject: [PATCH 09/28] Add dependency on common-utils Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index 2199083389..f27783b481 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -46,6 +46,7 @@ buildscript { ext { opensearch_version = System.getProperty("opensearch.version", "2.9.0-SNAPSHOT") opensearch_group = "org.opensearch" + common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT') } repositories { mavenLocal() @@ -70,6 +71,7 @@ dependencies { testImplementation "com.google.guava:guava:${versions.guava}" testImplementation "org.opensearch.test:framework:${opensearch_version}" testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}" + testImplementation "org.opensearch:common-utils:${common_utils_version}" } loggerUsageCheck.enabled = false 
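Review bot: In the `ext` hunk of bwc-test/build.gradle, the `common_utils_version` default `'2.9.0.0-SNAPSHOT'` is a second hand-maintained version literal next to `opensearch_version`'s `"2.9.0-SNAPSHOT"`, so every bump must touch both or they silently drift, and this series already bumps versions in separate commits. Deriving the default from the existing property, e.g. `common_utils_version = System.getProperty("common_utils.version", opensearch_version.replace("-SNAPSHOT", ".0-SNAPSHOT"))`, keeps them aligned with one edit (this assumes the snapshot qualifier is present, as the default above it has). The single-quoted default also departs from the double-quoted style of the neighbouring lines.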
From 6cafd2a1b4ff5f909634e7d94d361829d95e928b Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 16:03:37 -0400 Subject: [PATCH 10/28] Import HttpHost Signed-off-by: Craig Perkins --- bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java | 1 + 1 file changed, 1 insertion(+) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index d51aa3c357..43c411845a 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java @@ -12,6 +12,7 @@ import java.util.Set; import java.util.stream.Collectors; +import org.apache.http.HttpHost; import org.junit.Assume; import org.junit.Before; import org.opensearch.common.settings.Settings; From 1411492c48f214067396fe563130408f664c3f60 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 16:20:50 -0400 Subject: [PATCH 11/28] Import IOException Signed-off-by: Craig Perkins --- bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java | 1 + 1 file changed, 1 insertion(+) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index 43c411845a..91d5cc64d2 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java @@ -7,6 +7,7 @@ */ package org.opensearch.security.bwc; +import java.io.IOException; import java.util.List; import java.util.Map; import java.util.Set; From ec58df39dc5490416204ad477574ef739fc9d436 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 16:38:11 -0400 Subject: [PATCH 12/28] Add kirk keystore Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 1 + .../test/resources/security/kirk-keystore.jks | Bin 0 -> 4525 bytes 2 files changed, 1 insertion(+) create mode 100644 bwc-test/src/test/resources/security/kirk-keystore.jks 
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index f27783b481..3348577783 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -124,6 +124,7 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem"))
 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
+ node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
diff --git a/bwc-test/src/test/resources/security/kirk-keystore.jks b/bwc-test/src/test/resources/security/kirk-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..dd7562ef81822291c9e48be60b6daef2883288a9 GIT binary patch literal 4525 zcmdVccT^MWwgB){LPGDoiG|JtLlcmi&;&(_6h#7rP(uq{DS;pYA_Afmm4HYQP!tF# zO+it?LY1P3NK;Ux3W)H6$9wKM=ic}3T5sJy?)_ud%--LgH8bDr`F*qXdFwL>1cER& z@XrnA;}zt?2;6|iLvA1t91KukKLBYi?ob|vHEVPXTvFy98Cf88WeS!f7A?SFPvZg)V z7v6j;sEtmwpQf&7q@7zop%6{r2s~o4`h$O*s-O*b>U-1znW*c#zSZBch%8xV*PK!@M#{2`WZYarXxm&{`QatOX?4u9M`&!g z&8@j*V|x00YnIuVYvX+t0oL3*%ZApt%D}TBgx;82*eFi6zP*KyC^rTTB}T2_jyE(_ z;f-sVA5zg)Q)lMvlIJLf*G91S{6-yTXOSiB%Pl6=)ezz52b@>D2PMdN`A#<=9WZ-| z7KW!1+>q&M9FI4m)Uo2)<*krrUc5S@Z)L7G7dgI!>|D_H@?HQ2<&8$8eAM5V`nS_j zNpG-+#Ccy*OAKTS(OGuQwm4>u0HI3?WwUI`J?nS!O@}YqX!P0n!lx^wZ-xy>9X%}X z%zmko=qLu(IqcUGH-zYG9NL}p(8Yv5_N2}HLil{#_GY+#+?8~+txTk4E?9{>Y6;8Q zEZMQQG+Zc7(ONjc_Z{R_?;uOgps(gW9B#f(6USN@W|Q~IWxj{osPJ=+k~BeQ@cQL| z$FtVYsZN!ibBkZ5nzYpH;ZHJ%>jHUIYX_z7yg_w(Pt?L{^X(1y1V;C7nhA@9^p>1jxzk4S}xL;ZtiB54PN2WN{SYvv3Rh9rlt7aOkInvb_wo?IeDCPpYvkB~u~s|dnp zzlO4kJt=!g)8MF%;L*>C7`w|&Q5;Zw^-N`BMf^2O*~k34r_QaBMiXr@B`1*OXV;sA z9gZ{qm~Tz#GUS?VMvHuD!B$x1U&)(!$F*Sp&b2~cEiXb}fOVHxav+Cc&lruM_R&V( z{43J!IB|M3ZPcwnQbKw_ebQNXOK%`r0lA@di3f&@c4}>O5mAX}`oa7CAntB*PQV6H z^L0WBm#47xTa;TPT3rIKe{dQg49MoR+S7kZUoEgm8$1*sT7hyWeFN zn%<%O^kC4vVk0^76VKU1bP6oo&2Wj(7bV7r$yWzRuT)$$b)}BoAG@t&D^9#0)4o5t z3!Xb!WQChtbPDCZqnv#{@Cy@D^Gw)@;l6aTSvhyQ&XWfqXs~EWy=uctyrPgS<;cB3 ziFkO@!mSh-w6rR5LZ+*OP##Ou?k-vUl=T*#5wv)XW2;UyNTZj8}9GudhAJ(K5qN?vK^qvH6t3LGn(B3(e+O(u*EW1 zgo5DqN~(Y+2m~`?c&GqQ{_o?!Vs@#_RA&(9SEpn!M%ab_5c z29yHk05S3?2n7rV(d*;#xkoZwk^xiERpN!)4V9H=l4Tn>l)s)UWPUlhW+IW-e}Nd?fsk@0y>16?UrrsO!Hfv0>DAFyj~ z4;Oe+Dtg6e1A$uu6@_fEHn~Tu=r`1LiAGjPWDh&kDWabnW};Hzp#zbs1*P^&lDQn3 zhr`|MiT6!+C&i|>I%eo`0eSDaQI)&vJ`Nd~4)V@wtQn-jj?ItB_B_)Xwk^s@lernM zO6lqvz0uD;>}Ldz03>%+rJfw%-gl1kJbl2iG7Yh2s)~NTOz*9{732Q!JpEGs6V6Or z?v@;35->T4fIz_@a8cZQAa0bgx9TTIG8{VR`$aOlLZ$GqH0yMO 
z@Y6xHgC39jse&KLbn`{{Q=Dt?sE>A+&5;&KL6?ewqvkimo8(4^)y-6@f|g&srG3>K zOR=S%Q-k-M?40&}c8i-mnBH1sjS;pxgNV#%ZPwef`YO#$*D?j$PZ$l zv{pW;Ex{36V{U;rt7KE%$r;XTZ-@9eYiWqK{GxeG!gsw=N<4qP;JB$*gcAmX#ZTkm zq-$D~{KvLfP0R=BdS#-bj(0KEcF*w_t(~hvN!;6+PE{lAeAu>?ljx1Nff@jeHBiRi z;8P7Z7*;-^Yp6&xT-dBKQxS9QF4n?^yDy1p2?1 z{23BJ<8P2)b|7Jd|FHo6E0OvuRKyY-<<1OEd3a0BM&Rq!?9JVYy#B1+Qd!I5#H&na zk30jH2V789$$yAG~m0RXuJD{3u#WSeCxe~2|f62_g>oeC8H2- ze_UH=t}fpaj}759iKB>E5tqFUk`YL%VC@Mru%ad`VPXugO{!w0WjwP{qm4bia|eAw z%*&+wPLE(jG-lJ5O7spY(>%Nwf zJoPod6ROYp-O|9-fNjCN;-j5sdwH&MMsRxO-8N?0U+SP@S1s;CxMp2EWy){1+$1-p z-DsI!@Z4bXQA?=y)QQ#3-$e2N-2dzmme zbbuEP3)|)lIMxspuEbuJf&jNE&eccAgGAH(;O4$ri-*b+2mD#*+5{X{T+%#m+hwnw zkf-(~ntl3qGJvy}XGYaA_O+L)P&_p4@%st9PcpPWv(828(5o1EE|+dIyIAoDXB5Rx z2VB*Q-H5fTW<9l){gQ8BNW*?6U`6S{ffb#a&3)ZV>)Im)?txTeS&1&gRUu8nNMOgv z+(FN+c$pG?jSUeB*?EX{HtNS#Gz{^Sc$kU#;o^jQwe_IHf@kKow7!c`4=eK)3_^Qx ze7?GX&f}#QwMYDVJliV?LGc3@|E>ar@q@9&P+{tq3gEv?*MFl5|8b7}D-UjPy+2V- zR(n5asG`m*?|e`x$VJQF^3>hqpOW4P>L+*@OdT!pG`Rd)sD7&MgFN|kU=M2@8(Y6w ztRiYPqHa?A_K*Cd0VS>?dqH_B%{`uuhc64=N%<(+p1=57=C#>Iv?CgYyQ>hI6)OpE zamrO&M9IHI$%MboyIg}=uimEGEuTd;oGskcyAn}lHDB0@@N+%$RGxMe6Cr4funqQ$ z(@D`B1+Ln_7dr$zQ;nCclkF8IVs{r0xqV`xp_b29-!1B1zY$=RRk4Wz8NU~@x|U=) z^7_KegkHLFMM4Z#0{ z2OPh900*E95B~5Q@=w3@{|^RoP6f5c3mqhA=})^K1scsL<<#R9%F6QEx{2Rb`ky~z zrY&|YhQ9HW!AbMWFK9)w`=or^w-wr%%ogmWARu$h2!fZ<*ZkVuCOohaSsN5nyOO&>*~TNv9yR<|${+cysDRR3}7H>+p?a9c8v%bU%E#C4CGWvaeW$ oIl4xa=rqgDw#QA?#n3);-E>Npf^^i;kSQ<9A)UYFuMDdGAEFEd8UO$Q literal 0 HcmV?d00001 From fbdacc37adcefc75c1adf84d4a31aac6517dcfa2 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 25 Aug 2023 16:44:45 -0400 Subject: [PATCH 13/28] Add debug statement Signed-off-by: Craig Perkins --- .../opensearch/security/transport/SecurityRequestHandler.java | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 2bc1c5b9d7..99dde079d0 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -289,6 +289,7 @@ protected void messageReceivedDecorate(
 || HeaderHelper.isTrustedClusterRequest(getThreadContext())
 || HeaderHelper.isExtensionRequest(getThreadContext()))) {
 // CS-ENFORCE-SINGLE
+ System.out.println("Not a trusted transport request. Erroring out.");
 final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException();
 log.error(exception.toString());
 transportChannel.sendResponse(exception);
From f956a9cfcd37c1bb7554826d90254590a0542262 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 28 Aug 2023 11:20:52 -0400
Subject: [PATCH 14/28] Add network.publish_host
Signed-off-by: Craig Perkins
---
 bwc-test/build.gradle | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index 3348577783..b061e766b7 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
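Review bot: The added `System.out.println("Not a trusted transport request. Erroring out.");` writes to stdout from a production transport handler, bypassing the `log` field used on the very next line and the level and appender controls that come with it. If the message is meant to stay, `log.debug("Not a trusted transport request. Erroring out.");` (or folding the text into the existing `log.error`) is the right form; if it is the temporary diagnostic the subject line suggests, it should be removed before merge. `messageReceivedDecorate` begins outside the hunk.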
@@ -125,22 +125,38 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
 node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
+ node.extraConfigFile("opensearch-security/action_groups.yml", file("src/test/resources/security/opensearch-security/action_groups.yml"))
+ node.extraConfigFile("opensearch-security/allowlist.yml", file("src/test/resources/security/opensearch-security/allowlist.yml"))
+ node.extraConfigFile("opensearch-security/audit.yml", file("src/test/resources/security/opensearch-security/audit.yml"))
+ node.extraConfigFile("opensearch-security/config.yml", file("src/test/resources/security/opensearch-security/config.yml"))
+ node.extraConfigFile("opensearch-security/internal_users.yml", file("src/test/resources/security/opensearch-security/internal_users.yml"))
+ node.extraConfigFile("opensearch-security/nodes_dn.yml", file("src/test/resources/security/opensearch-security/nodes_dn.yml"))
+ node.extraConfigFile("opensearch-security/roles.yml", file("src/test/resources/security/opensearch-security/roles.yml"))
+ node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/opensearch-security/roles_mapping.yml"))
+ node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/opensearch-security/tenants.yml"))
+ node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/opensearch-security/whitelist.yml"))
+ // node.setting("network.host", "0.0.0.0")
+ node.setting("network.bind_host", "0.0.0.0")
+ node.setting("network.publish_host", "127.0.0.1")
+ // node.setting("transport.publish_address", "0.0.0.0")
 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
 node.setting("plugins.security.ssl.transport.enforce_hostname_verification", "false")
- node.setting("plugins.security.ssl.http.enabled", "true")
+ node.setting("plugins.security.ssl.http.enabled", "false")
 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.http.pemtrustedcas_filepath", "root-ca.pem")
 node.setting("plugins.security.allow_unsafe_democertificates", "true")
 node.setting("plugins.security.allow_default_init_securityindex", "true")
- node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de")
+// node.setting("plugins.security.nodes_dn", "\"*\"")
+ node.setting("plugins.security.authcz.admin_dn", "\"CN=kirk,OU=client,O=client,L=test,C=de\"")
 node.setting("plugins.security.audit.type", "internal_opensearch")
 node.setting("plugins.security.enable_snapshot_restore_privilege", "true")
 node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
 node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]")
 node.setting("plugins.security.system_indices.enabled", "true")
+ node.setting("logger.org.opensearch.gradle.testclusters", "debug")
 }
 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}"
From b44f462c6c681d62c688a91c279bf6e808705830 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 28 Aug 2023 11:28:21 -0400 Subject: [PATCH 15/28] Add securityconfig 
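Review bot: `network.bind_host` is set to `0.0.0.0` in the same hunk that flips `plugins.security.ssl.http.enabled` from `"true"` to `"false"`, so each test node now serves its REST layer over plain HTTP on every interface of the runner even though `network.publish_host` stays at `127.0.0.1`. If the suite only talks to the nodes over loopback, `node.setting("network.bind_host", "127.0.0.1")` gives the same reachability with a smaller exposure; if all-interface binding is genuinely required, a comment on that line saying why would stop the next reader from reverting it. The commented-out `network.host`, `transport.publish_address` and `plugins.security.nodes_dn` lines and the `logger.org.opensearch.gradle.testclusters` debug setting read as leftover scaffolding and should be removed or documented. The `admin_dn` value now carries embedded quote characters (`"\"CN=kirk,OU=client,O=client,L=test,C=de\""`); whether the test-cluster settings writer needs them or will store them as part of the DN is not visible here and should be checked against the generated opensearch.yml. The node-configuration closure that encloses these lines begins before the hunk.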
Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 20 +- .../security/securityconfig/action_groups.yml | 3 + .../security/securityconfig/allowlist.yml | 69 ++++ .../security/securityconfig/audit.yml | 85 +++++ .../security/securityconfig/config.yml | 247 ++++++++++++++ .../securityconfig/internal_users.yml | 68 ++++ .../security/securityconfig/nodes_dn.yml | 8 + .../securityconfig/opensearch.yml.example | 228 +++++++++++++ .../security/securityconfig/roles.yml | 308 ++++++++++++++++++ .../security/securityconfig/roles_mapping.yml | 54 +++ .../security/securityconfig/tenants.yml | 11 + .../security/securityconfig/whitelist.yml | 69 ++++ 12 files changed, 1160 insertions(+), 10 deletions(-) create mode 100644 bwc-test/src/test/resources/security/securityconfig/action_groups.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/allowlist.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/audit.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/config.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/internal_users.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example create mode 100644 bwc-test/src/test/resources/security/securityconfig/roles.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/tenants.yml create mode 100644 bwc-test/src/test/resources/security/securityconfig/whitelist.yml diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index b061e766b7..c26df3f116 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle 
@@ -125,16 +125,16 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
 node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
- node.extraConfigFile("opensearch-security/action_groups.yml", file("src/test/resources/security/opensearch-security/action_groups.yml"))
- node.extraConfigFile("opensearch-security/allowlist.yml", file("src/test/resources/security/opensearch-security/allowlist.yml"))
- node.extraConfigFile("opensearch-security/audit.yml", file("src/test/resources/security/opensearch-security/audit.yml"))
- node.extraConfigFile("opensearch-security/config.yml", file("src/test/resources/security/opensearch-security/config.yml"))
- node.extraConfigFile("opensearch-security/internal_users.yml", file("src/test/resources/security/opensearch-security/internal_users.yml"))
- node.extraConfigFile("opensearch-security/nodes_dn.yml", file("src/test/resources/security/opensearch-security/nodes_dn.yml"))
- node.extraConfigFile("opensearch-security/roles.yml", file("src/test/resources/security/opensearch-security/roles.yml"))
- node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/opensearch-security/roles_mapping.yml"))
- node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/opensearch-security/tenants.yml"))
- node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/opensearch-security/whitelist.yml"))
+ node.extraConfigFile("securityconfig/action_groups.yml", file("src/test/resources/security/opensearch-security/action_groups.yml"))
+ node.extraConfigFile("securityconfig/allowlist.yml", file("src/test/resources/security/opensearch-security/allowlist.yml"))
+ node.extraConfigFile("securityconfig/audit.yml", file("src/test/resources/security/opensearch-security/audit.yml"))
+ node.extraConfigFile("securityconfig/config.yml", file("src/test/resources/security/opensearch-security/config.yml"))
+ node.extraConfigFile("securityconfig/internal_users.yml", file("src/test/resources/security/opensearch-security/internal_users.yml"))
+ node.extraConfigFile("securityconfig/nodes_dn.yml", file("src/test/resources/security/opensearch-security/nodes_dn.yml"))
+ node.extraConfigFile("securityconfig/roles.yml", file("src/test/resources/security/opensearch-security/roles.yml"))
+ node.extraConfigFile("securityconfig/roles_mapping.yml", file("src/test/resources/security/opensearch-security/roles_mapping.yml"))
+ node.extraConfigFile("securityconfig/tenants.yml", file("src/test/resources/security/opensearch-security/tenants.yml"))
+ node.extraConfigFile("securityconfig/whitelist.yml", file("src/test/resources/security/opensearch-security/whitelist.yml"))
 // node.setting("network.host", "0.0.0.0")
 node.setting("network.bind_host", "0.0.0.0")
 node.setting("network.publish_host", "127.0.0.1")
diff --git a/bwc-test/src/test/resources/security/securityconfig/action_groups.yml b/bwc-test/src/test/resources/security/securityconfig/action_groups.yml
new file mode 100644
index 0000000000..aac69ab8f8
--- /dev/null
+++ b/bwc-test/src/test/resources/security/securityconfig/action_groups.yml
@@ -0,0 +1,3 @@
+_meta:
+ type: "actiongroups"
+ config_version: 2
\ No newline at end of file
diff --git a/bwc-test/src/test/resources/security/securityconfig/allowlist.yml b/bwc-test/src/test/resources/security/securityconfig/allowlist.yml
new file mode 100644
index 0000000000..0df6c158b2
--- /dev/null
+++ b/bwc-test/src/test/resources/security/securityconfig/allowlist.yml
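Review bot: The destination names are renamed to `securityconfig/...` but every source path on the new side still reads `src/test/resources/security/opensearch-security/<name>.yml`, while the files this commit creates (see its diffstat) live under `src/test/resources/security/securityconfig/`. Unless an `opensearch-security` directory also exists in the resources, `file(...)` presumably resolves to a missing path and the nodes would be configured without the security config the commit intends to ship. Each of the ten lines should point at the created files, e.g. `node.extraConfigFile("securityconfig/config.yml", file("src/test/resources/security/securityconfig/config.yml"))`. The new `opensearch.yml.example` is not referenced by any `extraConfigFile` call here and could be left out of the test resources. The enclosing node-configuration closure begins before the hunk.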
@@ -0,0 +1,69 @@ +--- +_meta: + type: "allowlist" + config_version: 2 + +# Description: +# enabled - feature flag. +# if enabled is false, the allowlisting feature is removed. +# This is like removing the check that checks if an API is allowlisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. +# if enabled is true, then all users except SuperAdmin can access only the APIs in requests +# SuperAdmin can access all APIs. +# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: +# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. +# +# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints + +# Examples showing how to configure this yml file (make sure the _meta data from above is also there): +# Example 1: +# To enable allowlisting and allowlist GET /_cluster/settings +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# +# Example 2: +# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# +# Example 3: +# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# /_cat/nodes: +# - GET +# /_cat/shards: +# - GET +# +# Example 4: +# If you want to disable the allowlisting feature, set enabled to false. +# enabled: false +# requests: +# /_cluster/settings: +# - GET +# +#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. 
+ + +#this name must be config +config: + enabled: false + requests: + /_cluster/settings: + - GET + /_cat/nodes: + - GET \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/audit.yml b/bwc-test/src/test/resources/security/securityconfig/audit.yml new file mode 100644 index 0000000000..bf91b0dee2 --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/audit.yml 
@@ -0,0 +1,85 @@ +_meta: + type: "audit" + config_version: 2 + +config: + # enable/disable audit logging + enabled: true + + audit: + # Enable/disable REST API auditing + enable_rest: true + + # Categories to exclude from REST API auditing + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Enable/disable Transport API auditing + enable_transport: true + + # Categories to exclude from Transport API auditing + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Users to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_users: ["test-user", "employee-*"] + ignore_users: + - kibanaserver + + # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_requests: ["indices:data/read/*", "SearchRequest"] + ignore_requests: [] + + # Log individual operations in a bulk request + resolve_bulk_requests: false + + # Include the body of the request (if available) for both REST and the transport layer + log_request_body: true + + # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns + resolve_indices: true + + # Exclude sensitive headers from being included in the logs. Eg: Authorization + exclude_sensitive_headers: true + + compliance: + # enable/disable compliance + enabled: true + + # Log updates to internal security changes + internal_config: true + + # Log external config files for the node + external_config: false + + # Log only metadata of the document for read events + read_metadata_only: true + + # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: + # read_watched_fields: { + # "twitter": ["message"] + # "logs-*": ["id", "attr*"] + # } + read_watched_fields: {} + + # List of users to ignore for read events. Wildcard patterns are supported. 
Eg: + # read_ignore_users: ["test-user", "employee-*"] + read_ignore_users: + - kibanaserver + + # Log only metadata of the document for write events + write_metadata_only: true + + # Log only diffs for document updates + write_log_diffs: false + + # List of indices to watch for write events. Wildcard patterns are supported + # write_watched_indices: ["twitter", "logs-*"] + write_watched_indices: [] + + # List of users to ignore for write events. Wildcard patterns are supported. Eg: + # write_ignore_users: ["test-user", "employee-*"] + write_ignore_users: + - kibanaserver \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/config.yml b/bwc-test/src/test/resources/security/securityconfig/config.yml new file mode 100644 index 0000000000..09860931e9 --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/config.yml 
@@ -0,0 +1,247 @@ +--- + +# This is the main OpenSearch Security configuration file where authentication +# and authorization is defined. +# +# You need to configure at least one authentication domain in the authc of this file. +# An authentication domain is responsible for extracting the user credentials from +# the request and for validating them against an authentication backend like Active Directory for example. +# +# If more than one authentication domain is configured the first one which succeeds wins. +# If all authentication domains fail then the request is unauthenticated. +# In this case an exception is thrown and/or the HTTP status is set to 401. +# +# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect +# the roles from a given backend for the authenticated user. +# +# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. +# http_enabled: true +# transport_enabled: true +# +# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to +# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. +# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous" +# and one role named "anonymous_backendrole". +# If you enable anonymous authentication all HTTP authenticators will not challenge. +# +# +# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" +# first and the challenging one last. +# Because it's not possible to challenge a client with two different authentication methods (for example +# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation +# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. 
+# +# Default value of the challenge flag is true. +# +# +# HTTP +# basic (challenging) +# proxy (not challenging, needs xff) +# kerberos (challenging) +# clientcert (not challenging, needs https) +# jwt (not challenging) +# host (not challenging) #DEPRECATED, will be removed in a future version. +# host based authentication is configurable in roles_mapping + +# Authc +# internal +# noop +# ldap + +# Authz +# ldap +# noop + + + +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + #kibana: + # Kibana multitenancy + #multitenancy_enabled: true + #server_username: kibanaserver + #index: '.kibana' + http: + anonymous_auth_enabled: false + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + type: noop + basic_internal_auth_domain: + 
description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + roles_key: null + subject_key: null + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + 
usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) 
+ resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap + #config goes here ... + # auth_failure_listeners: + # ip_rate_limiting: + # type: ip + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 + # internal_authentication_backend_limiting: + # type: username + # authentication_backend: intern + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/internal_users.yml b/bwc-test/src/test/resources/security/securityconfig/internal_users.yml new file mode 100644 index 0000000000..e1cff5c277 --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/internal_users.yml 
@@ -0,0 +1,68 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +craig: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + reserved: true + description: "Demo craig user" + +anomalyadmin: + hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." + reserved: false + opendistro_security_roles: + - "anomaly_full_access" + description: "Demo anomaly admin user, using internal role" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo OpenSearch Dashboards user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo OpenSearch Dashboards read only user, using external role mapping" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user, using external role mapping" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user, using external role mapping" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user, using external role mapping" \ No newline at end of file 
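Review bot: The `craig` entry reuses the `admin` user's bcrypt hash verbatim, is marked `reserved: true`, carries no `backend_roles` or `opendistro_security_roles`, and its description (`"Demo craig user"`) does not say what the BWC suite needs it for. If it is a local debugging aid it should be removed from the fixture; if a test depends on it, a comment above the entry naming that test and a hash that is not shared with the admin account would make the file self-explanatory. Sharing one hash between two accounts also means the two users cannot be told apart by credential, which is worth avoiding even in a test-only user database.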
diff --git a/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml b/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml new file mode 100644 index 0000000000..208169527c --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml @@ -0,0 +1,8 @@ +_meta: + type: "nodesdn" + config_version: 2 + +# Define nodesdn mapping name and corresponding values +# cluster1: +# nodes_dn: +# - CN=*.example.com \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example b/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example new file mode 100644 index 0000000000..ef6985521f --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example 
@@ -0,0 +1,228 @@ +############## OpenSearch Security configuration ############### + +########################################################### +# Add the following settings to your standard opensearch.yml +# alongside with the OpenSearch Security TLS settings. +# Settings must always be the same on all nodes in the cluster. + +############## Common configuration settings ############## + +# Specify a list of DNs which denote the other nodes in the cluster. +# This settings support wildcards and regular expressions +# The list of DNs are also read from security index **in addition** to the yml configuration if +# plugins.security.nodes_dn_dynamic_config_enabled is true. +# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. +plugins.security.nodes_dn: + - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE" + - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" + +# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to +# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured +# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs +# which provide means to update/retrieve nodesdn dynamically. +# +# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored +# in security index. +# (default: false) +# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. 
+plugins.security.nodes_dn_dynamic_config_enabled: false + +# Defines the DNs (distinguished names) of certificates +# to which admin privileges should be assigned (mandatory) +plugins.security.authcz.admin_dn: + - "CN=kirk,OU=client,O=client,l=tEst, C=De" + +# Define how backend roles should be mapped to Security roles +# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default) +# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect. +# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition +plugins.security.roles_mapping_resolution: MAPPING_ONLY + +############## REST Management API configuration settings ############## +# Enable or disable role based access to the REST management API +# Default is that no role is allowed to access the REST management API. +#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"] + +# Disable particular endpoints and their HTTP methods for roles. +# By default all endpoints/methods are allowed. 
+#plugins.security.restapi.endpoints_disabled..: +# Example: +#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"] +#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"] + +# The following endpoints exist: +# ACTIONGROUPS +# CACHE +# CONFIG +# ROLES +# ROLESMAPPING +# INTERNALUSERS +# SYSTEMINFO +# PERMISSIONSINFO + +############## Auditlog configuration settings ############## +# General settings + +# Enable/disable rest request logging (default: true) +#plugins.security.audit.enable_rest: true +# Enable/disable transport request logging (default: false) +#plugins.security.audit.enable_transport: false +# Enable/disable bulk request logging (default: false) +# If enabled all subrequests in bulk requests will be logged too +#plugins.security.audit.resolve_bulk_requests: false +# Disable some categories +#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"] +# Disable some requests (wildcard or regex of actions or rest request paths) +#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"] +# Tune threadpool size, default is 10 +#plugins.security.audit.threadpool.size: 10 +# Tune threadpool max size queue length, default is 100000 +#plugins.security.audit.threadpool.max_queue_len: 100000 + +# Ignore users, e.g. 
do not log audit requests from that users (default: no ignored users) +#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']" + +# Destination of the auditlog events +plugins.security.audit.type: internal_opensearch +#plugins.security.audit.type: external_opensearch +#plugins.security.audit.type: debug +#plugins.security.audit.type: webhook + +# external_opensearch settings +#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" +# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6') +#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly +#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly +#plugins.security.audit.config.type: auditlog +#plugins.security.audit.config.username: auditloguser +#plugins.security.audit.config.password: auditlogpassword +#plugins.security.audit.config.enable_ssl: false +#plugins.security.audit.config.verify_hostnames: false +#plugins.security.audit.config.enable_ssl_client_auth: false +#plugins.security.audit.config.cert_alias: mycert +#plugins.security.audit.config.pemkey_filepath: key.pem +#plugins.security.audit.config.pemkey_content: <...pem base 64 content> +#plugins.security.audit.config.pemkey_password: secret +#plugins.security.audit.config.pemcert_filepath: cert.pem +#plugins.security.audit.config.pemcert_content: <...pem base 64 content> +#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem +#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content> + +# webhook settings +#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint" +# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK +#plugins.security.audit.config.webhook.format: JSON +#plugins.security.audit.config.webhook.ssl.verify: false 
+#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem +#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content> + +# log4j settings +#plugins.security.audit.config.log4j.logger_name: auditlogger +#plugins.security.audit.config.log4j.level: INFO + +############## Kerberos configuration settings ############## +# If Kerberos authentication should be used you have to configure: + +# The Path to the krb5.conf file +# Can be absolute or relative to the OpenSearch config directory +#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' + +# The Path to the keytab where the acceptor_principal credentials are stored. +# Must be relative to the OpenSearch config directory +#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab' + +# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file +#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' + +############## Advanced configuration settings ############## +# Enable transport layer impersonation +# Allow DNs (distinguished names) to impersonate as other users +#plugins.security.authcz.impersonation_dn: +# "CN=spock,OU=client,O=client,L=Test,C=DE": +# - worf +# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": +# - user2 +# - user1 + +# Enable rest layer impersonation +# Allow users to impersonate as other users +#plugins.security.authcz.rest_impersonation_user: +# "picard": +# - worf +# "john": +# - steve +# - martin + +# If this is set to true OpenSearch Security will automatically initialize the configuration index +# with the files in the config directory if the index does not exist. +# WARNING: This will use well-known default passwords. +# Use only in a private network/environment. +#plugins.security.allow_default_init_securityindex: false + +# If this is set to true then allow to startup with demo certificates. +# These are certificates issued by floragunn GmbH for demo purposes. 
+# WARNING: This certificates are well known and therefore unsafe +# Use only in a private network/environment. +#plugins.security.allow_unsafe_democertificates: false + + + +# Password strength rules for password complexity. +# If you want to set up password strength rules for internal users, you can use the below settings for it. +# Password validation rules can be configured through regex. In the below regex example, a user must need +# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character. +# And a custom error message can be configured, in case if a password is not created according to the password strength rule. +# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' +# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character." + + +############## Expert settings ############## +# WARNING: Expert settings, do only use if you know what you are doing +# If you set wrong values here this this could be a security risk +# or make OpenSearch Security stop working + +# Name of the index where .opendistro_security stores its configuration. + +#plugins.security.config_index_name: .opendistro_security + +# This defines the OID of server node certificates +#plugins.security.cert.oid: '1.2.3.4.5.5' + +# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator +# that is used to determine inter-cluster request. 
+# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument +# constructor that takes an org.opensearch.common.settings.Settings +#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator + +# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore', +# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored. +# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'. +# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted. +# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index +# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted. +#plugins.security.enable_snapshot_restore_privilege: true +#plugins.security.check_snapshot_restore_write_privileges: true + +# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60) +#plugins.security.cache.ttl_minutes: 60 + +# Disable OpenSearch Security +# WARNING: This can expose your configuration (including passwords) to the public. +#plugins.security.disabled: false + + +# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role +# to be visible, listed in the plugins.security.protected_indices.roles setting. +# Enable protected indices +# plugins.security.protected_indices.enabled: true +# Specify a list of roles a user must be member of to touch any protected index. +# plugins.security.protected_indices.roles: ['all_access'] +# Specify a list of indices to mark as protected. 
These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# plugins.security.protected_indices.indices: [] + +# System indices are similar to security index, except the contents are not encrypted. +# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices. +# Enable system indices +# plugins.security.system_indices.enabled: true +# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store'] \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/roles.yml b/bwc-test/src/test/resources/security/securityconfig/roles.yml new file mode 100644 index 0000000000..147edb4e52 --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/roles.yml 
@@ -0,0 +1,308 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + + +employee: + cluster_permissions: + - 'cluster_all' + index_permissions: + - index_patterns: + - 'emp*' + allowed_actions: + - 'read' + dls: '{"bool": {"should": [{"match": {"state": "NY"}}, {"match": {"state": "MA"}}, {"match": {"state": "CA"}}]}}' + - index_patterns: + - 'employee*' + allowed_actions: + - 'read' + dls: '{"bool": {"should": [{"match": {"state": "NY"}}, {"match": {"state": "TX"}}, {"match": {"state": "WA"}}]}}' + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + - 'cluster:admin/opensearch/alerting/findings/get' + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + - 'cluster:admin/opensearch/alerting/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 
'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + +# Allows users to read observability objects +observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all Observability functionality +observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to read and download Reports and 
Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + +# Allows user to use all index_management actions - ism policies, rollups, transforms +index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + - "cluster:admin/opensearch/notifications/feature/publish" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + +# Allows users to use all cross cluster replication functionality at leader cluster 
+cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + +# Allows users to use all cross cluster replication functionality at follower cluster +cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + +# Allow users to read ML stats/models/tasks +ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/stats/nodes' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + +# Allows users to use all ML functionality +ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + +# Allows users to use all Notifications functionality +notifications_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/*' + +# Allows users to read Notifications config/channels +notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 
'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + +# Allows users to use all snapshot management functionality +snapshot_management_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + - 'cluster:admin/repository/*' + - 'cluster:admin/snapshot/*' + +# Allows users to see snapshots, repositories, and snapshot management policies +snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + +# Allows user to use point in time functionality +point_in_time_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'manage_point_in_time' + +# Allows users to see security analytics detectors and others +security_analytics_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/detector/get' + - 'cluster:admin/opensearch/securityanalytics/detector/search' + - 'cluster:admin/opensearch/securityanalytics/findings/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' + - 'cluster:admin/opensearch/securityanalytics/rule/get' + - 'cluster:admin/opensearch/securityanalytics/rule/search' + +# Allows users to use all security analytics functionality +security_analytics_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/detector/*' + - 'cluster:admin/opensearch/securityanalytics/findings/*' + - 
'cluster:admin/opensearch/securityanalytics/mapping/*' + - 'cluster:admin/opensearch/securityanalytics/rule/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/get' + +# Allows users to view and acknowledge alerts +security_analytics_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml b/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml new file mode 100644 index 0000000000..f93ad6f0ef --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml @@ -0,0 +1,54 @@ +--- +# In this file users, backendroles and hosts can be mapped to Security roles. +# Permissions for OpenSearch roles are configured in roles.yml + +_meta: + type: "rolesmapping" + config_version: 2 + +# Define your roles mapping here + +## Demo roles mapping + +all_access: + reserved: false + backend_roles: + - "admin" + description: "Maps admin to all_access" + +employee: + reserved: false + users: + - "craig" + +own_index: + reserved: false + users: + - "*" + description: "Allow full access to an index named like the username" + +logstash: + reserved: false + backend_roles: + - "logstash" + +kibana_user: + reserved: false + backend_roles: + - "kibanauser" + description: "Maps kibanauser to kibana_user" + +readall: + reserved: false + backend_roles: + - "readall" + +manage_snapshots: + reserved: false + backend_roles: + - "snapshotrestore" + +kibana_server: + reserved: true + users: + - "kibanaserver" \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/tenants.yml b/bwc-test/src/test/resources/security/securityconfig/tenants.yml new file mode 100644 index 0000000000..dbd0e22baa --- /dev/null +++ b/bwc-test/src/test/resources/security/securityconfig/tenants.yml 
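Review bot: The `employee` role added in roles.yml grants `cluster_all` while its index permissions are deliberately narrowed to `read` with DLS filters on `emp*` and `employee*`; a cluster-wide admin grant undercuts what otherwise reads as a least-privilege fixture, and `cluster_monitor` (already used by the reserved roles in the same file) would most likely suffice for a read-only user. It is the only non-reserved role in the file and roles_mapping.yml binds it to a single named user, so a one-line comment stating which BWC scenario it exercises (e.g. `# non-reserved DLS role: verifies custom roles and mappings survive the upgrade`) would tell the next maintainer why it exists and why the DLS query is what it is. The same question applies to the `employee` entry in the roles_mapping.yml hunk below.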
@@ -0,0 +1,11 @@
+---
+_meta:
+ type: "tenants"
+ config_version: 2
+
+# Define your tenants here
+
+## Demo tenants
+admin_tenant:
+ reserved: false
+ description: "Demo tenant for admin user"
\ No newline at end of file
diff --git a/bwc-test/src/test/resources/security/securityconfig/whitelist.yml b/bwc-test/src/test/resources/security/securityconfig/whitelist.yml
new file mode 100644
index 0000000000..5253f43886
--- /dev/null
+++ b/bwc-test/src/test/resources/security/securityconfig/whitelist.yml
@@ -0,0 +1,69 @@ +--- +_meta: + type: "whitelist" + config_version: 2 + +# Description: +# enabled - feature flag. +# if enabled is false, the whitelisting feature is removed. +# This is like removing the check that checks if an API is whitelisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting. +# if enabled is true, then all users except SuperAdmin can access only the APIs in requests +# SuperAdmin can access all APIs. +# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: +# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. +# +# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints + +# Examples showing how to configure this yml file (make sure the _meta data from above is also there): +# Example 1: +# To enable whitelisting and whitelist GET /_cluster/settings +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# +# Example 2: +# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT): +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# +# Example 3: +# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# /_cat/nodes: +# - GET +# /_cat/shards: +# - GET +# +# Example 4: +# If you want to disable the whitelisting feature, set enabled to false. +# enabled: false +# requests: +# /_cluster/settings: +# - GET +# +#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant. 
+
+
+#this name must be config
+config:
+ enabled: false
+ requests:
+ /_cluster/settings:
+ - GET
+ /_cat/nodes:
+ - GET
\ No newline at end of file
From 62fc4a1cd862fd55968e9f45ff403c21a1ae9a58 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 28 Aug 2023 11:37:06 -0400
Subject: [PATCH 16/28] Update path
Signed-off-by: Craig Perkins
---
 bwc-test/build.gradle | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index c26df3f116..50175acbaf 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -125,16 +125,16 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
 node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
- node.extraConfigFile("securityconfig/action_groups.yml", file("src/test/resources/security/opensearch-security/action_groups.yml"))
- node.extraConfigFile("securityconfig/allowlist.yml", file("src/test/resources/security/opensearch-security/allowlist.yml"))
- node.extraConfigFile("securityconfig/audit.yml", file("src/test/resources/security/opensearch-security/audit.yml"))
- node.extraConfigFile("securityconfig/config.yml", file("src/test/resources/security/opensearch-security/config.yml"))
- node.extraConfigFile("securityconfig/internal_users.yml", file("src/test/resources/security/opensearch-security/internal_users.yml"))
- node.extraConfigFile("securityconfig/nodes_dn.yml", file("src/test/resources/security/opensearch-security/nodes_dn.yml"))
- node.extraConfigFile("securityconfig/roles.yml", file("src/test/resources/security/opensearch-security/roles.yml"))
- node.extraConfigFile("securityconfig/roles_mapping.yml", file("src/test/resources/security/opensearch-security/roles_mapping.yml"))
- node.extraConfigFile("securityconfig/tenants.yml", file("src/test/resources/security/opensearch-security/tenants.yml"))
- node.extraConfigFile("securityconfig/whitelist.yml", file("src/test/resources/security/opensearch-security/whitelist.yml"))
+ node.extraConfigFile("opensearch-security/action_groups.yml", file("src/test/resources/security/securityconfig/action_groups.yml"))
+ node.extraConfigFile("opensearch-security/allowlist.yml", file("src/test/resources/security/securityconfig/allowlist.yml"))
+ node.extraConfigFile("opensearch-security/audit.yml", file("src/test/resources/security/securityconfig/audit.yml"))
+ node.extraConfigFile("opensearch-security/config.yml", file("src/test/resources/security/securityconfig/config.yml"))
+ node.extraConfigFile("opensearch-security/internal_users.yml", file("src/test/resources/security/securityconfig/internal_users.yml"))
+ node.extraConfigFile("opensearch-security/nodes_dn.yml", file("src/test/resources/security/securityconfig/nodes_dn.yml"))
+ node.extraConfigFile("opensearch-security/roles.yml", file("src/test/resources/security/securityconfig/roles.yml"))
+ node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/securityconfig/roles_mapping.yml"))
+ node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/securityconfig/tenants.yml"))
+ node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/securityconfig/whitelist.yml"))
 // node.setting("network.host", "0.0.0.0")
 node.setting("network.bind_host", "0.0.0.0")
 node.setting("network.publish_host", "127.0.0.1")
From c04201c9b092d1de007be8781d3ed0372ae16d80 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 28 Aug 2023 14:25:06 -0400
Subject: [PATCH 17/28] Show bwc tests working with security plugin enabled
Signed-off-by: Craig Perkins
---
 bwc-test/build.gradle | 11 ++-
 .../SecurityBackwardsCompatibilityIT.java | 72 ++++++++++++++++---
 .../sanity/tests/SecurityRestTestCase.java | 2 +-
 3 files changed, 67 insertions(+), 18 deletions(-)
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index 50175acbaf..e983a63511 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -44,7 +44,7 @@ ext {
 buildscript {
 ext {
- opensearch_version = System.getProperty("opensearch.version", "2.9.0-SNAPSHOT")
+ opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT")
 opensearch_group = "org.opensearch"
 common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
 }
@@ -135,21 +135,20 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/securityconfig/roles_mapping.yml"))
 node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/securityconfig/tenants.yml"))
 node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/securityconfig/whitelist.yml"))
- // node.setting("network.host", "0.0.0.0")
- node.setting("network.bind_host", "0.0.0.0")
+ node.setting("network.bind_host", "127.0.0.1")
 node.setting("network.publish_host", "127.0.0.1")
- // node.setting("transport.publish_address", "0.0.0.0")
 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
 node.setting("plugins.security.ssl.transport.enforce_hostname_verification", "false")
- node.setting("plugins.security.ssl.http.enabled", "false")
+ node.setting("plugins.security.ssl.http.enabled", "true")
 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.http.pemtrustedcas_filepath", "root-ca.pem")
+ // node.setting("plugins.security.ssl.http.truststore_filepath", "truststore.jks")
+ // node.setting("plugins.security.ssl.http.truststore_password", "password")
 node.setting("plugins.security.allow_unsafe_democertificates", "true")
 node.setting("plugins.security.allow_default_init_securityindex", "true")
-// node.setting("plugins.security.nodes_dn", "\"*\"")
 node.setting("plugins.security.authcz.admin_dn", "\"CN=kirk,OU=client,O=client,L=test,C=de\"")
 node.setting("plugins.security.audit.type", "internal_opensearch")
 node.setting("plugins.security.enable_snapshot_restore_privilege", "true")
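Review bot: The two commented-out `plugins.security.ssl.http.truststore_filepath` / `truststore_password` lines added under the pem settings are dead configuration; either delete them or replace them with a comment that says the HTTP layer is trusted via `root-ca.pem`, because a reader cannot tell whether the JKS variant is planned or abandoned. With `plugins.security.ssl.http.enabled` now `true`, the REST client has to trust the issuer of `esnode.pem`, and nothing in this block says where that client-side trust is configured, so a short pointer would tie the two halves together. `allow_unsafe_democertificates` and `allow_default_init_securityindex` stay `true`, which is acceptable for an ephemeral BWC cluster but deserves a one-line comment such as `// demo certs + default index init are for this throwaway BWC cluster only` so the block is not copied into a non-test setup. The node-configuration closure this sits in starts before the hunk.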
diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
index 91d5cc64d2..c0bf8c3907 100644
--- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
+++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
@@ -10,13 +10,25 @@ import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
+import org.apache.http.Header;
 import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.junit.Assume;
 import org.junit.Before;
+import org.opensearch.client.Request;
+import org.opensearch.client.WarningFailureException;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 import org.opensearch.Version;
@@ -25,8 +37,14 @@ import static org.hamcrest.Matchers.hasItem;
 import org.opensearch.client.RestClient;
+import org.opensearch.client.RestClientBuilder;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
+import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_PER_ROUTE;
+import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_TOTAL;
+
+import org.opensearch.common.unit.TimeValue;
+
 public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase {
 private ClusterType CLUSTER_TYPE;
@@ -40,6 +58,10 @@ private void testSetup() {
 CLUSTER_NAME = System.getProperty("tests.clustername");
 }
+ @Override
+ protected final boolean preserveClusterUponCompletion() {
+ return true;
+ }
 @Override
 protected final boolean preserveIndicesUponCompletion() {
 return true;
@@ -63,22 +85,50 @@ protected String getProtocol() {
 @Override
 protected final Settings restClientSettings() {
 return Settings.builder()
- .put(super.restClientSettings())
- // increase the timeout here to 90 seconds to handle long waits for a green
- // cluster health. the waits for green need to be longer than a minute to
- // account for delayed shards
- .put(OpenSearchRestTestCase.CLIENT_SOCKET_TIMEOUT, "90s")
- .build();
+ .put(super.restClientSettings())
+ // increase the timeout here to 90 seconds to handle long waits for a green
+ // cluster health. the waits for green need to be longer than a minute to
+ // account for delayed shards
+ .put(OpenSearchRestTestCase.CLIENT_SOCKET_TIMEOUT, "90s")
+ .build();
 }
 @Override
 protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
- String userName = System.getProperty("tests.opensearch.username");
- String password = System.getProperty("tests.opensearch.password");
+ RestClientBuilder builder = RestClient.builder(hosts);
+ configureHttpsClient(builder, settings);
+ boolean strictDeprecationMode = settings.getAsBoolean("strictDeprecationMode", true);
+ builder.setStrictDeprecationMode(strictDeprecationMode);
+ return builder.build();
+ }
- return new SecureRestClientBuilder(hosts, true, userName, password).setSocketTimeout(60000)
- .setConnectionRequestTimeout(180000)
- .build();
+ protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException {
+ Map headers = ThreadContext.buildDefaultHeaders(settings);
+ Header[] defaultHeaders = new Header[headers.size()];
+ int i = 0;
+ for (Map.Entry entry : headers.entrySet()) {
+ defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue());
+ }
+ builder.setDefaultHeaders(defaultHeaders);
+ builder.setHttpClientConfigCallback(httpClientBuilder -> {
+ String userName = Optional.ofNullable(System.getProperty("tests.opensearch.username"))
+ .orElseThrow(() -> new RuntimeException("user name is missing"));
+ String password = Optional.ofNullable(System.getProperty("tests.opensearch.password"))
+ .orElseThrow(() -> new RuntimeException("password is missing"));
+ CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+ credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
+ try {
+ return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)
+ // disable the certificate since our testing cluster just uses the default security configuration
+ .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+ .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build());
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ });
+
+ // final TimeValue socketTimeout = TimeValue.parseTimeValue("60s");
+ // builder.setRequestConfigCallback(conf -> conf.setSocketTimeout(Math.toIntExact(socketTimeout.getMillis())));
 }
 public void testBasicBackwardsCompatibility() throws Exception {
diff --git a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
index 8035ca641c..d8be588cd3 100644
--- a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
+++ b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
@@ -76,7 +76,7 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE
 if (keystore != null) {
 // create adminDN (super-admin) client
- File file = new File(getClass().getClassLoader().getResource(CERT_FILE_DIRECTORY).getFile());
+ File file = new File(getClass().getClassLoader().getResource(CERT_FILE_DIRECTORY).getFile().);
 Path configPath = PathUtils.get(file.toURI()).getParent().toAbsolutePath();
 return new SecureRestClientBuilder(settings, configPath).setSocketTimeout(60000).build();
 }
From c9ed63e2c41d31648d40e52df32449c2bac64c9b Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 28 Aug 2023 14:34:11 -0400
Subject: [PATCH 18/28] Remove added period by mistake
Signed-off-by: Craig Perkins
---
 .../opensearch/security/sanity/tests/SecurityRestTestCase.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
index d8be588cd3..8035ca641c 100644
--- a/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
+++ b/src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
@@ -76,7 +76,7 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE
 if (keystore != null) {
 // create adminDN (super-admin) client
- File file = new File(getClass().getClassLoader().getResource(CERT_FILE_DIRECTORY).getFile().);
+ File file = new File(getClass().getClassLoader().getResource(CERT_FILE_DIRECTORY).getFile());
 Path configPath = PathUtils.get(file.toURI()).getParent().toAbsolutePath();
 return new SecureRestClientBuilder(settings, configPath).setSocketTimeout(60000).build();
 }
From d5255cd932891a29ebb8cf7434031e10e298f1b0 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 28 Aug 2023 15:02:26 -0400
Subject: [PATCH 19/28] Run spotlessApply
Signed-off-by: Craig Perkins
---
 .github/actions/run-bwc-suite/action.yaml | 2 +-
 .../SecurityBackwardsCompatibilityIT.java | 31 +++++++-----------
 .../security/securityconfig/action_groups.yml | 2 +-
 .../security/securityconfig/allowlist.yml | 2 +-
 .../security/securityconfig/audit.yml | 2 +-
 .../security/securityconfig/config.yml | 2 +-
 .../securityconfig/internal_users.yml | 2 +-
 .../security/securityconfig/nodes_dn.yml | 2 +-
 .../security/securityconfig/roles.yml | 2 +-
 .../security/securityconfig/roles_mapping.yml | 2 +-
 .../security/securityconfig/tenants.yml | 2 +-
 .../security/securityconfig/whitelist.yml | 2 +-
 .../test/resources/security/truststore.jks | Bin 0 -> 3890 bytes
 13 files changed, 23 insertions(+), 30 deletions(-)
 create mode 100644 bwc-test/src/test/resources/security/truststore.jks
diff --git a/.github/actions/run-bwc-suite/action.yaml b/.github/actions/run-bwc-suite/action.yaml
index 68f742b071..abc73627e5 100644
--- a/.github/actions/run-bwc-suite/action.yaml
+++ b/.github/actions/run-bwc-suite/action.yaml
@@ -37,7 +37,7 @@ runs:
 -Dtests.security.manager=false
 -Dtests.opensearch.secure=true
 -Dtests.opensearch.username=admin
- -Dtests.opensearch.password=admin
+ -Dtests.opensearch.password=admin
 -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }}
 -Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i
 build-root-directory: bwc-test
diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
index c0bf8c3907..12e44abe86 100644
--- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
+++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
@@ -25,8 +25,6 @@ import org.apache.http.ssl.SSLContextBuilder;
 import org.junit.Assume;
 import org.junit.Before;
-import org.opensearch.client.Request;
-import org.opensearch.client.WarningFailureException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
@@ -38,12 +36,6 @@ import org.opensearch.client.RestClient;
 import org.opensearch.client.RestClientBuilder;
-import org.opensearch.commons.rest.SecureRestClientBuilder;
-
-import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_PER_ROUTE;
-import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_TOTAL;
-
-import org.opensearch.common.unit.TimeValue;
 public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase {
@@ -62,6 +54,7 @@ private void testSetup() {
 protected final boolean preserveClusterUponCompletion() {
 return true;
 }
+
 @Override
 protected final boolean preserveIndicesUponCompletion() {
 return true;
@@ -85,12 +78,12 @@ protected String getProtocol() {
 @Override
 protected final Settings restClientSettings() {
 return Settings.builder()
- .put(super.restClientSettings())
- // increase the timeout here to 90 seconds to handle long waits for a green
- // cluster health. the waits for green need to be longer than a minute to
- // account for delayed shards
- .put(OpenSearchRestTestCase.CLIENT_SOCKET_TIMEOUT, "90s")
- .build();
+ .put(super.restClientSettings())
+ // increase the timeout here to 90 seconds to handle long waits for a green
+ // cluster health. the waits for green need to be longer than a minute to
+ // account for delayed shards
+ .put(OpenSearchRestTestCase.CLIENT_SOCKET_TIMEOUT, "90s")
+ .build();
 }
 @Override
@@ -112,16 +105,16 @@ protected static void configureHttpsClient(RestClientBuilder builder, Settings s
 builder.setDefaultHeaders(defaultHeaders);
 builder.setHttpClientConfigCallback(httpClientBuilder -> {
 String userName = Optional.ofNullable(System.getProperty("tests.opensearch.username"))
- .orElseThrow(() -> new RuntimeException("user name is missing"));
+ .orElseThrow(() -> new RuntimeException("user name is missing"));
 String password = Optional.ofNullable(System.getProperty("tests.opensearch.password"))
- .orElseThrow(() -> new RuntimeException("password is missing"));
+ .orElseThrow(() -> new RuntimeException("password is missing"));
 CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
 credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
 try {
 return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)
- // disable the certificate since our testing cluster just uses the default security configuration
- .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
- .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build());
+ // disable the certificate since our testing cluster just uses the default security configuration
+ .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+ .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build());
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
diff --git a/bwc-test/src/test/resources/security/securityconfig/action_groups.yml b/bwc-test/src/test/resources/security/securityconfig/action_groups.yml
index aac69ab8f8..7c40612b83 100644
--- a/bwc-test/src/test/resources/security/securityconfig/action_groups.yml
+++ b/bwc-test/src/test/resources/security/securityconfig/action_groups.yml
@@ -1,3 +1,3 @@
 _meta:
 type: "actiongroups"
- config_version: 2
\ No newline at end of file
+ config_version: 2
diff --git a/bwc-test/src/test/resources/security/securityconfig/allowlist.yml b/bwc-test/src/test/resources/security/securityconfig/allowlist.yml index 0df6c158b2..e669557d7e 100644 --- a/bwc-test/src/test/resources/security/securityconfig/allowlist.yml +++ b/bwc-test/src/test/resources/security/securityconfig/allowlist.yml @@ -66,4 +66,4 @@ config: /_cluster/settings: - GET /_cat/nodes: - - GET \ No newline at end of file + - GET diff --git a/bwc-test/src/test/resources/security/securityconfig/audit.yml b/bwc-test/src/test/resources/security/securityconfig/audit.yml index bf91b0dee2..dcfbad8dd7 100644 --- a/bwc-test/src/test/resources/security/securityconfig/audit.yml +++ b/bwc-test/src/test/resources/security/securityconfig/audit.yml @@ -82,4 +82,4 @@ config: # List of users to ignore for write events. Wildcard patterns are supported. Eg: # write_ignore_users: ["test-user", "employee-*"] write_ignore_users: - - kibanaserver \ No newline at end of file + - kibanaserver diff --git a/bwc-test/src/test/resources/security/securityconfig/config.yml b/bwc-test/src/test/resources/security/securityconfig/config.yml index 09860931e9..59f5f05352 100644 --- a/bwc-test/src/test/resources/security/securityconfig/config.yml +++ b/bwc-test/src/test/resources/security/securityconfig/config.yml @@ -244,4 +244,4 @@ config: # time_window_seconds: 3600 # block_expiry_seconds: 600 # max_blocked_clients: 100000 - # max_tracked_clients: 100000 \ No newline at end of file + # max_tracked_clients: 100000 diff --git a/bwc-test/src/test/resources/security/securityconfig/internal_users.yml b/bwc-test/src/test/resources/security/securityconfig/internal_users.yml index e1cff5c277..2b77f3c58d 100644 --- a/bwc-test/src/test/resources/security/securityconfig/internal_users.yml +++ b/bwc-test/src/test/resources/security/securityconfig/internal_users.yml 
@@ -65,4 +65,4 @@ snapshotrestore: reserved: false backend_roles: - "snapshotrestore" - description: "Demo snapshotrestore user, using external role mapping" \ No newline at end of file + description: "Demo snapshotrestore user, using external role mapping" diff --git a/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml b/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml index 208169527c..7f8304cf0d 100644 --- a/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml +++ b/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml @@ -5,4 +5,4 @@ _meta: # Define nodesdn mapping name and corresponding values # cluster1: # nodes_dn: -# - CN=*.example.com \ No newline at end of file +# - CN=*.example.com diff --git a/bwc-test/src/test/resources/security/securityconfig/roles.yml b/bwc-test/src/test/resources/security/securityconfig/roles.yml index 147edb4e52..01dc60d48d 100644 --- a/bwc-test/src/test/resources/security/securityconfig/roles.yml +++ b/bwc-test/src/test/resources/security/securityconfig/roles.yml @@ -305,4 +305,4 @@ security_analytics_full_access: security_analytics_ack_alerts: reserved: true cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/*' \ No newline at end of file + - 'cluster:admin/opensearch/securityanalytics/alerts/*' diff --git a/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml b/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml index f93ad6f0ef..650b52230b 100644 --- a/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml +++ b/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml @@ -51,4 +51,4 @@ manage_snapshots: kibana_server: reserved: true users: - - "kibanaserver" \ No newline at end of file + - "kibanaserver" diff --git a/bwc-test/src/test/resources/security/securityconfig/tenants.yml b/bwc-test/src/test/resources/security/securityconfig/tenants.yml index dbd0e22baa..04104dce00 100644 
--- a/bwc-test/src/test/resources/security/securityconfig/tenants.yml +++ b/bwc-test/src/test/resources/security/securityconfig/tenants.yml @@ -8,4 +8,4 @@ _meta: ## Demo tenants admin_tenant: reserved: false - description: "Demo tenant for admin user" \ No newline at end of file + description: "Demo tenant for admin user" diff --git a/bwc-test/src/test/resources/security/securityconfig/whitelist.yml b/bwc-test/src/test/resources/security/securityconfig/whitelist.yml index 5253f43886..1d54ff841a 100644 --- a/bwc-test/src/test/resources/security/securityconfig/whitelist.yml +++ b/bwc-test/src/test/resources/security/securityconfig/whitelist.yml @@ -66,4 +66,4 @@ config: /_cluster/settings: - GET /_cat/nodes: - - GET \ No newline at end of file + - GET 
diff --git a/bwc-test/src/test/resources/security/truststore.jks b/bwc-test/src/test/resources/security/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..9f6d716d19399e25a5583fa06b4b9dfecc764ee2 GIT binary patch literal 3890 zcma)9S5OlSvn3Ep=pck5B}zn!Kq5#HP?|I;N)5dT(nNaip?8pkq9UMz5$PQQ5_&IU z2w*@!igf89Ncg>T?|k3fr+XiEcJ`b-`?Par7lvdKCkIf#kc`t*AdxuDxDy5dHJ}j5 zH~>U4_WXrAU`R^L|Dq`KfJjR8UpVt`q*BrSkBXiaKwgNXRQd}lz@Gl2pk#oV!DRm} z>0zQkHfy2nW`n1dk_3Wt9`W9fhMB7OS>)t5naKeV7(Erue@`R_QIf%UsX(@IngB-% zAV37jY*5-cJ@S@2p~I!y`s9!AFc1kG*UoboDG}BQ)`ryWrNuknoR(MCg9xScisFA5 z>g>MW?r&zWJqk4{JA{J#3%O)GmZC?NEAZh=fIYF*P5-PI3+8^!6-UT zqWsbwE?xN9>2yv{a{lw$xF~lx$jjo^hu$B*z*xI3@K@gHce$0#5jm3TQ*kH64nZs& zb{`(ag_1j)(*thgrLLt+7V{l=Ni-&lIb`cl~EIowy;bEHO|5 zbGv4&Qs69C{b#4&jaygd?OQ#Y+Snym_5%A7q#c~j+D1-u7@@L1Z}~?M%49!TxN$dj zb#MPD&KrLtCO=;Equ!NkzBAqE+Tt!Ih=&9}$>&Q}?S7M5gLWXKP4f;OrZ^~E5lj`) z--D(I=eGNTLbBHwoPL9LTq=M^J}3)KAi#)u9r{h%pUJ-(RkC*}$m0Nc0fiDz0uSygSS zmNoAj5)W5+Ook?815GC7%Z}%=&J%sQ1&ZwIZ3Bu;+X5l(M^v=$N_C!blR9uSgsL8r z)Qz@P$m8>wz_AjwdFLw}iv?QuLm!gAE@DM2+J7p_-#8vIk=^h08=P945Qcfh4i^2a z!!ANlN{9;Dhfus&$ozp>yj>NsKY|cLCAK-Yphz0Qf{xId*{O~ZNq=VDuk3lQR7or> zeZnp=5KaR)1@)bgZqYyw#~X8RMxj}cF*v-6U7bszVvfD5ZcrnyvnyPv!8%!dENGSP$`pY7~Dw`^&Mks@kR}K*tA5 z1vWS_@86g5zJh`ZP3e?MUT&I=!zxsIvjZgt?T2zphBGTvy!HJTDeg9j{;?~^>GRWt zww*IN!RG1=nmrnrUdfhPbt+9*c!0Y*? zAqg4Qr;J2WL+r1@Ew_}9NBr?W7bOmZt}^dqtHZ&vkDwq|EXVk;mhX_9Jg$mk+@wd( z|IJi+Pc7`|IY!Il%Mk~~YDmTy!FvHV|MD|~_x?OjnfWl^>h&iI&vy=ye{o4PYte)M%N$vA03{Bl9=f@9w*;QkA3UE6fU3pHSjS z5KCwfX_~N9=K2e6koHw1ilR%guPipf46&hm91-+zZEDk_C}_%?)28@@b0%4sJbD0e zw)w-h3|s_{Tc;ohy1Wl}50mILMCvZHYtsZ52eWIpF)y8&l5Ps!k$xWGKmno^{sjGQ zRC|;88BGBd!Yoq#RxCeFK?qhuXV92nM>)FU705uYM;DBM&XocrJ>&Xq(}MVH_#OD= zq_8wuX&6me-V{d1Rkk_v?YdPqDRd=J8)v9n9(o8G0k|d8T4R;Y3=12?KhO0G>ZmSB z!4b9)~aqPA`Ii*-(DGK)&Xg(DRPgIlgehu>@N zX6-%B_?>vDw6B6ob7FtCyU6CbP66SybH)lP3u6>j?BtXSb-i9@7Ns~@-6_%4h8zr? 
zL7S9*sCcdQU$j_w%(o4=s~@(jL_JzK+Z1~yeIPt8lXN@UWfaDa&X z2a=mH1(*j{%~Q!uED(F(B1VG=J~a4>RGnI!6PAjYi>{Wx z71{tXusfjDdoOXB0|izD@Z8xtiqDmvG89l(fm;(~UZYm<)!m+b-5f~x^QAD_W+{?K z5ZmQ;?#jvU)V8H?ykv31=hBt*{X?)w}1y@jAEHy!bkOshwJquCI@OJfR@eC zli?2B^Qv=`rNi{nSLz6epc%9Y7xS?6+(D&k49d#^Mf9Zz%+qf+VZ zZIdC7Vgcn#yqJLx*t^9kqUMI{+l@+vV0*(F6pa&~IxxJ?-S%|-tD!0)V3Fm^`YXw3 zTzL!tjWbxy3^7brsb)!{6#e*~B z?F#gk(ZU%zsg9#3KdXo`*HPPcw#vD_UrA1L*=6i4Yyr|6B7%9=_7UG2-#G;JK ztfIk_kLVus+neRz3pFztx6k*u7s@lMw@{=R?QCqJ`1 zVR0WssRVWA=+f#s<|kQqy2v-v{**i}`Z=|Rk}I=IdBRz%p|$IU2_2=aH%P5yS%MWQ zX0fb`zh`c$CAthVLj-Uv@=>VsMC^N?m-%E!6|d+xou}!6AJ!jZR~cIUibilMc$tXA z^+0$YsAmdgFO!G=br52PiI0SU^c?9xM#dySltd;n zMyf0b6vWMfA7^?FX~19bk##>TK6n+v@pp@Tv@Dsv_G?xaZ&1gIGi(^yL{HM<$UZlL z?|SXLAs~dlF2hrV3eJe;Hvxoo^XZM8PR7eLDd^l@n47YhZC@7V z1DTLkbNl3#ZvbkSlN0$`o0fWqHUQMTL9kHQSfZZywSB>wd3f|N$85`Gj^mUimM z-zcvaedW=m0-rUp(|EUf&dAgA_0swwQC)FVpsw&nZDHg5BQ)(}Ru4|^FpBATqYqPa zk40CLpB(J#)dig1BvA7HI{qbWm3usuki+_yY9h59d38H fTLIZLb*XNHT%_A$q6BZ?q-6d1FM#d;bprhdG9FpL literal 0 HcmV?d00001 From dc4ed6270dba79ae29d6ccab35a6c15da3372690 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 09:58:34 -0400 Subject: [PATCH 20/28] Try w/o config files 
Signed-off-by: Craig Perkins --- bwc-test/build.gradle | 10 - .../security/securityconfig/action_groups.yml | 3 - .../security/securityconfig/allowlist.yml | 69 ---- .../security/securityconfig/audit.yml | 85 ----- .../security/securityconfig/config.yml | 247 -------------- .../securityconfig/internal_users.yml | 68 ---- .../security/securityconfig/nodes_dn.yml | 8 - .../securityconfig/opensearch.yml.example | 228 ------------- .../security/securityconfig/roles.yml | 308 ------------------ .../security/securityconfig/roles_mapping.yml | 54 --- .../security/securityconfig/tenants.yml | 11 - .../security/securityconfig/whitelist.yml | 69 ---- 12 files changed, 1160 deletions(-) delete mode 100644 bwc-test/src/test/resources/security/securityconfig/action_groups.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/allowlist.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/audit.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/config.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/internal_users.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example delete mode 100644 bwc-test/src/test/resources/security/securityconfig/roles.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/tenants.yml delete mode 100644 bwc-test/src/test/resources/security/securityconfig/whitelist.yml diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index e983a63511..591371906d 100644 --- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle 
@@ -125,16 +125,6 @@ def String extractVersion(versionStr) { node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem")) node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem")) node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks")) - node.extraConfigFile("opensearch-security/action_groups.yml", file("src/test/resources/security/securityconfig/action_groups.yml")) - node.extraConfigFile("opensearch-security/allowlist.yml", file("src/test/resources/security/securityconfig/allowlist.yml")) - node.extraConfigFile("opensearch-security/audit.yml", file("src/test/resources/security/securityconfig/audit.yml")) - node.extraConfigFile("opensearch-security/config.yml", file("src/test/resources/security/securityconfig/config.yml")) - node.extraConfigFile("opensearch-security/internal_users.yml", file("src/test/resources/security/securityconfig/internal_users.yml")) - node.extraConfigFile("opensearch-security/nodes_dn.yml", file("src/test/resources/security/securityconfig/nodes_dn.yml")) - node.extraConfigFile("opensearch-security/roles.yml", file("src/test/resources/security/securityconfig/roles.yml")) - node.extraConfigFile("opensearch-security/roles_mapping.yml", file("src/test/resources/security/securityconfig/roles_mapping.yml")) - node.extraConfigFile("opensearch-security/tenants.yml", file("src/test/resources/security/securityconfig/tenants.yml")) - node.extraConfigFile("opensearch-security/whitelist.yml", file("src/test/resources/security/securityconfig/whitelist.yml")) node.setting("network.bind_host", "127.0.0.1") node.setting("network.publish_host", "127.0.0.1") node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem") diff --git a/bwc-test/src/test/resources/security/securityconfig/action_groups.yml b/bwc-test/src/test/resources/security/securityconfig/action_groups.yml deleted file mode 100644 index 7c40612b83..0000000000 
--- a/bwc-test/src/test/resources/security/securityconfig/action_groups.yml +++ /dev/null @@ -1,3 +0,0 @@ -_meta: - type: "actiongroups" - config_version: 2 diff --git a/bwc-test/src/test/resources/security/securityconfig/allowlist.yml b/bwc-test/src/test/resources/security/securityconfig/allowlist.yml deleted file mode 100644 index e669557d7e..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/allowlist.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -_meta: - type: "allowlist" - config_version: 2 - -# Description: -# enabled - feature flag. -# if enabled is false, the allowlisting feature is removed. -# This is like removing the check that checks if an API is allowlisted. -# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting. -# if enabled is true, then all users except SuperAdmin can access only the APIs in requests -# SuperAdmin can access all APIs. -# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: -# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. -# -# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints - -# Examples showing how to configure this yml file (make sure the _meta data from above is also there): -# Example 1: -# To enable allowlisting and allowlist GET /_cluster/settings -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# -# Example 2: -# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT): -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# - PUT -# -# Example 3: -# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# - PUT -# /_cat/nodes: -# - GET -# /_cat/shards: -# - GET -# -# Example 4: -# If you want to disable the allowlisting feature, set enabled to false. -# enabled: false -# requests: -# /_cluster/settings: -# - GET -# -#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant. - - -#this name must be config -config: - enabled: false - requests: - /_cluster/settings: - - GET - /_cat/nodes: - - GET 
diff --git a/bwc-test/src/test/resources/security/securityconfig/audit.yml b/bwc-test/src/test/resources/security/securityconfig/audit.yml deleted file mode 100644 index dcfbad8dd7..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/audit.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -_meta: - type: "audit" - config_version: 2 - -config: - # enable/disable audit logging - enabled: true - - audit: - # Enable/disable REST API auditing - enable_rest: true - - # Categories to exclude from REST API auditing - disabled_rest_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - - # Enable/disable Transport API auditing - enable_transport: true - - # Categories to exclude from Transport API auditing - disabled_transport_categories: - - AUTHENTICATED - - GRANTED_PRIVILEGES - - # Users to be excluded from auditing. Wildcard patterns are supported. Eg: - # ignore_users: ["test-user", "employee-*"] - ignore_users: - - kibanaserver - - # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: - # ignore_requests: ["indices:data/read/*", "SearchRequest"] - ignore_requests: [] - - # Log individual operations in a bulk request - resolve_bulk_requests: false - - # Include the body of the request (if available) for both REST and the transport layer - log_request_body: true - - # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns - resolve_indices: true - - # Exclude sensitive headers from being included in the logs. Eg: Authorization - exclude_sensitive_headers: true - - compliance: - # enable/disable compliance - enabled: true - - # Log updates to internal security changes - internal_config: true - - # Log external config files for the node - external_config: false - - # Log only metadata of the document for read events - read_metadata_only: true - - # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: - # read_watched_fields: { - # "twitter": ["message"] - # "logs-*": ["id", "attr*"] - # } - read_watched_fields: {} - - # List of users to ignore for read events. Wildcard patterns are supported. 
Eg: - # read_ignore_users: ["test-user", "employee-*"] - read_ignore_users: - - kibanaserver - - # Log only metadata of the document for write events - write_metadata_only: true - - # Log only diffs for document updates - write_log_diffs: false - - # List of indices to watch for write events. Wildcard patterns are supported - # write_watched_indices: ["twitter", "logs-*"] - write_watched_indices: [] - - # List of users to ignore for write events. Wildcard patterns are supported. Eg: - # write_ignore_users: ["test-user", "employee-*"] - write_ignore_users: - - kibanaserver diff --git a/bwc-test/src/test/resources/security/securityconfig/config.yml b/bwc-test/src/test/resources/security/securityconfig/config.yml deleted file mode 100644 index 59f5f05352..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/config.yml +++ /dev/null 
@@ -1,247 +0,0 @@ ---- - -# This is the main OpenSearch Security configuration file where authentication -# and authorization is defined. -# -# You need to configure at least one authentication domain in the authc of this file. -# An authentication domain is responsible for extracting the user credentials from -# the request and for validating them against an authentication backend like Active Directory for example. -# -# If more than one authentication domain is configured the first one which succeeds wins. -# If all authentication domains fail then the request is unauthenticated. -# In this case an exception is thrown and/or the HTTP status is set to 401. -# -# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect -# the roles from a given backend for the authenticated user. -# -# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. -# http_enabled: true -# transport_enabled: true -# -# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to -# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. -# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous" -# and one role named "anonymous_backendrole". -# If you enable anonymous authentication all HTTP authenticators will not challenge. -# -# -# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" -# first and the challenging one last. -# Because it's not possible to challenge a client with two different authentication methods (for example -# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation -# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. 
-# -# Default value of the challenge flag is true. -# -# -# HTTP -# basic (challenging) -# proxy (not challenging, needs xff) -# kerberos (challenging) -# clientcert (not challenging, needs https) -# jwt (not challenging) -# host (not challenging) #DEPRECATED, will be removed in a future version. -# host based authentication is configurable in roles_mapping - -# Authc -# internal -# noop -# ldap - -# Authz -# ldap -# noop - - - -_meta: - type: "config" - config_version: 2 - -config: - dynamic: - # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index - # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) - # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently - #filtered_alias_mode: warn - #do_not_fail_on_forbidden: false - #kibana: - # Kibana multitenancy - #multitenancy_enabled: true - #server_username: kibanaserver - #index: '.kibana' - http: - anonymous_auth_enabled: false - xff: - enabled: false - internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern - #internalProxies: '.*' # trust all internal proxies, regex pattern - #remoteIpHeader: 'x-forwarded-for' - ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help - ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For - ###### and here https://tools.ietf.org/html/rfc7239 - ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve - authc: - kerberos_auth_domain: - http_enabled: false - transport_enabled: false - order: 6 - http_authenticator: - type: kerberos - challenge: true - config: - # If true a lot of kerberos/security related debugging output will be logged to standard out - krb_debug: false - # If true then the realm will be stripped from the user name - strip_realm_from_principal: true - authentication_backend: - type: noop - basic_internal_auth_domain: - 
description: "Authenticate via HTTP Basic against internal users database" - http_enabled: true - transport_enabled: true - order: 4 - http_authenticator: - type: basic - challenge: true - authentication_backend: - type: intern - proxy_auth_domain: - description: "Authenticate via proxy" - http_enabled: false - transport_enabled: false - order: 3 - http_authenticator: - type: proxy - challenge: false - config: - user_header: "x-proxy-user" - roles_header: "x-proxy-roles" - authentication_backend: - type: noop - jwt_auth_domain: - description: "Authenticate via Json Web Token" - http_enabled: false - transport_enabled: false - order: 0 - http_authenticator: - type: jwt - challenge: false - config: - signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" - jwt_header: "Authorization" - jwt_url_parameter: null - roles_key: null - subject_key: null - authentication_backend: - type: noop - clientcert_auth_domain: - description: "Authenticate via SSL client certificates" - http_enabled: false - transport_enabled: false - order: 2 - http_authenticator: - type: clientcert - config: - username_attribute: cn #optional, if omitted DN becomes username - challenge: false - authentication_backend: - type: noop - ldap: - description: "Authenticate via LDAP or Active Directory" - http_enabled: false - transport_enabled: false - order: 5 - http_authenticator: - type: basic - challenge: false - authentication_backend: - # LDAP authentication backend (authenticate users against a LDAP or Active Directory) - type: ldap - config: - # enable ldaps - enable_ssl: false - # enable start tls, enable_ssl should be false - enable_start_tls: false - # send client certificate - enable_ssl_client_auth: false - # verify ldap hostname - verify_hostnames: true - hosts: - - localhost:8389 - bind_dn: null - password: null - userbase: 'ou=people,dc=example,dc=com' - # Filter to search for users (currently in the whole subtree beneath userbase) - # {0} is substituted with the username - 
usersearch: '(sAMAccountName={0})' - # Use this attribute from the user as username (if not set then DN is used) - username_attribute: null - authz: - roles_from_myldap: - description: "Authorize via LDAP or Active Directory" - http_enabled: false - transport_enabled: false - authorization_backend: - # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) - type: ldap - config: - # enable ldaps - enable_ssl: false - # enable start tls, enable_ssl should be false - enable_start_tls: false - # send client certificate - enable_ssl_client_auth: false - # verify ldap hostname - verify_hostnames: true - hosts: - - localhost:8389 - bind_dn: null - password: null - rolebase: 'ou=groups,dc=example,dc=com' - # Filter to search for roles (currently in the whole subtree beneath rolebase) - # {0} is substituted with the DN of the user - # {1} is substituted with the username - # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute - rolesearch: '(member={0})' - # Specify the name of the attribute which value should be substituted with {2} above - userroleattribute: null - # Roles as an attribute of the user entry - userrolename: disabled - #userrolename: memberOf - # The attribute in a role entry containing the name of that role, Default is "name". - # Can also be "dn" to use the full DN as rolename. - rolename: cn - # Resolve nested roles transitive (roles which are members of other roles and so on ...) 
- resolve_nested_roles: true - userbase: 'ou=people,dc=example,dc=com' - # Filter to search for users (currently in the whole subtree beneath userbase) - # {0} is substituted with the username - usersearch: '(uid={0})' - # Skip users matching a user name, a wildcard or a regex pattern - #skip_users: - # - 'cn=Michael Jackson,ou*people,o=TEST' - # - '/\S*/' - roles_from_another_ldap: - description: "Authorize via another Active Directory" - http_enabled: false - transport_enabled: false - authorization_backend: - type: ldap - #config goes here ... - # auth_failure_listeners: - # ip_rate_limiting: - # type: ip - # allowed_tries: 10 - # time_window_seconds: 3600 - # block_expiry_seconds: 600 - # max_blocked_clients: 100000 - # max_tracked_clients: 100000 - # internal_authentication_backend_limiting: - # type: username - # authentication_backend: intern - # allowed_tries: 10 - # time_window_seconds: 3600 - # block_expiry_seconds: 600 - # max_blocked_clients: 100000 - # max_tracked_clients: 100000 diff --git a/bwc-test/src/test/resources/security/securityconfig/internal_users.yml b/bwc-test/src/test/resources/security/securityconfig/internal_users.yml deleted file mode 100644 index 2b77f3c58d..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/internal_users.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -_meta: - type: "internalusers" - config_version: 2 - -# Define your internal users here - -## Demo users - -admin: - hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" - reserved: true - backend_roles: - - "admin" - description: "Demo admin user" - -craig: - hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" - reserved: true - description: "Demo craig user" - -anomalyadmin: - hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." - reserved: false - opendistro_security_roles: - - "anomaly_full_access" - description: "Demo anomaly admin user, using internal role" - -kibanaserver: - hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." - reserved: true - description: "Demo OpenSearch Dashboards user" - -kibanaro: - hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" - reserved: false - backend_roles: - - "kibanauser" - - "readall" - attributes: - attribute1: "value1" - attribute2: "value2" - attribute3: "value3" - description: "Demo OpenSearch Dashboards read only user, using external role mapping" - -logstash: - hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" - reserved: false - backend_roles: - - "logstash" - description: "Demo logstash user, using external role mapping" - -readall: - hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" - reserved: false - backend_roles: - - "readall" - description: "Demo readall user, using external role mapping" - -snapshotrestore: - hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" - reserved: false - backend_roles: - - "snapshotrestore" - description: "Demo snapshotrestore user, using external role mapping" 
diff --git a/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml b/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml deleted file mode 100644 index 7f8304cf0d..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/nodes_dn.yml +++ /dev/null @@ -1,8 +0,0 @@ -_meta: - type: "nodesdn" - config_version: 2 - -# Define nodesdn mapping name and corresponding values -# cluster1: -# nodes_dn: -# - CN=*.example.com diff --git a/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example b/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example deleted file mode 100644 index ef6985521f..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/opensearch.yml.example +++ /dev/null 
@@ -1,228 +0,0 @@ -############## OpenSearch Security configuration ############### - -########################################################### -# Add the following settings to your standard opensearch.yml -# alongside with the OpenSearch Security TLS settings. -# Settings must always be the same on all nodes in the cluster. - -############## Common configuration settings ############## - -# Specify a list of DNs which denote the other nodes in the cluster. -# This settings support wildcards and regular expressions -# The list of DNs are also read from security index **in addition** to the yml configuration if -# plugins.security.nodes_dn_dynamic_config_enabled is true. -# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. -plugins.security.nodes_dn: - - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE" - - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" - -# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to -# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured -# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs -# which provide means to update/retrieve nodesdn dynamically. -# -# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored -# in security index. -# (default: false) -# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set. 
-plugins.security.nodes_dn_dynamic_config_enabled: false - -# Defines the DNs (distinguished names) of certificates -# to which admin privileges should be assigned (mandatory) -plugins.security.authcz.admin_dn: - - "CN=kirk,OU=client,O=client,l=tEst, C=De" - -# Define how backend roles should be mapped to Security roles -# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default) -# BACKENDROLES_ONLY - backend roles are mapped to Security roles directly. Settings in roles_mapping.yml have no effect. -# BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition -plugins.security.roles_mapping_resolution: MAPPING_ONLY - -############## REST Management API configuration settings ############## -# Enable or disable role based access to the REST management API -# Default is that no role is allowed to access the REST management API. -#plugins.security.restapi.roles_enabled: ["all_access","xyz_role"] - -# Disable particular endpoints and their HTTP methods for roles. -# By default all endpoints/methods are allowed. 
-#plugins.security.restapi.endpoints_disabled..: -# Example: -#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"] -#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"] - -# The following endpoints exist: -# ACTIONGROUPS -# CACHE -# CONFIG -# ROLES -# ROLESMAPPING -# INTERNALUSERS -# SYSTEMINFO -# PERMISSIONSINFO - -############## Auditlog configuration settings ############## -# General settings - -# Enable/disable rest request logging (default: true) -#plugins.security.audit.enable_rest: true -# Enable/disable transport request logging (default: false) -#plugins.security.audit.enable_transport: false -# Enable/disable bulk request logging (default: false) -# If enabled all subrequests in bulk requests will be logged too -#plugins.security.audit.resolve_bulk_requests: false -# Disable some categories -#plugins.security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"] -# Disable some requests (wildcard or regex of actions or rest request paths) -#plugins.security.audit.ignore_requests: ["indices:data/read/*","*_bulk"] -# Tune threadpool size, default is 10 -#plugins.security.audit.threadpool.size: 10 -# Tune threadpool max size queue length, default is 100000 -#plugins.security.audit.threadpool.max_queue_len: 100000 - -# Ignore users, e.g. 
do not log audit requests from that users (default: no ignored users) -#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']" - -# Destination of the auditlog events -plugins.security.audit.type: internal_opensearch -#plugins.security.audit.type: external_opensearch -#plugins.security.audit.type: debug -#plugins.security.audit.type: webhook - -# external_opensearch settings -#plugins.security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" -# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6') -#plugins.security.audit.config.index: auditlog6 # make sure you secure this index properly -#plugins.security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly -#plugins.security.audit.config.type: auditlog -#plugins.security.audit.config.username: auditloguser -#plugins.security.audit.config.password: auditlogpassword -#plugins.security.audit.config.enable_ssl: false -#plugins.security.audit.config.verify_hostnames: false -#plugins.security.audit.config.enable_ssl_client_auth: false -#plugins.security.audit.config.cert_alias: mycert -#plugins.security.audit.config.pemkey_filepath: key.pem -#plugins.security.audit.config.pemkey_content: <...pem base 64 content> -#plugins.security.audit.config.pemkey_password: secret -#plugins.security.audit.config.pemcert_filepath: cert.pem -#plugins.security.audit.config.pemcert_content: <...pem base 64 content> -#plugins.security.audit.config.pemtrustedcas_filepath: ca.pem -#plugins.security.audit.config.pemtrustedcas_content: <...pem base 64 content> - -# webhook settings -#plugins.security.audit.config.webhook.url: "http://mywebhook/endpoint" -# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK -#plugins.security.audit.config.webhook.format: JSON -#plugins.security.audit.config.webhook.ssl.verify: false 
-#plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem -#plugins.security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content> - -# log4j settings -#plugins.security.audit.config.log4j.logger_name: auditlogger -#plugins.security.audit.config.log4j.level: INFO - -############## Kerberos configuration settings ############## -# If Kerberos authentication should be used you have to configure: - -# The Path to the krb5.conf file -# Can be absolute or relative to the OpenSearch config directory -#plugins.security.kerberos.krb5_filepath: '/etc/krb5.conf' - -# The Path to the keytab where the acceptor_principal credentials are stored. -# Must be relative to the OpenSearch config directory -#plugins.security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab' - -# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file -#plugins.security.kerberos.acceptor_principal: 'HTTP/localhost' - -############## Advanced configuration settings ############## -# Enable transport layer impersonation -# Allow DNs (distinguished names) to impersonate as other users -#plugins.security.authcz.impersonation_dn: -# "CN=spock,OU=client,O=client,L=Test,C=DE": -# - worf -# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": -# - user2 -# - user1 - -# Enable rest layer impersonation -# Allow users to impersonate as other users -#plugins.security.authcz.rest_impersonation_user: -# "picard": -# - worf -# "john": -# - steve -# - martin - -# If this is set to true OpenSearch Security will automatically initialize the configuration index -# with the files in the config directory if the index does not exist. -# WARNING: This will use well-known default passwords. -# Use only in a private network/environment. -#plugins.security.allow_default_init_securityindex: false - -# If this is set to true then allow to startup with demo certificates. -# These are certificates issued by floragunn GmbH for demo purposes. 
-# WARNING: This certificates are well known and therefore unsafe -# Use only in a private network/environment. -#plugins.security.allow_unsafe_democertificates: false - - - -# Password strength rules for password complexity. -# If you want to set up password strength rules for internal users, you can use the below settings for it. -# Password validation rules can be configured through regex. In the below regex example, a user must need -# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character. -# And a custom error message can be configured, in case if a password is not created according to the password strength rule. -# plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' -# plugins.security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character." - - -############## Expert settings ############## -# WARNING: Expert settings, do only use if you know what you are doing -# If you set wrong values here this this could be a security risk -# or make OpenSearch Security stop working - -# Name of the index where .opendistro_security stores its configuration. - -#plugins.security.config_index_name: .opendistro_security - -# This defines the OID of server node certificates -#plugins.security.cert.oid: '1.2.3.4.5.5' - -# This specifies the implementation of org.opensearch.security.transport.InterClusterRequestEvaluator -# that is used to determine inter-cluster request. 
-# Instances of org.opensearch.security.transport.InterClusterRequestEvaluator must implement a single argument -# constructor that takes an org.opensearch.common.settings.Settings -#plugins.security.cert.intercluster_request_evaluator_class: org.opensearch.security.transport.DefaultInterClusterRequestEvaluator - -# By default, normal users can restore snapshots if they have the priviliges 'cluster:admin/snapshot/restore', -# 'indices:admin/create', and 'indices:data/write/index' for the indices to be restored. -# To disable snapshot restore for normal users set 'plugins.security.enable_snapshot_restore_privilege: false'. -# This makes it so that only snapshot restore requests signed by an admin TLS certificate are accepted. -# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index -# If 'plugins.security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted. -#plugins.security.enable_snapshot_restore_privilege: true -#plugins.security.check_snapshot_restore_write_privileges: true - -# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60) -#plugins.security.cache.ttl_minutes: 60 - -# Disable OpenSearch Security -# WARNING: This can expose your configuration (including passwords) to the public. -#plugins.security.disabled: false - - -# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role -# to be visible, listed in the plugins.security.protected_indices.roles setting. -# Enable protected indices -# plugins.security.protected_indices.enabled: true -# Specify a list of roles a user must be member of to touch any protected index. -# plugins.security.protected_indices.roles: ['all_access'] -# Specify a list of indices to mark as protected. 
These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. -# plugins.security.protected_indices.indices: [] - -# System indices are similar to security index, except the contents are not encrypted. -# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices. -# Enable system indices -# plugins.security.system_indices.enabled: true -# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. -# plugins.security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opensearch-notifications-*', '.opensearch-notebooks', '.opensearch-observability', '.opendistro-asynchronous-search-response*', '.replication-metadata-store'] \ No newline at end of file diff --git a/bwc-test/src/test/resources/security/securityconfig/roles.yml b/bwc-test/src/test/resources/security/securityconfig/roles.yml deleted file mode 100644 index 01dc60d48d..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/roles.yml +++ /dev/null 
@@ -1,308 +0,0 @@ -_meta: - type: "roles" - config_version: 2 - -# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards -kibana_read_only: - reserved: true - -# The security REST API access role is used to assign specific users access to change the security settings through the REST API. -security_rest_api_access: - reserved: true - - -employee: - cluster_permissions: - - 'cluster_all' - index_permissions: - - index_patterns: - - 'emp*' - allowed_actions: - - 'read' - dls: '{"bool": {"should": [{"match": {"state": "NY"}}, {"match": {"state": "MA"}}, {"match": {"state": "CA"}}]}}' - - index_patterns: - - 'employee*' - allowed_actions: - - 'read' - dls: '{"bool": {"should": [{"match": {"state": "NY"}}, {"match": {"state": "TX"}}, {"match": {"state": "WA"}}]}}' - -# Allows users to view monitors, destinations and alerts -alerting_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/get' - - 'cluster:admin/opendistro/alerting/destination/get' - - 'cluster:admin/opendistro/alerting/monitor/get' - - 'cluster:admin/opendistro/alerting/monitor/search' - - 'cluster:admin/opensearch/alerting/findings/get' - -# Allows users to view and acknowledge alerts -alerting_ack_alerts: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/*' - -# Allows users to use all alerting functionality -alerting_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/alerting/*' - - 'cluster:admin/opensearch/alerting/*' - - 'cluster:admin/opensearch/notifications/feature/publish' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allow users to read Anomaly Detection detectors and results -anomaly_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/ad/detector/info' - - 
'cluster:admin/opendistro/ad/detector/search' - - 'cluster:admin/opendistro/ad/detectors/get' - - 'cluster:admin/opendistro/ad/result/search' - - 'cluster:admin/opendistro/ad/tasks/search' - - 'cluster:admin/opendistro/ad/detector/validate' - - 'cluster:admin/opendistro/ad/result/topAnomalies' - -# Allows users to use all Anomaly Detection functionality -anomaly_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/ad/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allows users to read Notebooks -notebooks_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/notebooks/list' - - 'cluster:admin/opendistro/notebooks/get' - -# Allows users to all Notebooks functionality -notebooks_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/notebooks/create' - - 'cluster:admin/opendistro/notebooks/update' - - 'cluster:admin/opendistro/notebooks/delete' - - 'cluster:admin/opendistro/notebooks/get' - - 'cluster:admin/opendistro/notebooks/list' - -# Allows users to read observability objects -observability_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/observability/get' - -# Allows users to all Observability functionality -observability_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/observability/create' - - 'cluster:admin/opensearch/observability/update' - - 'cluster:admin/opensearch/observability/delete' - - 'cluster:admin/opensearch/observability/get' - -# Allows users to read and download Reports -reports_instances_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to read and download Reports and 
Report-definitions -reports_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to all Reports functionality -reports_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/create' - - 'cluster:admin/opendistro/reports/definition/update' - - 'cluster:admin/opendistro/reports/definition/on_demand' - - 'cluster:admin/opendistro/reports/definition/delete' - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to use all asynchronous-search functionality -asynchronous_search_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:data/read/search*' - -# Allows users to read stored asynchronous-search results -asynchronous_search_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/get' - -# Allows user to use all index_management actions - ism policies, rollups, transforms -index_management_full_access: - reserved: true - cluster_permissions: - - "cluster:admin/opendistro/ism/*" - - "cluster:admin/opendistro/rollup/*" - - "cluster:admin/opendistro/transform/*" - - "cluster:admin/opensearch/notifications/feature/publish" - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/opensearch/ism/*' - -# Allows users to use all cross cluster replication functionality at leader cluster 
-cross_cluster_replication_leader_full_access: - reserved: true - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - "indices:admin/plugins/replication/index/setup/validate" - - "indices:data/read/plugins/replication/changes" - - "indices:data/read/plugins/replication/file_chunk" - -# Allows users to use all cross cluster replication functionality at follower cluster -cross_cluster_replication_follower_full_access: - reserved: true - cluster_permissions: - - "cluster:admin/plugins/replication/autofollow/update" - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - "indices:admin/plugins/replication/index/setup/validate" - - "indices:data/write/plugins/replication/changes" - - "indices:admin/plugins/replication/index/start" - - "indices:admin/plugins/replication/index/pause" - - "indices:admin/plugins/replication/index/resume" - - "indices:admin/plugins/replication/index/stop" - - "indices:admin/plugins/replication/index/update" - - "indices:admin/plugins/replication/index/status_check" - -# Allow users to read ML stats/models/tasks -ml_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/ml/stats/nodes' - - 'cluster:admin/opensearch/ml/models/get' - - 'cluster:admin/opensearch/ml/models/search' - - 'cluster:admin/opensearch/ml/tasks/get' - - 'cluster:admin/opensearch/ml/tasks/search' - -# Allows users to use all ML functionality -ml_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opensearch/ml/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - -# Allows users to use all Notifications functionality -notifications_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/notifications/*' - -# Allows users to read Notifications config/channels -notifications_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/notifications/configs/get' - - 
'cluster:admin/opensearch/notifications/features' - - 'cluster:admin/opensearch/notifications/channels/get' - -# Allows users to use all snapshot management functionality -snapshot_management_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/snapshot_management/*' - - 'cluster:admin/opensearch/notifications/feature/publish' - - 'cluster:admin/repository/*' - - 'cluster:admin/snapshot/*' - -# Allows users to see snapshots, repositories, and snapshot management policies -snapshot_management_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/snapshot_management/policy/get' - - 'cluster:admin/opensearch/snapshot_management/policy/search' - - 'cluster:admin/opensearch/snapshot_management/policy/explain' - - 'cluster:admin/repository/get' - - 'cluster:admin/snapshot/get' - -# Allows user to use point in time functionality -point_in_time_full_access: - reserved: true - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'manage_point_in_time' - -# Allows users to see security analytics detectors and others -security_analytics_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/get' - - 'cluster:admin/opensearch/securityanalytics/detector/get' - - 'cluster:admin/opensearch/securityanalytics/detector/search' - - 'cluster:admin/opensearch/securityanalytics/findings/get' - - 'cluster:admin/opensearch/securityanalytics/mapping/get' - - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' - - 'cluster:admin/opensearch/securityanalytics/rule/get' - - 'cluster:admin/opensearch/securityanalytics/rule/search' - -# Allows users to use all security analytics functionality -security_analytics_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/*' - - 'cluster:admin/opensearch/securityanalytics/detector/*' - - 'cluster:admin/opensearch/securityanalytics/findings/*' - - 
'cluster:admin/opensearch/securityanalytics/mapping/*' - - 'cluster:admin/opensearch/securityanalytics/rule/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/mapping/put' - - 'indices:admin/mappings/get' - -# Allows users to view and acknowledge alerts -security_analytics_ack_alerts: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/*' diff --git a/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml b/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml deleted file mode 100644 index 650b52230b..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/roles_mapping.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -# In this file users, backendroles and hosts can be mapped to Security roles. -# Permissions for OpenSearch roles are configured in roles.yml - -_meta: - type: "rolesmapping" - config_version: 2 - -# Define your roles mapping here - -## Demo roles mapping - -all_access: - reserved: false - backend_roles: - - "admin" - description: "Maps admin to all_access" - -employee: - reserved: false - users: - - "craig" - -own_index: - reserved: false - users: - - "*" - description: "Allow full access to an index named like the username" - -logstash: - reserved: false - backend_roles: - - "logstash" - -kibana_user: - reserved: false - backend_roles: - - "kibanauser" - description: "Maps kibanauser to kibana_user" - -readall: - reserved: false - backend_roles: - - "readall" - -manage_snapshots: - reserved: false - backend_roles: - - "snapshotrestore" - -kibana_server: - reserved: true - users: - - "kibanaserver" diff --git a/bwc-test/src/test/resources/security/securityconfig/tenants.yml b/bwc-test/src/test/resources/security/securityconfig/tenants.yml deleted file mode 100644 index 04104dce00..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/tenants.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -_meta: - type: "tenants" - config_version: 2 - -# Define your tenants here - -## Demo tenants -admin_tenant: - reserved: false - description: "Demo tenant for admin user" diff --git a/bwc-test/src/test/resources/security/securityconfig/whitelist.yml b/bwc-test/src/test/resources/security/securityconfig/whitelist.yml deleted file mode 100644 index 1d54ff841a..0000000000 --- a/bwc-test/src/test/resources/security/securityconfig/whitelist.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -_meta: - type: "whitelist" - config_version: 2 - -# Description: -# enabled - feature flag. -# if enabled is false, the whitelisting feature is removed. -# This is like removing the check that checks if an API is whitelisted. -# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting. -# if enabled is true, then all users except SuperAdmin can access only the APIs in requests -# SuperAdmin can access all APIs. -# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn: -# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. -# -# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints - -# Examples showing how to configure this yml file (make sure the _meta data from above is also there): -# Example 1: -# To enable whitelisting and whitelist GET /_cluster/settings -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# -# Example 2: -# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT): -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# - PUT -# -# Example 3: -# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: -# -#config: -# enabled: true -# requests: -# /_cluster/settings: -# - GET -# - PUT -# /_cat/nodes: -# - GET -# /_cat/shards: -# - GET -# -# Example 4: -# If you want to disable the whitelisting feature, set enabled to false. -# enabled: false -# requests: -# /_cluster/settings: -# - GET -# -#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant. - - -#this name must be config -config: - enabled: false - requests: - /_cluster/settings: - - GET - /_cat/nodes: - - GET 
From 6c022dfe9da6b7f23eb9c273fbbdd46957dee326 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Tue, 29 Aug 2023 10:39:54 -0400
Subject: [PATCH 21/28] Use demo certificates
Signed-off-by: Craig Perkins
---
 bwc-test/build.gradle | 5 ++--
 .../security/generate_certificates.sh | 27 -----------------
 .../test/resources/security/kirk-keystore.jks | Bin 4525 -> 0 bytes
 .../test/resources/security/root-ca-key.pem | 28 ------------------
 .../src/test/resources/security/sample.pem | 28 ++++++++++++++++++
 .../src/test/resources/security/test-kirk.jks | Bin 0 -> 3874 bytes
 .../test/resources/security/truststore.jks | Bin 3890 -> 0 bytes
 .../transport/SecurityRequestHandler.java | 1 -
 8 files changed, 30 insertions(+), 59 deletions(-)
 delete mode 100755 bwc-test/src/test/resources/security/generate_certificates.sh
 delete mode 100644 bwc-test/src/test/resources/security/kirk-keystore.jks
 delete mode 100644 bwc-test/src/test/resources/security/root-ca-key.pem
 create mode 100644 bwc-test/src/test/resources/security/sample.pem
 create mode 100644 bwc-test/src/test/resources/security/test-kirk.jks
 delete mode 100644 bwc-test/src/test/resources/security/truststore.jks
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index 591371906d..b91a442eb2 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -78,7 +78,7 @@ loggerUsageCheck.enabled = false testingConventions.enabled = false validateNebulaPom.enabled = false -String previousVersion = System.getProperty("bwc.version.previous", "2.10.0.0") +String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0") String nextVersion = System.getProperty("bwc.version.next", "2.10.0.0") String bwcVersion = previousVersion
@@ -124,7 +124,6 @@ def String extractVersion(versionStr) {
 node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem"))
 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
- node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
 node.setting("network.bind_host", "127.0.0.1")
 node.setting("network.publish_host", "127.0.0.1")
 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
@@ -139,7 +138,7 @@ def String extractVersion(versionStr) {
 // node.setting("plugins.security.ssl.http.truststore_password", "password")
 node.setting("plugins.security.allow_unsafe_democertificates", "true")
 node.setting("plugins.security.allow_default_init_securityindex", "true")
- node.setting("plugins.security.authcz.admin_dn", "\"CN=kirk,OU=client,O=client,L=test,C=de\"")
+ node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de")
 node.setting("plugins.security.audit.type", "internal_opensearch")
 node.setting("plugins.security.enable_snapshot_restore_privilege", "true")
 node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
diff --git a/bwc-test/src/test/resources/security/generate_certificates.sh b/bwc-test/src/test/resources/security/generate_certificates.sh
deleted file mode 100755
index 1b57136cff..0000000000
--- a/bwc-test/src/test/resources/security/generate_certificates.sh
+++ /dev/null
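Review bot: The new `admin_dn` value on the `+` line of the second hunk is a bare comma-separated scalar, while `plugins.security.authcz.admin_dn` is consumed as a list; if the test-cluster plugin writes it into opensearch.yml as a plain string, OpenSearch's comma-delimited list parsing would split the DN into five fragments and the kirk client certificate would no longer match as an admin identity. This is worth confirming by inspecting the generated opensearch.yml in the cluster's working directory, and recording the expectation next to the line, e.g. `// admin_dn is a list setting; keep this value in the same form the plugin's demo config installs`. The same hunk keeps `allow_unsafe_democertificates` and `allow_default_init_securityindex` enabled, which is only appropriate for this throwaway BWC cluster; a one-line comment saying so would prevent the block being copied into a non-test build. The enclosing testClusters node configuration starts and ends outside the hunk.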
@@ -1,27 +0,0 @@ -#!/bin/sh -# Root CA - -openssl genrsa -out root-ca-key.pem 2048 -openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:1 -new -x509 -sha256 -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA, CN = Example Com Inc. Root CA" -out root-ca.pem -days 730 - -# kirk cert -openssl genrsa -out kirk-key-temp.pem 2048 -openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk-key.pem -openssl req -new -key kirk-key.pem -subj "/C=de/L=test/O=client/OU=client/CN=kirk" -out kirk.csr -openssl x509 -req -in kirk.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kirk.pem -days 730 - - -openssl genrsa -out esnode-key-temp.pem 2048 -openssl pkcs8 -inform PEM -outform PEM -in esnode-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out esnode-key.pem -openssl req -new -key esnode-key.pem -subj "/C=de/L=test/O=node/OU=node/CN=node-0.example.com" -out esnode.csr -# openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-0.example.com,DNS:localhost,IP:::1,IP:127.0.0.1,RID:1.2.3.4.5.5") -in esnode.csr -out esnode.pem -CA root-ca.pem -CAkey root-ca-key.pem - - -# Cleanup -rm kirk-key-temp.pem -rm kirk.csr -rm signing-key-temp.pem -rm signing.csr -# rm esnode-key-temp.pem -# rm esnode.csr -# rm esnode.ext \ No newline at end of file 
diff --git a/bwc-test/src/test/resources/security/kirk-keystore.jks b/bwc-test/src/test/resources/security/kirk-keystore.jks deleted file mode 100644 index dd7562ef81822291c9e48be60b6daef2883288a9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4525 zcmdVccT^MWwgB){LPGDoiG|JtLlcmi&;&(_6h#7rP(uq{DS;pYA_Afmm4HYQP!tF# zO+it?LY1P3NK;Ux3W)H6$9wKM=ic}3T5sJy?)_ud%--LgH8bDr`F*qXdFwL>1cER& z@XrnA;}zt?2;6|iLvA1t91KukKLBYi?ob|vHEVPXTvFy98Cf88WeS!f7A?SFPvZg)V z7v6j;sEtmwpQf&7q@7zop%6{r2s~o4`h$O*s-O*b>U-1znW*c#zSZBch%8xV*PK!@M#{2`WZYarXxm&{`QatOX?4u9M`&!g z&8@j*V|x00YnIuVYvX+t0oL3*%ZApt%D}TBgx;82*eFi6zP*KyC^rTTB}T2_jyE(_ z;f-sVA5zg)Q)lMvlIJLf*G91S{6-yTXOSiB%Pl6=)ezz52b@>D2PMdN`A#<=9WZ-| z7KW!1+>q&M9FI4m)Uo2)<*krrUc5S@Z)L7G7dgI!>|D_H@?HQ2<&8$8eAM5V`nS_j zNpG-+#Ccy*OAKTS(OGuQwm4>u0HI3?WwUI`J?nS!O@}YqX!P0n!lx^wZ-xy>9X%}X z%zmko=qLu(IqcUGH-zYG9NL}p(8Yv5_N2}HLil{#_GY+#+?8~+txTk4E?9{>Y6;8Q zEZMQQG+Zc7(ONjc_Z{R_?;uOgps(gW9B#f(6USN@W|Q~IWxj{osPJ=+k~BeQ@cQL| z$FtVYsZN!ibBkZ5nzYpH;ZHJ%>jHUIYX_z7yg_w(Pt?L{^X(1y1V;C7nhA@9^p>1jxzk4S}xL;ZtiB54PN2WN{SYvv3Rh9rlt7aOkInvb_wo?IeDCPpYvkB~u~s|dnp zzlO4kJt=!g)8MF%;L*>C7`w|&Q5;Zw^-N`BMf^2O*~k34r_QaBMiXr@B`1*OXV;sA z9gZ{qm~Tz#GUS?VMvHuD!B$x1U&)(!$F*Sp&b2~cEiXb}fOVHxav+Cc&lruM_R&V( z{43J!IB|M3ZPcwnQbKw_ebQNXOK%`r0lA@di3f&@c4}>O5mAX}`oa7CAntB*PQV6H z^L0WBm#47xTa;TPT3rIKe{dQg49MoR+S7kZUoEgm8$1*sT7hyWeFN zn%<%O^kC4vVk0^76VKU1bP6oo&2Wj(7bV7r$yWzRuT)$$b)}BoAG@t&D^9#0)4o5t z3!Xb!WQChtbPDCZqnv#{@Cy@D^Gw)@;l6aTSvhyQ&XWfqXs~EWy=uctyrPgS<;cB3 ziFkO@!mSh-w6rR5LZ+*OP##Ou?k-vUl=T*#5wv)XW2;UyNTZj8}9GudhAJ(K5qN?vK^qvH6t3LGn(B3(e+O(u*EW1 zgo5DqN~(Y+2m~`?c&GqQ{_o?!Vs@#_RA&(9SEpn!M%ab_5c z29yHk05S3?2n7rV(d*;#xkoZwk^xiERpN!)4V9H=l4Tn>l)s)UWPUlhW+IW-e}Nd?fsk@0y>16?UrrsO!Hfv0>DAFyj~ z4;Oe+Dtg6e1A$uu6@_fEHn~Tu=r`1LiAGjPWDh&kDWabnW};Hzp#zbs1*P^&lDQn3 zhr`|MiT6!+C&i|>I%eo`0eSDaQI)&vJ`Nd~4)V@wtQn-jj?ItB_B_)Xwk^s@lernM zO6lqvz0uD;>}Ldz03>%+rJfw%-gl1kJbl2iG7Yh2s)~NTOz*9{732Q!JpEGs6V6Or z?v@;35->T4fIz_@a8cZQAa0bgx9TTIG8{VR`$aOlLZ$GqH0yMO 
z@Y6xHgC39jse&KLbn`{{Q=Dt?sE>A+&5;&KL6?ewqvkimo8(4^)y-6@f|g&srG3>K zOR=S%Q-k-M?40&}c8i-mnBH1sjS;pxgNV#%ZPwef`YO#$*D?j$PZ$l zv{pW;Ex{36V{U;rt7KE%$r;XTZ-@9eYiWqK{GxeG!gsw=N<4qP;JB$*gcAmX#ZTkm zq-$D~{KvLfP0R=BdS#-bj(0KEcF*w_t(~hvN!;6+PE{lAeAu>?ljx1Nff@jeHBiRi z;8P7Z7*;-^Yp6&xT-dBKQxS9QF4n?^yDy1p2?1 z{23BJ<8P2)b|7Jd|FHo6E0OvuRKyY-<<1OEd3a0BM&Rq!?9JVYy#B1+Qd!I5#H&na zk30jH2V789$$yAG~m0RXuJD{3u#WSeCxe~2|f62_g>oeC8H2- ze_UH=t}fpaj}759iKB>E5tqFUk`YL%VC@Mru%ad`VPXugO{!w0WjwP{qm4bia|eAw z%*&+wPLE(jG-lJ5O7spY(>%Nwf zJoPod6ROYp-O|9-fNjCN;-j5sdwH&MMsRxO-8N?0U+SP@S1s;CxMp2EWy){1+$1-p z-DsI!@Z4bXQA?=y)QQ#3-$e2N-2dzmme zbbuEP3)|)lIMxspuEbuJf&jNE&eccAgGAH(;O4$ri-*b+2mD#*+5{X{T+%#m+hwnw zkf-(~ntl3qGJvy}XGYaA_O+L)P&_p4@%st9PcpPWv(828(5o1EE|+dIyIAoDXB5Rx z2VB*Q-H5fTW<9l){gQ8BNW*?6U`6S{ffb#a&3)ZV>)Im)?txTeS&1&gRUu8nNMOgv z+(FN+c$pG?jSUeB*?EX{HtNS#Gz{^Sc$kU#;o^jQwe_IHf@kKow7!c`4=eK)3_^Qx ze7?GX&f}#QwMYDVJliV?LGc3@|E>ar@q@9&P+{tq3gEv?*MFl5|8b7}D-UjPy+2V- zR(n5asG`m*?|e`x$VJQF^3>hqpOW4P>L+*@OdT!pG`Rd)sD7&MgFN|kU=M2@8(Y6w ztRiYPqHa?A_K*Cd0VS>?dqH_B%{`uuhc64=N%<(+p1=57=C#>Iv?CgYyQ>hI6)OpE zamrO&M9IHI$%MboyIg}=uimEGEuTd;oGskcyAn}lHDB0@@N+%$RGxMe6Cr4funqQ$ z(@D`B1+Ln_7dr$zQ;nCclkF8IVs{r0xqV`xp_b29-!1B1zY$=RRk4Wz8NU~@x|U=) z^7_KegkHLFMM4Z#0{ z2OPh900*E95B~5Q@=w3@{|^RoP6f5c3mqhA=})^K1scsL<<#R9%F6QEx{2Rb`ky~z zrY&|YhQ9HW!AbMWFK9)w`=or^w-wr%%ogmWARu$h2!fZ<*ZkVuCOohaSsN5nyOO&>*~TNv9yR<|${+cysDRR3}7H>+p?a9c8v%bU%E#C4CGWvaeW$ oIl4xa=rqgDw#QA?#n3);-E>Npf^^i;kSQ<9A)UYFuMDdGAEFEd8UO$Q diff --git a/bwc-test/src/test/resources/security/root-ca-key.pem b/bwc-test/src/test/resources/security/root-ca-key.pem deleted file mode 100644 index cc32481482..0000000000 --- a/bwc-test/src/test/resources/security/root-ca-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCq2bb3zmYpqNGF -sAlqi3ro5xCE8UMhTPiyqcO74XL7tscBWFLE/ZcdzmmSo4r0+YnCqCkVwfeWigMF -BL76rz/DIO/2USBusx/dKDKEYwA1DMdXh05uv8uUe2KhE3xY9Y70cCJFR/l1Jjzd -nzpE7bGBp3yNqq3/fa5oHeTgdCmYa4J+DWkxv1G19x5czloanS9auYiRTkycFw1E -ObsPzhtrfM54McaztoVwnPFgP7jOj64F4ZGat7NNwvdf9MBbHACcoGBjwDzM3i+/ -D1KhYrj8t12ipxFX48VWq7lWhKRvquZZuGuvyoCNjpUfyhMQq/lzkM78D3R60kkE -JmbITsXdAgMBAAECggEAI4umUIpFoRc5eEn2u48HZFtmiXI0mEIOYAWH7pfqN0qA -vtvkZI2qGg5u0o5qA6vDKJeZ7KftXgmatTmWjktVxcAdjK62Q7HKyFVrpTV/vonJ -E4HYJJyMu3isPXzzWwLD2kFWL/nYgbIR6b4N/ndBfgsdk8/V4ZkBZzIJA1XHrakh -dSE9gQEcYv9+k1G26jFtiAPQ8P6Lwylk99s5iJ6XmEtHju9A7nHixoX4s+8YJ5Fr -vPnGEeegfG9LuaP8QmVyBpM22DajJ/KtndaCcO5qWK2qN05q1x1i561jQODRFC6a -z+qmH7MuWpBmNe/VirFy3wZErAKz9lJyqxor5OhVQQKBgQDUrW4zS/OY5Vr1hmAE -cZuFaa87aoOZTouZNZahIWtZE39ziirmb4g1k2dWubONW9fIodfw2cbDxVMkSHRS -paeia6SoAApFTb/mFEzGOa+524b2NVuHYfh5ZzbXM7wbqpvJt9SG0ZstJGVWZDaN -3dprnscJC1I62lDrATYx4/Fz0QKBgQDNpx2X5k9Y+/IGzTnHRU2/BI9X5P6LF4aI -JFZvThSmdvPNJ3a49OpXcQzWwHYNBRQ+3bD9Q+KaVHPNSpz8zmmQc8MfuGDCCFSm -ccZaxh9X1zu6OeU642I8uexGta3knjziy4GWFKCTruDLtZ+orHtr6g7QuxwwzVoD -utz/6CvwTQKBgQDImwIcXqLacFSYzPQanPJ+KA7Cs5iH7d+dVz/KotQ3xD1uxT/r -9f370xshYa5sQtpKA+bE5xYmKSVgTvtxzZFOkcxRLyCA+HJu2m0EePs5C0nFSNUZ -4R5XnTTMTp87VXT3E2/i7yk4rmDr2UDgFghlhPHmpQgePTkgQhdVfdWNUQKBgGyk -gm/CzdxWjU+mj4WESURGZmuqoAZfEUVO3RLEDwi6AqY42PFxAXPcV0oENtk9+6oS -d/P0LvwU7XBgoHq1mPMlFMnnH8ahnAaqSH2f+OLw467H8x+fDEDEf9wDErCaH9Q4 -amcc0o/ybPNxKb10EWe7KMSAdK4bbhhWWXYf80ZpAoGBAMd4kVJcPV7SB7v4pFZS -ChMXK3BEKAjL7FC+JqW1LsDmoToIBJg6s+632A0GWxbR8xYXHqxEhQfP77e+EJZr -PR24ZzT89Zvp86n5NTBzR2ETF/ELrIBndu77RecJsfxpqcFVtcBKSPpbC2WhS5b7 -BEoEP10H08sPGPeqcA54aXCM ------END PRIVATE KEY----- diff --git a/bwc-test/src/test/resources/security/sample.pem b/bwc-test/src/test/resources/security/sample.pem new file mode 100644 index 0000000000..fa785ca10f --- /dev/null +++ b/bwc-test/src/test/resources/security/sample.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy +MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL +BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV +BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt +9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8 +Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL +gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl +ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq +eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw +gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB +GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs +ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw +HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv +78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg +MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq +AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI +hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0 +5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy +8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr +XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA +1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t +e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/bwc-test/src/test/resources/security/test-kirk.jks b/bwc-test/src/test/resources/security/test-kirk.jks new file mode 100644 index 0000000000000000000000000000000000000000..174dbda656f41b10341adb78ab91a46afaae8a1c GIT binary patch literal 3874 zcmY+GcQhM}zs8e@RFtSn>{Y9_XzfvZl*TSQG6F9FNd(wu zFab99cRY+FKt2CO5E21u`*&mo0s{VisDB9%$qk|Z?*;}S1PKGv1*1XCugHHEKp;B6 z69Saqd|bch;ZdXcj@o48Or^T{VjiQWQ)um?koax&EW2Jd6%cmO+99&?<0M#TkhMY0 z>TOc9NNj$5o%GwnI2>ZpA<-syd;YVlrkqVstJxqe_w8#F0dlKW!#D3WVDWfwaN@uX z{)l!>hgv`=r)M_tPedAH8wS zrMCsCM3^vbf3iWkdUoK)O(h9`bxp3s^zq4CU5%IJN;Y04OLiLfXPS%;Duo}L?EKtE z$4DyO?uRf+Ovm@OBmMKYjcI;;3k(jA`wJ`_W&){Es6Nv(A-s;NYZhfPTZJ%tBZ{1@ zc|_(P(o|Du6c{sJ4@Q6w- zF)*aVb&dDqmGoH8(8Y;T2S?DR9+P|nUT>q8177|so}DjY7IWc!jB(9r?rJ%YyVvh5 z4`BJLeFX6F2g1N^WT?dWin3^|1>$*MQP~CSqFMgQ4m&bJp``1>I(!5Pe9&NB7{wXc z+p)Bs6Durb104tWmIOYRkBU~Waz;l#k`+@Fye00vbTIQq3dY*R{KBH-UF3%r{=+v` zqu(DD1~xv;*N0vqhN9l+bCm(5u37KF+&JF&or0qB&J%}ZmdviHekDmr#GlPK60J4Q zJ#vSZYt1pSxEPM~S27`bL-X}ig&?t1ubwy1&P?lEwQUs|t?a7>dqM7^&@^5tSL9pMp+&5H?jk>BGMj!JcQ+3*rxFcY4MY2z z4C?1*^xq&(g`+u7JnXS-Yuq8?$%DG-Zs#VDo=cTmcJRfEFTG1T4~(u1j$Snc+7Cs; zyB9?mE4rqbq_*xqj?#OlN%@YGt*PgH+-~Fy+blur5jn zu_S?>vGKl_57zp6>#CW5Q&HHKl|qVToNrM`8!zz5n*{CQ+r2#n4{2tk@;0m{ zM8pbY25rVQv1<0iw2CPT?uG+>NVZVLalVoRSZQdC(&M@`0$mC@6l?zxF&LAM8XHR1Ah3S zb?4&7@N$w<+PVC^0ws=h2pqrozQ!=b!?Zy2@uQjFh1)BEPT$JlDa9Q8(%YHT_r)w# z<4bW`j)gX^ktonho#Uf=U=ZH5QT!;ug%qe!Fi?N(OjphEVY3YTU5B*j^ZMOg+XmnL zPpT%`zoHjGCw~=w|5zC`KWOFwsF`=Jjwez^hwA2rgTt^ z^10Gp<3*%@mI37QZ>P3$*PX4;4LpFQqK9AnvMxAg!|B)unEQ{13w`0LO;;mgV22L5 z=Y8bwo8Fch2UFgZEqeTdMGZMKmz)4Uzb#-R)&H4zUC45?<4&g?`6XX-=`F2|(~Esf z4P+-+Y;J{*hV8L55?o`K^wL+ zE>e|WH7ZW48)vi%Zq4nbkLikeTd&2pCr5A#jJC9jypS>*@uF<#i}Xp$3X7~b0>bXQ zd@CV7FY-$A{IR_m5uZie z+ckdOpNC4bjck=wZ@3lTl5+`W3~_4oPuGx4#mk-f?CsbGulgu|BAb)LTI|hBYM==Q zPLdu6@x)I_O{qq^{%cI*Q`-C+WZjpp^GjGiWv(#7Vr(pZ@A532u&Rn|3@4+xgKqNc zMhtgDOn)7lv}KZc^U}jD!KU{3;=7as(>uBwDx5}ii8iIz!F(WDlbe(V`WH5PS-XhZ zPJFI;eV}4{aJ?&?Sv%?zMZJ9SRFL%?ZZ0C(FdozY2R@i=1>&&E< 
z<(hauSRE!6;QE6ujbYrYrWNm9;!ixJV`}*=J$7wZ^0l>rTb7|)`olK^*^m3Ex%nq2 zL({r^1)T=Q7qM>-F~1lC817t!PNhq1c&?{#kiAuiMtlDELuI?Ut6LMQ6()675@U5L z_g(P7&7MR-N3z!C5a+qZ$!xmrg0qbsQn*7vqc!v-^yqc6`tlc%aQl-Fe+IYP5Pe^K z^%zx2w*a+^&+F*;<~HZ&=XwRTB6z)Uec2XkH=^cl)cHs|VxGqSQStks&td*NQbTPW z@??ewN#dRVCH?t{p-$)JDIxkVF$#9Q?iS!Qqby9p zttQuw3k2_4Hs9`5TG}3Jwk97Nste6#I!jG)f$b(~xI#)Bs7nQ7es#6RzYPh=8vCY$@K;aE z0JYYxSm&6)?GS&eI-ibs8vhi$EXK)Yhv7%bHy2C$czjfz?F4J+b%lJkXj+1&h?Ti_R;#D>}h%qh-ltN3^kJE=J$q9lGN z97&*c`aeQNBG8(G3ADz4#|D3&4&?Ix=oLK>L?VDUkp%Gi|FbTdf2<2!*X4kUenR(; zb%6=se)ca%eZ zOyn3`1eb66NoONNlb!Qgq|BuMxwULjnW>4u2iuhj(ZUV8fC!eY=nsZF*}w6V0(LxJ zVJ|ew^cV0%UizR_Y1yOEtM1}iw*f#fPAX(#E)%*G)QD7W7O$XT5e!*pv0krMED!yw zv)_h?54B@8<=GZ6ukEmkmrx<@jaUud2Y%EQU-vBcCChZ&9Xf`1Rw3w4G=@{y>I<<5 zr)BfiiXe`(Z@ksE4@BqB5d!$>pA(N&9b7XX5GBfr?j{H(J6=OSr*~9Ff8Zh0^d;HS3|V9O<+-Py zxI&YAI-gM^t2+X1O6JyQ*^8SfuZ5{?m1F14fGg;0aeF|P)4c8tw{C;?*J)`bjV2~qOsSjk^$@gQ1{3jw}OGfYhan!3#Y zHIQX-5|4fmT69zTvDd3aW(AkQqj4t}?Md}bd>>Q>N!29V@klLOr#L%^gPrlgw8ASS>!fstf*6i;ka?xLu@MUq>?r_mf*HCZ0jHy2N^B`x>Y90Tt5-jn7*G)Ai~?r^6!i zChFK}Z-Np|s#K(ct1NYcNSoxM%p~ng6bf7}uXm#_v&(wHHp4Tljgd6EW$Kg0xZkkr zi&o;({o`MC#=#JXFx-Py14vyFMbGypX`-a>1F9n21b`MXKk|zU$zEO&>l1Rjkx$4Vg-UeUetqM3xCVt2 z#4}QY$t__sQxkuq9U8E_JbjM8#9JvlSK48A@`?q^I*~JnT-!@f$l49YlT>fpGqYJ9 zr+k*tw-oT8l~Dr<$GT8lt$6D+{n7Af1%CX7h0*}>N)s;I);DZqq{57aT?|k3fr+XiEcJ`b-`?Par7lvdKCkIf#kc`t*AdxuDxDy5dHJ}j5 zH~>U4_WXrAU`R^L|Dq`KfJjR8UpVt`q*BrSkBXiaKwgNXRQd}lz@Gl2pk#oV!DRm} z>0zQkHfy2nW`n1dk_3Wt9`W9fhMB7OS>)t5naKeV7(Erue@`R_QIf%UsX(@IngB-% zAV37jY*5-cJ@S@2p~I!y`s9!AFc1kG*UoboDG}BQ)`ryWrNuknoR(MCg9xScisFA5 z>g>MW?r&zWJqk4{JA{J#3%O)GmZC?NEAZh=fIYF*P5-PI3+8^!6-UT zqWsbwE?xN9>2yv{a{lw$xF~lx$jjo^hu$B*z*xI3@K@gHce$0#5jm3TQ*kH64nZs& zb{`(ag_1j)(*thgrLLt+7V{l=Ni-&lIb`cl~EIowy;bEHO|5 zbGv4&Qs69C{b#4&jaygd?OQ#Y+Snym_5%A7q#c~j+D1-u7@@L1Z}~?M%49!TxN$dj zb#MPD&KrLtCO=;Equ!NkzBAqE+Tt!Ih=&9}$>&Q}?S7M5gLWXKP4f;OrZ^~E5lj`) z--D(I=eGNTLbBHwoPL9LTq=M^J}3)KAi#)u9r{h%pUJ-(RkC*}$m0Nc0fiDz0uSygSS 
zmNoAj5)W5+Ook?815GC7%Z}%=&J%sQ1&ZwIZ3Bu;+X5l(M^v=$N_C!blR9uSgsL8r z)Qz@P$m8>wz_AjwdFLw}iv?QuLm!gAE@DM2+J7p_-#8vIk=^h08=P945Qcfh4i^2a z!!ANlN{9;Dhfus&$ozp>yj>NsKY|cLCAK-Yphz0Qf{xId*{O~ZNq=VDuk3lQR7or> zeZnp=5KaR)1@)bgZqYyw#~X8RMxj}cF*v-6U7bszVvfD5ZcrnyvnyPv!8%!dENGSP$`pY7~Dw`^&Mks@kR}K*tA5 z1vWS_@86g5zJh`ZP3e?MUT&I=!zxsIvjZgt?T2zphBGTvy!HJTDeg9j{;?~^>GRWt zww*IN!RG1=nmrnrUdfhPbt+9*c!0Y*? zAqg4Qr;J2WL+r1@Ew_}9NBr?W7bOmZt}^dqtHZ&vkDwq|EXVk;mhX_9Jg$mk+@wd( z|IJi+Pc7`|IY!Il%Mk~~YDmTy!FvHV|MD|~_x?OjnfWl^>h&iI&vy=ye{o4PYte)M%N$vA03{Bl9=f@9w*;QkA3UE6fU3pHSjS z5KCwfX_~N9=K2e6koHw1ilR%guPipf46&hm91-+zZEDk_C}_%?)28@@b0%4sJbD0e zw)w-h3|s_{Tc;ohy1Wl}50mILMCvZHYtsZ52eWIpF)y8&l5Ps!k$xWGKmno^{sjGQ zRC|;88BGBd!Yoq#RxCeFK?qhuXV92nM>)FU705uYM;DBM&XocrJ>&Xq(}MVH_#OD= zq_8wuX&6me-V{d1Rkk_v?YdPqDRd=J8)v9n9(o8G0k|d8T4R;Y3=12?KhO0G>ZmSB z!4b9)~aqPA`Ii*-(DGK)&Xg(DRPgIlgehu>@N zX6-%B_?>vDw6B6ob7FtCyU6CbP66SybH)lP3u6>j?BtXSb-i9@7Ns~@-6_%4h8zr? zL7S9*sCcdQU$j_w%(o4=s~@(jL_JzK+Z1~yeIPt8lXN@UWfaDa&X z2a=mH1(*j{%~Q!uED(F(B1VG=J~a4>RGnI!6PAjYi>{Wx z71{tXusfjDdoOXB0|izD@Z8xtiqDmvG89l(fm;(~UZYm<)!m+b-5f~x^QAD_W+{?K z5ZmQ;?#jvU)V8H?ykv31=hBt*{X?)w}1y@jAEHy!bkOshwJquCI@OJfR@eC zli?2B^Qv=`rNi{nSLz6epc%9Y7xS?6+(D&k49d#^Mf9Zz%+qf+VZ zZIdC7Vgcn#yqJLx*t^9kqUMI{+l@+vV0*(F6pa&~IxxJ?-S%|-tD!0)V3Fm^`YXw3 zTzL!tjWbxy3^7brsb)!{6#e*~B z?F#gk(ZU%zsg9#3KdXo`*HPPcw#vD_UrA1L*=6i4Yyr|6B7%9=_7UG2-#G;JK ztfIk_kLVus+neRz3pFztx6k*u7s@lMw@{=R?QCqJ`1 zVR0WssRVWA=+f#s<|kQqy2v-v{**i}`Z=|Rk}I=IdBRz%p|$IU2_2=aH%P5yS%MWQ zX0fb`zh`c$CAthVLj-Uv@=>VsMC^N?m-%E!6|d+xou}!6AJ!jZR~cIUibilMc$tXA z^+0$YsAmdgFO!G=br52PiI0SU^c?9xM#dySltd;n zMyf0b6vWMfA7^?FX~19bk##>TK6n+v@pp@Tv@Dsv_G?xaZ&1gIGi(^yL{HM<$UZlL z?|SXLAs~dlF2hrV3eJe;Hvxoo^XZM8PR7eLDd^l@n47YhZC@7V z1DTLkbNl3#ZvbkSlN0$`o0fWqHUQMTL9kHQSfZZywSB>wd3f|N$85`Gj^mUimM z-zcvaedW=m0-rUp(|EUf&dAgA_0swwQC)FVpsw&nZDHg5BQ)(}Ru4|^FpBATqYqPa zk40CLpB(J#)dig1BvA7HI{qbWm3usuki+_yY9h59d38H fTLIZLb*XNHT%_A$q6BZ?q-6d1FM#d;bprhdG9FpL 
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 99dde079d0..2bc1c5b9d7 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -289,7 +289,6 @@ protected void messageReceivedDecorate(
 || HeaderHelper.isTrustedClusterRequest(getThreadContext())
 || HeaderHelper.isExtensionRequest(getThreadContext()))) { // CS-ENFORCE-SINGLE
- System.out.println("Not a trusted transport request. Erroring out.");
 final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException();
 log.error(exception.toString());
 transportChannel.sendResponse(exception);
From b7bf55fbb6c5197c4a2da85d5a5ab767feee96eb Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Tue, 29 Aug 2023 10:49:34 -0400
Subject: [PATCH 22/28] Remove commented out settings
Signed-off-by: Craig Perkins
---
 bwc-test/build.gradle | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index b91a442eb2..9999c631dc 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -134,8 +134,6 @@ def String extractVersion(versionStr) {
 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")
 node.setting("plugins.security.ssl.http.pemtrustedcas_filepath", "root-ca.pem")
- // node.setting("plugins.security.ssl.http.truststore_filepath", "truststore.jks")
- // node.setting("plugins.security.ssl.http.truststore_password", "password")
 node.setting("plugins.security.allow_unsafe_democertificates", "true")
 node.setting("plugins.security.allow_default_init_securityindex", "true")
 node.setting("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=test,C=de")
@@ -144,7 +142,6 @@ def String extractVersion(versionStr) {
 node.setting("plugins.security.check_snapshot_restore_write_privileges", "true")
 node.setting("plugins.security.restapi.roles_enabled", "[\"all_access\", \"security_rest_api_access\"]")
 node.setting("plugins.security.system_indices.enabled", "true")
- node.setting("logger.org.opensearch.gradle.testclusters", "debug")
 }
 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}"
From c84d017408d6bb5f5ed3e854f1b6a29eda6e5f5f Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Tue, 29 Aug 2023 10:54:21 -0400
Subject: [PATCH 23/28] Use demo certs
Signed-off-by: Craig Perkins
---
 .../test/resources/security/esnode-key.pem | 52 ++++++------
 .../src/test/resources/security/esnode.pem | 74 +++++++------------
 .../src/test/resources/security/kirk-key.pem | 52 ++++++------
 bwc-test/src/test/resources/security/kirk.pem | 43 ++++++-----
 .../src/test/resources/security/root-ca.pem | 45 ++++++-----
 .../src/test/resources/security/sample.pem | 2 +-
 6 files changed, 125 insertions(+), 143 deletions(-)
diff --git a/bwc-test/src/test/resources/security/esnode-key.pem b/bwc-test/src/test/resources/security/esnode-key.pem
index 8dd1db0923..4ac2cb57a7 100644
--- a/bwc-test/src/test/resources/security/esnode-key.pem
+++ b/bwc-test/src/test/resources/security/esnode-key.pem
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1uCtmgJW3zlvo -6VM6dpGHH/vnj73x6Xi19I3FzVMSok6Bd3ZaUZ09jqy1xz58uUc4QJcPW79CdqjN -zEWRUkCyNBtgi21LGV0FY6tUtcm7Dh82Y0Jpk8DPzw6WgUIDqfp2Zr4ric88asaI -R7dzjr7NTlIKKjcC+zuo1NqgYg0ElYtOof2wdxZ/17akOQmLAKrdDwtYfBgbBkYD -PDvAYNYVM7+DhWhtLbjizskc20u1En4UikWWwq+1mWR2DyvDoRuRtem//JYmK7+B -YzXV6aTm7Erw8KAWpUL5F7HcgmGWHOIPEPNfskB1egdKoTdDRosKOOVxHVAr7+fj -Wj8610BJAgMBAAECggEACJy44LHXDYctD3/GDAGF3j+Pu7D9DlKJiY8VvP4SUE/i -AoWmX0oHAdZTVVezZ/mydlVFNiOYE4NHLVdghNRmMhjDcOHSJdSwvvScV667cFPx -Yh2egUbNdjsinsHPB4PYpHe7aJk+6zYu2S3yTxmMtHNvSq3qGa+miqdTNlXZcPSf -RWh9iXrk+XDkq8iFknI7U8NNoVXkk0UyNpw0o0CG/Vh6k6HnIR6CwOy3asxdaKug -Jqndm5MyvCy/NOknsjA6eJwwJDEZg4ARzalyEpT5jxoQHngFRI6+9hRUPZC8tD+6 -osg5IB0iLp7JR4TYe+CVOups/a3J2jLqbPbSm5j3UQKBgQD8mcw+JY2VwVXx1dQr -BixMuuT7fIX0H0yb9sAKq4/LQlAfWT6DBgbLy2r+Z09SQ5m69H6aqn/gqhUI/7Jk -DpZfIZz8OXgj8E/+1I/dCdVdxPFoywTViUgzsJNC6G3Oxc3xC8AUqObzVyJRhIWw -Mel5nfo3WsK7BnDNWjA5noOMNQKBgQD5Bqpmf2J8lUkHRCzFOS1UcBvdMJrfiPUf -32mp14A23E9n+2okCQRkEjXyqYjUqTFXxFIS2zsVjRROy5TFjSa/dwuU4W74Gygs -XY6cqsAeHFaU9zVEFFPc7W44Icb5dd/Ww+quTqvW5ddUx1HNpXkHq889n3YptdmH -/iie6yteRQKBgQDPjySncD4N7sZLKBPlonXmOrALAYAkX0+Y3EFiwyQttXiWucNG -8D3HWYe6MXOZOhjo6RvaxPy8w6TzNwADfYUL+FfBXQueJEnnMAxiaUEcgsaHAEMh -n2NnrdDjao9IF3sodSpJD5xuGYwGhalAZVLebvP6ZiaafSlVY6U6w0h+fQKBgQDR -4XdOacBU5fElyaS+GIGG7/HcC3IMQj7uPPquJa2vDyFxruj3NA5aVSrYuWBUc8Dd -it3tfI4gjMX33wclNODab/f348QGIcVLFxLyIctH1XR3mp5vIX7I7ed+MaGkcF9W -f8rUXAPiW9aPYmokm3kVKQ3Cjxok71pGjsQnpGbpzQKBgAqd1RwnhotvkcldmLEq -AB3Ayb0XhsJLl0ubyf37DodPsIdMlSPKyg4YnYRpnrATeGVweS9rxdmDDnsvtEEv -8E+/RhSn9temcZV7J8M4uQlZBDHbyL8Q5g3Bg/mq2fAMS0szaAcAqS+CXJ1UnDYd -UaMFpGE7ajMoVZOg8ItfEAGn +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCWvn+O+rywfgMC +ud24mAclMDfuNA/IzCKLxl5usIE/PvUm7PPfXQ14LfQhNQXqOuaD9fiVM+HO1BzK +wmN3j4g7eHInR1cxENoNGKFa0Fr9EXnUv8sfwyobPD8NTu9eaH7T+d6f9oow+Q4n +xb9Xin5IRR/pcJ8v7zEjcXpZaZejcSU4iVZ0PR2Di4H9rfe9SEyR5wLrsVBePB3L 
+jaL1uK4bZF3n/JGgDe3BNy1PgPU+O+FCzQipBBTyJWQCjd4iTRXVbMa01PglAR85 +O9w6NXApBLyWdGRY6dGd8vMC2P4KlhnxlcgPZdglKniGTX+eTzT7Rszq77zjYrou +PLwSh9S7AgMBAAECggEABwiohxFoEIwws8XcdKqTWsbfNTw0qFfuHLuK2Htf7IWR +htlzn66F3F+4jnwc5IsPCoVFriCXnsEC/usHHSMTZkL+gJqxlNaGdin6DXS/aiOQ +nb69SaQfqNmsz4ApZyxVDqsQGkK0vAhDAtQVU45gyhp/nLLmmqP8lPzMirOEodmp +U9bA8t/ttrzng7SVAER42f6IVpW0iTKTLyFii0WZbq+ObViyqib9hVFrI6NJuQS+ +IelcZB0KsSi6rqIjXg1XXyMiIUcSlhq+GfEa18AYgmsbPwMbExate7/8Ci7ZtCbh +lx9bves2+eeqq5EMm3sMHyhdcg61yzd5UYXeZhwJkQKBgQDS9YqrAtztvLY2gMgv +d+wOjb9awWxYbQTBjx33kf66W+pJ+2j8bI/XX2CpZ98w/oq8VhMqbr9j5b8MfsrF +EoQvedA4joUo8sXd4j1mR2qKF4/KLmkgy6YYusNP2UrVSw7sh77bzce+YaVVoO/e +0wIVTHuD/QZ6fG6MasOqcbl6hwKBgQC27cQruaHFEXR/16LrMVAX+HyEEv44KOCZ +ij5OE4P7F0twb+okngG26+OJV3BtqXf0ULlXJ+YGwXCRf6zUZkld3NMy3bbKPgH6 +H/nf3BxqS2tudj7+DV52jKtisBghdvtlKs56oc9AAuwOs37DvhptBKUPdzDDqfys +Qchv5JQdLQKBgERev+pcqy2Bk6xmYHrB6wdseS/4sByYeIoi0BuEfYH4eB4yFPx6 +UsQCbVl6CKPgWyZe3ydJbU37D8gE78KfFagtWoZ56j4zMF2RDUUwsB7BNCDamce/ +OL2bCeG/Erm98cBG3lxufOX+z47I8fTNfkdY2k8UmhzoZwurLm73HJ3RAoGBAKsp +6yamuXF2FbYRhUXgjHsBbTD/vJO72/yO2CGiLRpi/5mjfkjo99269trp0C8sJSub +5PBiSuADXFsoRgUv+HI1UAEGaCTwxFTQWrRWdtgW3d0sE2EQDVWL5kmfT9TwSeat +mSoyAYR5t3tCBNkPJhbgA7pm4mASzHQ50VyxWs25AoGBAKPFx9X2oKhYQa+mW541 +bbqRuGFMoXIIcr/aeM3LayfLETi48o5NDr2NDP11j4yYuz26YLH0Dj8aKpWuehuH +uB27n6j6qu0SVhQi6mMJBe1JrKbzhqMKQjYOoy8VsC2gdj5pCUP/kLQPW7zm9diX +CiKTtKgPIeYdigor7V3AHcVT -----END PRIVATE KEY----- diff --git a/bwc-test/src/test/resources/security/esnode.pem b/bwc-test/src/test/resources/security/esnode.pem index 76c52035ed..7ba92534e4 100644 --- a/bwc-test/src/test/resources/security/esnode.pem +++ b/bwc-test/src/test/resources/security/esnode.pem 
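Review bot: Nothing in the resources directory records that this replacement private key, and the ones in the kirk-key.pem, esnode.pem, kirk.pem and root-ca.pem hunks that follow, are the demo credentials the commit title refers to (presumably the same pair shipped with the plugin's demo configuration), so a later reader cannot tell them from real test-only material that would need rotating. Decoding the validity field of the new esnode.pem, kirk.pem and root-ca.pem gives notBefore 2018-04-22 and notAfter 2028-04-19 (UTC), after which the BWC cluster will presumably stop handshaking with no hint in this tree as to why. I would add a short README in bwc-test/src/test/resources/security stating that these are the public demo certificates, that they only work while `plugins.security.allow_unsafe_democertificates` stays `true` in bwc-test/build.gradle, that they must not be reused outside this test cluster, and that they expire on 2028-04-19.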
@@ -1,50 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEITCCAwmgAwIBAgIUGPqmZdMIOqjgbQ0nRdJ2F/VUkPgwDQYJKoZIhvcNAQEL -BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx -NTA3WhcNMzMwODA3MjExNTA3WjBXMQswCQYDVQQGEwJkZTENMAsGA1UEBwwEdGVz -dDENMAsGA1UECgwEbm9kZTENMAsGA1UECwwEbm9kZTEbMBkGA1UEAwwSbm9kZS0w -LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bgr -ZoCVt85b6OlTOnaRhx/754+98el4tfSNxc1TEqJOgXd2WlGdPY6stcc+fLlHOECX -D1u/QnaozcxFkVJAsjQbYIttSxldBWOrVLXJuw4fNmNCaZPAz88OloFCA6n6dma+ -K4nPPGrGiEe3c46+zU5SCio3Avs7qNTaoGINBJWLTqH9sHcWf9e2pDkJiwCq3Q8L -WHwYGwZGAzw7wGDWFTO/g4VobS244s7JHNtLtRJ+FIpFlsKvtZlkdg8rw6EbkbXp -v/yWJiu/gWM11emk5uxK8PCgFqVC+Rex3IJhlhziDxDzX7JAdXoHSqE3Q0aLCjjl -cR1QK+/n41o/OtdASQIDAQABo4GMMIGJMEcGA1UdEQRAMD6CEm5vZGUtMC5leGFt -cGxlLmNvbYIJbG9jYWxob3N0hxAAAAAAAAAAAAAAAAAAAAABhwR/AAABiAUqAwQF -BTAdBgNVHQ4EFgQUwEDN1zWWQ4ULvKofWCRi+a/uTt8wHwYDVR0jBBgwFoAU6bJR -I4km9IzZNac3Yt+Jyn9KkskwDQYJKoZIhvcNAQELBQADggEBAJd/5+cVSmsL2Gx4 -Dq36U4XOHfUSIVJUuOuu19ZxQ5a9ObUfNX0gSLXbcWnLcdOCUgN4OutjxUw16FeL -G9t2tT/dKbJZiCkF0QPorugNGeeMt0fExRQ3D0a8OisGdqYurcHxVDjViyWurh1B -ETFU6Gm2E1Rya3zCrW5wEll2GSNe1Xdc+1ANh1mW8E8TbzX3vhY6gXu9o8uNCXLU -N0JE0ggugkOBLSSP9MbFvQDWWAY7nMaQxuXwULyiXMSm2QQOOlNqcGMASWo7sWij -ELDpYc5XPVplpQObdTkEFrooHe7oBl91WZ9oY9iu/H2Yx6HS/zJs6knZvwNxz3uY -ZcvdYXw= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL -BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx -NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG 
-CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x -ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh -bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw -CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE -vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f -OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 -uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P -UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm -ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G -A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C -AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G -XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n -Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto -KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ -FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x -p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= +MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy +MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL +BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV +BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt +9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8 +Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL +gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl +ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq +eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw 
+gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB +GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs +ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw +HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv +78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg +MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq +AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI +hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0 +5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy +8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr +XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA +1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t +e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs= -----END CERTIFICATE----- diff --git a/bwc-test/src/test/resources/security/kirk-key.pem b/bwc-test/src/test/resources/security/kirk-key.pem index d9405abfe5..bacb22c215 100644 --- a/bwc-test/src/test/resources/security/kirk-key.pem +++ b/bwc-test/src/test/resources/security/kirk-key.pem 
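Review bot: The replacement certificate drops the IPv6 loopback from the subjectAltName: decoding the extension in the removed block gives DNS node-0.example.com, DNS localhost, IP ::1 and IP 127.0.0.1, while the new one carries only node-0.example.com, localhost and 127.0.0.1 (plus a registeredID), so a BWC node or test client that reaches the cluster over [::1] will fail hostname verification wherever it is enforced. The new content is also byte-identical to sample.pem (both `index` lines in this commit end in blob 7ba92534e4, and the sample.pem added earlier in this series holds this same certificate), so one of the two files is redundant and the name sample.pem does not say what it is for. Either keep a node certificate that lists ::1, or record the reduced SAN where the node cert is wired up, e.g. `// demo esnode.pem SAN: node-0.example.com, localhost, 127.0.0.1 (no ::1)` next to the `pemcert_filepath` settings in bwc-test/build.gradle, and drop or rename sample.pem.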
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDu8gQ5Sl7I1h1m -AfGxFfdcBAwz3zsta1nzJzkWdwDeSa1NFAVOke8dOHFHnbsaYMJuCBh9t7NbcHiX -e8A7CGX7XfwBZHhLNEU6Yjq8rfVoP5ySPyk80nGen56+dmeli0B+BC4GDCO4J8Hm -DdTnYtdWGK6NzOceJpbAXywtixLly6H+aYGE9MBcBtOJuVHzEvVUP/xGToCIDdi2 -wsoySoqbyTbWFB6t3LUlir9qVIn05EdzurmTUVNXIzL0BFUGiejqxE7uHEu3O7ro -Pr47y3rZ6jSgt5ynrQr2ng1qxiY3bB9l4Xqs2wbNe1isS5H533s7REsq57ma1w2y -aDpvR1SzAgMBAAECggEABngmiAxn9t7+big4FkzKLtv7CsB+HvwmjJ3KtQxPBI5R -CUA1Ic5zsKmwUe+uLCqUzL2yS3DFIYriF7rxx6xPiZ9GL6d3GzycDzklxwv/AEaQ -oOQcvI83murYNYRiZnjJGCVFmDAq4FVO7N7uOtLIL8FBoJwkJhZydL9e6V+Gzf6r -B42P8VSmd+xyDg/9r6l69nNB7zSz+wF6UCphhkNtjc/pZS3/Z+gL2Q1LkP/9txkK -Arh9bdptPxWI0fPQYJSTfdbSW6AyJDCpptqDvhG5mYFBP2uQKHXDY1E4HH65vHp2 -+lS0AEK7NsY0u0/JPcyAvpomo2tnmfUb/3I8RtLrYQKBgQD5lykdqlghDajR7POK -RIeX/T185cc1IKMYIOzbT9sB9NbUq0dM5HHz/RqJybj7Dd+s8EKj6i/daTOfQ1Hk -FGshE8m3yBY7wYx1AzA9cgxZjC12q7+1s9rR66fQ0ycpoITuwI8uVEUgmYxZBYvw -yc2XrEWi4EQpwmftCWTmk8/IQwKBgQD1FN+qRpl/2VbI1sDpMVKYsQRUKSgoKkRU -Ov9XK1LkzGFP+a287NJB8sqomwXGXngTJr0gYy2N58N8osQmjcRMac5WBuFT8k5J -jJpaZKcx4mUrVMtknOmEeeN8U1XzMXh/j4Ps6yy1oZbATm7MzsbBBz8ofgRVmEBH -H69G9r1y0QKBgG/j+Ca4avHGcdxKYZOmzTKx8JLBX+DNVNBIUmavEft6i6SjdD9g -WkWLPg5vRGIoAhJBU16waezUcLQBNgENtkkJ2fBt3qnDRvheCY5CRo8ObIM606Ld -kkdxYbYYMwJSV8XAxW97j9HhhC2UcvvrPCO2szElYOlnobd98qH7ubaJAoGBAO0/ -Qa2CHoInEN3nFmQnfP+XDMuz88297NtlKV1m8R3Pw7w5xTgIQRnaQNirCRIYzUAs -1hSOLcEbRKBYqG1x+z7Fhhq9Gk+7VpHYbGto2Hlv4ePqd+J0C5JUtCTcP23my/Eg -KuOkXWmOfXK3+oaE/N5Ld5ZpNyTs9/xh7blSjd6hAoGBANuixtW8ZxxNvA8AEhIc -NqRcLfQJgjSGY82PffDura0C1gXrfNRaz6gvFDU9oIYNrllG5uf/qITkKBoQzJuA -q330xqf18B0Gp6p/TaqAU48LBi6hLBsuEvsMVOrpJNfBN97SeXWw3wmmz11YDdF1 -Jpv7Qh0XM/NaSDjMN1ILQNQ2 +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCwgBOoO88uMM8 +dREJsk58Yt4Jn0zwQ2wUThbvy3ICDiEWhiAhUbg6dTggpS5vWWJto9bvaaqgMVoh +ElfYHdTDncX3UQNBEP8tqzHON6BFEFSGgJRGLd6f5dri6rK32nCotYS61CFXBFxf +WumXjSukjyrcTsdkR3C5QDo2oN7F883MOQqRENPzAtZi9s3jNX48u+/e3yvJzXsB 
+GS9Qmsye6C71enbIujM4CVwDT/7a5jHuaUp6OuNCFbdRPnu/wLYwOS2/yOtzAqk7 +/PFnPCe7YOa10ShnV/jx2sAHhp7ZQBJgFkkgnIERz9Ws74Au+EbptWnsWuB+LqRL +x5G02IzpAgMBAAECggEAEzwnMkeBbqqDgyRqFbO/PgMNvD7i0b/28V0dCtCPEVY6 +klzrg3RCERP5V9AN8VVkppYjPkCzZ2A4b0JpMUu7ncOmr7HCnoSCj2IfEyePSVg+ +4OHbbcBOAoDTHiI2myM/M9++8izNS34qGV4t6pfjaDyeQQ/5cBVWNBWnKjS34S5H +rJWpAcDgxYk5/ah2Xs2aULZlXDMxbSikjrv+n4JIYTKFQo8ydzL8HQDBRmXAFLjC +gNOSHf+5u1JdpY3uPIxK1ugVf8zPZ4/OEB23j56uu7c8+sZ+kZwfRWAQmMhFVG/y +OXxoT5mOruBsAw29m2Ijtxg252/YzSTxiDqFziB/eQKBgQDjeVAdi55GW/bvhuqn +xME/An8E3hI/FyaaITrMQJUBjiCUaStTEqUgQ6A7ZfY/VX6qafOX7sli1svihrXC +uelmKrdve/CFEEqzX9JWWRiPiQ0VZD+EQRsJvX85Tw2UGvVUh6dO3UGPS0BhplMD +jeVpyXgZ7Gy5we+DWjfwhYrCmwKBgQDbLmQhRy+IdVljObZmv3QtJ0cyxxZETWzU +MKmgBFvcRw+KvNwO+Iy0CHEbDu06Uj63kzI2bK3QdINaSrjgr8iftXIQpBmcgMF+ +a1l5HtHlCp6RWd55nWQOEvn36IGN3cAaQkXuh4UYM7QfEJaAbzJhyJ+wXA3jWqUd +8bDTIAZ0ywKBgFuZ44gyTAc7S2JDa0Up90O/ZpT4NFLRqMrSbNIJg7d/m2EIRNkM +HhCzCthAg/wXGo3XYq+hCdnSc4ICCzmiEfoBY6LyPvXmjJ5VDOeWs0xBvVIK74T7 +jr7KX2wdiHNGs9pZUidw89CXVhK8nptEzcheyA1wZowbK68yamph7HHXAoGBAK3x +7D9Iyl1mnDEWPT7f1Gh9UpDm1TIRrDvd/tBihTCVKK13YsFy2d+LD5Bk0TpGyUVR +STlOGMdloFUJFh4jA3pUOpkgUr8Uo/sbYN+x6Ov3+I3sH5aupRhSURVA7YhUIz/z +tqIt5R+m8Nzygi6dkQNvf+Qruk3jw0S3ahizwsvvAoGAL7do6dTLp832wFVxkEf4 +gg1M6DswfkgML5V/7GQ3MkIX/Hrmiu+qSuHhDGrp9inZdCDDYg5+uy1+2+RBMRZ3 +vDUUacvc4Fep05zp7NcjgU5y+/HWpuKVvLIlZAO1MBY4Xinqqii6RdxukIhxw7eT +C6TPL5KAcV1R/XAihDhI18Y= -----END PRIVATE KEY----- diff --git a/bwc-test/src/test/resources/security/kirk.pem b/bwc-test/src/test/resources/security/kirk.pem index 681c4cb79d..c32b21cd89 100644 --- a/bwc-test/src/test/resources/security/kirk.pem +++ b/bwc-test/src/test/resources/security/kirk.pem 
@@ -1,21 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIDgzCCAmsCFBj6pmXTCDqo4G0NJ0XSdhf1VJD3MA0GCSqGSIb3DQEBCwUAMIGu -MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZ -MBcGA1UECgwQRXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20g -SW5jLiBSb290IENBMUAwPgYDVQQDDDdFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0Es -IENOID0gRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTIzMDgxMDIxMTQ1MVoX -DTI1MDgwOTIxMTQ1MVowTTELMAkGA1UEBhMCZGUxDTALBgNVBAcMBHRlc3QxDzAN -BgNVBAoMBmNsaWVudDEPMA0GA1UECwwGY2xpZW50MQ0wCwYDVQQDDARraXJrMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7vIEOUpeyNYdZgHxsRX3XAQM -M987LWtZ8yc5FncA3kmtTRQFTpHvHThxR527GmDCbggYfbezW3B4l3vAOwhl+138 -AWR4SzRFOmI6vK31aD+ckj8pPNJxnp+evnZnpYtAfgQuBgwjuCfB5g3U52LXVhiu -jcznHiaWwF8sLYsS5cuh/mmBhPTAXAbTiblR8xL1VD/8Rk6AiA3YtsLKMkqKm8k2 -1hQerdy1JYq/alSJ9ORHc7q5k1FTVyMy9ARVBono6sRO7hxLtzu66D6+O8t62eo0 -oLecp60K9p4NasYmN2wfZeF6rNsGzXtYrEuR+d97O0RLKue5mtcNsmg6b0dUswID -AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCEW7neR3+hpQSnkvwIM0lUua/uFjIqNCf8 -4syKeYqyl/2fLVTx2NdXzSeMcMOa03xt2pSuRT2m1qhrtajEUNHwtlaNOUSXQFpz -BRliDug4oKKNlssKZTbY2DsmfsKrucrbeGxPxIoJlBB4ryx0Z6XlhtVDIc90mInY -d6hQG7jVhTStSGtz1pRp5Ze/3TgA7rcKH1jgGkawVBwDsBeR9rvRncQ6kuLR8/8z -o9HLSWD74syp7v22BfmhEEIDHz+x4iAbJ6r/5VOwuCvIVbPRggmkaW4b7YLgfQo0 -YsIUj2TTWBTx6SVHrbZ/uTWakYE70BQWv7WpTWDQ/DzMih8EGprv +MIIEdzCCA1+gAwIBAgIGAWLrc1O4MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy +MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBNMQswCQYDVQQGEwJkZTENMAsGA1UEBwwE +dGVzdDEPMA0GA1UECgwGY2xpZW50MQ8wDQYDVQQLDAZjbGllbnQxDTALBgNVBAMM +BGtpcmswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCwgBOoO88uMM8 +dREJsk58Yt4Jn0zwQ2wUThbvy3ICDiEWhiAhUbg6dTggpS5vWWJto9bvaaqgMVoh +ElfYHdTDncX3UQNBEP8tqzHON6BFEFSGgJRGLd6f5dri6rK32nCotYS61CFXBFxf +WumXjSukjyrcTsdkR3C5QDo2oN7F883MOQqRENPzAtZi9s3jNX48u+/e3yvJzXsB 
+GS9Qmsye6C71enbIujM4CVwDT/7a5jHuaUp6OuNCFbdRPnu/wLYwOS2/yOtzAqk7 +/PFnPCe7YOa10ShnV/jx2sAHhp7ZQBJgFkkgnIERz9Ws74Au+EbptWnsWuB+LqRL +x5G02IzpAgMBAAGjggEYMIIBFDCBvAYDVR0jBIG0MIGxgBSSNQzgDx4rRfZNOfN7 +X6LmEpdAc6GBlaSBkjCBjzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT +8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4xITAfBgNV +BAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEhMB8GA1UEAwwYRXhhbXBsZSBD +b20gSW5jLiBSb290IENBggEBMB0GA1UdDgQWBBRsdhuHn3MGDvZxOe22+1wliCJB +mDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAWBgNVHSUBAf8EDDAKBggr +BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAkPrUTKKn+/6g0CjhTPBFeX8mKXhG +zw5z9Oq+xnwefZwxV82E/tgFsPcwXcJIBg0f43BaVSygPiV7bXqWhxASwn73i24z +lveIR4+z56bKIhP6c3twb8WWR9yDcLu2Iroin7dYEm3dfVUrhz/A90WHr6ddwmLL +3gcFF2kBu3S3xqM5OmN/tqRXFmo+EvwrdJRiTh4Fsf0tX1ZT07rrGvBFYktK7Kma +lqDl4UDCF1UWkiiFubc0Xw+DR6vNAa99E0oaphzvCmITU1wITNnYZTKzVzQ7vUCq +kLmXOFLTcxTQpptxSo5xDD3aTpzWGCvjExCKpXQtsITUOYtZc02AGjjPOQ== -----END CERTIFICATE----- diff --git a/bwc-test/src/test/resources/security/root-ca.pem b/bwc-test/src/test/resources/security/root-ca.pem index ed97e17ec8..4015d866e1 100644 --- a/bwc-test/src/test/resources/security/root-ca.pem +++ b/bwc-test/src/test/resources/security/root-ca.pem 
@@ -1,25 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEQjCCAyqgAwIBAgIUFhF0GAuR4yaen/L/JyIXdSxFstcwDQYJKoZIhvcNAQEL -BQAwga4xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt -cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl -IENvbSBJbmMuIFJvb3QgQ0ExQDA+BgNVBAMMN0V4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQSwgQ04gPSBFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMjMwODEwMjEx -NDUxWhcNMjUwODA5MjExNDUxWjCBrjETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUG -CgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1wbGUgQ29tIEluYy4x -ITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTFAMD4GA1UEAww3RXhh -bXBsZSBDb20gSW5jLiBSb290IENBLCBDTiA9IEV4YW1wbGUgQ29tIEluYy4gUm9v -dCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrZtvfOZimo0YWw -CWqLeujnEITxQyFM+LKpw7vhcvu2xwFYUsT9lx3OaZKjivT5icKoKRXB95aKAwUE -vvqvP8Mg7/ZRIG6zH90oMoRjADUMx1eHTm6/y5R7YqETfFj1jvRwIkVH+XUmPN2f -OkTtsYGnfI2qrf99rmgd5OB0KZhrgn4NaTG/UbX3HlzOWhqdL1q5iJFOTJwXDUQ5 -uw/OG2t8zngxxrO2hXCc8WA/uM6PrgXhkZq3s03C91/0wFscAJygYGPAPMzeL78P -UqFiuPy3XaKnEVfjxVaruVaEpG+q5lm4a6/KgI2OlR/KExCr+XOQzvwPdHrSSQQm -ZshOxd0CAwEAAaNWMFQwHQYDVR0OBBYEFOmyUSOJJvSM2TWnN2Lficp/SpLJMB8G -A1UdIwQYMBaAFOmyUSOJJvSM2TWnN2Lficp/SpLJMBIGA1UdEwEB/wQIMAYBAf8C -AQEwDQYJKoZIhvcNAQELBQADggEBAGd8tl2b04fbb5ACYZNtYC4LFyj8D9CMuy+G -XBXx4KdXevduEoXlz8EZUrvL6KyCtYN4EW1I65JY60eJ74Ugntbl9lxHdscKfz4n -Yy5PRAxqS+9BQQxJJ4fxn0rKh7oR2qrf7rhRRl/BI3JLbk8c7nuMquVlTvBqAhto -KpGEF0YIw/lP4LF73ew8UCVk/AnH1cyso7QWZZj/EmJiwi3TtntviRJwezQMEkkQ -FMxwO9E85H3eyP53hOjg99EV7JZhtMlMmQB3Jw6lXq1jZEdsMlagalI/jYjsGU7x -p82p85JT+Z7s3VQnSC1w+r17lYQxjHJzjRRUdT1Dip65bGsq4GA= +MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjzETMBEGCgmSJomT8ixk +ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w +bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh +MB8GA1UEAwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMB4XDTE4MDQyMjAzNDM0 +NloXDTI4MDQxOTAzNDM0NlowgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJ +kiaJk/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEw 
+HwYDVQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1w +bGUgQ29tIEluYy4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAK/u+GARP5innhpXK0c0q7s1Su1VTEaIgmZr8VWI6S8amf5cU3ktV7WT9SuV +TsAm2i2A5P+Ctw7iZkfnHWlsC3HhPUcd6mvzGZ4moxnamM7r+a9otRp3owYoGStX +ylVTQusAjbq9do8CMV4hcBTepCd+0w0v4h6UlXU8xjhj1xeUIz4DKbRgf36q0rv4 +VIX46X72rMJSETKOSxuwLkov1ZOVbfSlPaygXIxqsHVlj1iMkYRbQmaTib6XWHKf +MibDaqDejOhukkCjzpptGZOPFQ8002UtTTNv1TiaKxkjMQJNwz6jfZ53ws3fh1I0 +RWT6WfM4oeFRFnyFRmc4uYTUgAkCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAf +BgNVHSMEGDAWgBSSNQzgDx4rRfZNOfN7X6LmEpdAczAdBgNVHQ4EFgQUkjUM4A8e +K0X2TTnze1+i5hKXQHMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IB +AQBoQHvwsR34hGO2m8qVR9nQ5Klo5HYPyd6ySKNcT36OZ4AQfaCGsk+SecTi35QF +RHL3g2qffED4tKR0RBNGQSgiLavmHGCh3YpDupKq2xhhEeS9oBmQzxanFwWFod4T +nnsG2cCejyR9WXoRzHisw0KJWeuNlwjUdJY0xnn16srm1zL/M/f0PvCyh9HU1mF1 +ivnOSqbDD2Z7JSGyckgKad1Omsg/rr5XYtCeyJeXUPcmpeX6erWJJNTUh6yWC/hY +G/dFC4xrJhfXwz6Z0ytUygJO32bJG4Np2iGAwvvgI9EfxzEv/KP+FGrJOvQJAq4/ +BU36ZAa80W/8TBnqZTkNnqZV -----END CERTIFICATE----- diff --git a/bwc-test/src/test/resources/security/sample.pem b/bwc-test/src/test/resources/security/sample.pem index fa785ca10f..7ba92534e4 100644 --- a/bwc-test/src/test/resources/security/sample.pem +++ b/bwc-test/src/test/resources/security/sample.pem @@ -25,4 +25,4 @@ hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0 XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA 1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs= ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- From 745826721ec54e68bdc72626a8c5381df8f35143 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 11:17:32 -0400 Subject: [PATCH 24/28] Add more inputs to run-bwc-suite Signed-off-by: Craig Perkins --- .github/actions/run-bwc-suite/action.yaml | 18 +++++++++++++++--- .github/workflows/ci.yml | 3 +++ 2 files changed, 18 insertions(+), 3 deletions(-) 
diff --git a/.github/actions/run-bwc-suite/action.yaml b/.github/actions/run-bwc-suite/action.yaml index abc73627e5..9cdd452db8 100644 --- a/.github/actions/run-bwc-suite/action.yaml +++ b/.github/actions/run-bwc-suite/action.yaml @@ -14,6 +14,18 @@ inputs: description: 'The name of the artifacts for this run, e.g. "BWC-2.1-to-2.4-results"' required: true + use-https: + description: 'Use HTTPS for wait for cluster health check in testClusters' + required: true + + username: + description: 'Username to user for wait for cluster health check in testClusters' + required: true + + password: + description: 'Password to use for cluster health check in testClusters' + required: true + runs: using: "composite" steps: @@ -35,9 +47,9 @@ runs: arguments: | bwcTestSuite -Dtests.security.manager=false - -Dtests.opensearch.secure=true - -Dtests.opensearch.username=admin - -Dtests.opensearch.password=admin + -Dtests.opensearch.secure=${{ inputs.use-https }} + -Dtests.opensearch.username=${{ inputs.username }} + -Dtests.opensearch.password=${{ inputs.password }} -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }} -Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i build-root-directory: bwc-test diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ecbf4242dd..f76f872780 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -94,6 +94,9 @@ jobs: plugin-previous-branch: "2.9" plugin-next-branch: "current_branch" report-artifact-name: bwc-${{ matrix.platform }}-jdk${{ matrix.jdk }} + use-https: true + username: admin + password: admin code-ql: runs-on: ubuntu-latest From 675ca43cd16995a7fdb753a2acf8e1451b548de2 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 11:24:20 -0400 Subject: [PATCH 25/28] Remove use-https param Signed-off-by: Craig Perkins --- .github/actions/run-bwc-suite/action.yaml | 6 +----- .github/workflows/ci.yml | 1 - 2 files changed, 1 insertion(+), 6 deletions(-) 
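Review bot: The `password` input is expanded straight into the Gradle argument list as `-Dtests.opensearch.password=${{ inputs.password }}` in the second action.yaml hunk, and composite-action inputs are not masked by the runner, so whatever a caller passes ends up on the step's command line and possibly in the job log; the same lines survive as context in the PATCH 25 hunk. For the demo `admin`/`admin` pair set in the ci.yml hunk this is harmless, but the input description does not say so. I would state it in the description, e.g. `description: 'Password for the cluster health check; passed as a plain JVM system property, so use the demo credential only'`, or route the value through `env:` so a future real secret is not interpolated into the command line.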
diff --git a/.github/actions/run-bwc-suite/action.yaml b/.github/actions/run-bwc-suite/action.yaml index 9cdd452db8..fd6dd47e9a 100644 --- a/.github/actions/run-bwc-suite/action.yaml +++ b/.github/actions/run-bwc-suite/action.yaml @@ -14,10 +14,6 @@ inputs: description: 'The name of the artifacts for this run, e.g. "BWC-2.1-to-2.4-results"' required: true - use-https: - description: 'Use HTTPS for wait for cluster health check in testClusters' - required: true - username: description: 'Username to user for wait for cluster health check in testClusters' required: true @@ -47,7 +43,7 @@ runs: arguments: | bwcTestSuite -Dtests.security.manager=false - -Dtests.opensearch.secure=${{ inputs.use-https }} + -Dtests.opensearch.secure=true -Dtests.opensearch.username=${{ inputs.username }} -Dtests.opensearch.password=${{ inputs.password }} -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f76f872780..d7525835fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -94,7 +94,6 @@ jobs: plugin-previous-branch: "2.9" plugin-next-branch: "current_branch" report-artifact-name: bwc-${{ matrix.platform }}-jdk${{ matrix.jdk }} - use-https: true username: admin password: admin From 0b82a1640164a3a6cf5c0ade892f9e2149464114 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 11:27:07 -0400 Subject: [PATCH 26/28] Remove commented out code Signed-off-by: Craig Perkins --- bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index 12e44abe86..fb0ca2671f 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java 
@@ -119,9 +119,6 @@ protected static void configureHttpsClient(RestClientBuilder builder, Settings s throw new RuntimeException(e); } }); - - // final TimeValue socketTimeout = TimeValue.parseTimeValue("60s"); - // builder.setRequestConfigCallback(conf -> conf.setSocketTimeout(Math.toIntExact(socketTimeout.getMillis()))); } public void testBasicBackwardsCompatibility() throws Exception { From 2545807a3dfbdf50da6bb1b6685105e24f208050 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 12:12:15 -0400 Subject: [PATCH 27/28] Fix description Signed-off-by: Craig Perkins --- .github/actions/run-bwc-suite/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/run-bwc-suite/action.yaml b/.github/actions/run-bwc-suite/action.yaml index fd6dd47e9a..6e6a17fb3f 100644 --- a/.github/actions/run-bwc-suite/action.yaml +++ b/.github/actions/run-bwc-suite/action.yaml @@ -15,7 +15,7 @@ inputs: required: true username: - description: 'Username to user for wait for cluster health check in testClusters' + description: 'Username to use for cluster health check in testClusters' required: true password: From 7fb2ef280bc775aa938dee5ae2ebf48d00e2382b Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 29 Aug 2023 15:47:06 -0400 Subject: [PATCH 28/28] Add WhoAmI test Signed-off-by: Craig Perkins --- .../src/test/java/SecurityBackwardsCompatibilityIT.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java index fb0ca2671f..2447bb9fa9 100644 --- a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java +++ b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java 
@@ -37,6 +37,8 @@ import org.opensearch.client.RestClient; import org.opensearch.client.RestClientBuilder; +import org.junit.Assert; + public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase { private ClusterType CLUSTER_TYPE; @@ -133,6 +135,12 @@ public void testBasicBackwardsCompatibility() throws Exception { } } + @SuppressWarnings("unchecked") + public void testWhoAmI() throws Exception { + Map responseMap = (Map) getAsMap("_plugins/_security/whoami"); + Assert.assertTrue(responseMap.containsKey("dn")); + } + private enum ClusterType { OLD, MIXED,
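Review bot: `Map responseMap = (Map) getAsMap("_plugins/_security/whoami")` in the second hunk uses a raw type and needs `@SuppressWarnings("unchecked")` only because of that cast; `getAsMap` in OpenSearchRestTestCase already returns `Map<String, Object>`, so `Map<String, Object> responseMap = getAsMap("_plugins/_security/whoami");` drops both. The assertion only checks that a `dn` key is present, which holds for any authenticated principal; asserting the value too, e.g. `assertEquals(EXPECTED_DN, responseMap.get("dn"))` with `EXPECTED_DN` (placeholder) taken from the client certificate configured in `configureHttpsClient`, would actually prove the request ran as the intended identity. Since the class extends OpenSearchRestTestCase, which inherits JUnit's assertions, the `org.junit.Assert` import added in the first hunk is presumably unnecessary. The enclosing class continues outside both hunks.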