Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds SSL test support, compatibility test support #1856

29 changes: 6 additions & 23 deletions .github/actions/download-plugin/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ inputs:
description: 'The version of security plugin that should be used, e.g "3.0.0.0"'
required: true

download-location:
description: 'The location of where to download the plugin'
required: true

runs:
using: "composite"
steps:
Expand All @@ -22,26 +26,5 @@ runs:
-DremoteRepositories=https://aws.oss.sonatype.org/content/repositories/snapshots/ \
-Dartifact=org.opensearch.plugin:${{ inputs.plugin-name }}:${{ inputs.plugin-version }}-SNAPSHOT:zip \
-Dtransitive=false \
-Ddest=${{ inputs.plugin-name }}.zip
shell: bash

- name: Create Setup Script for Linux
if: ${{ runner.os == 'Linux' }}
run: |
cat > setup.sh <<'EOF'
chmod +x ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh
/bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh -t"
echo "plugins.security.unsupported.restapi.allow_securityconfig_modification: true" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
echo "cluster.routing.allocation.disk.threshold_enabled: false" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
EOF
shell: bash

- name: Create Setup Script for Windows
if: ${{ runner.os == 'Windows' }}
run: |
New-Item .\setup.bat -type file
Set-Content .\setup.bat -Value "powershell.exe -noexit -command `".\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\plugins\${{ inputs.plugin-name }}\tools\install_demo_configuration.bat -y -i -c -t`""
Add-Content -Path .\setup.bat -Value "echo plugins.security.unsupported.restapi.allow_securityconfig_modification: true >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
Add-Content -Path .\setup.bat -Value "echo cluster.routing.allocation.disk.threshold_enabled: false >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
Get-Content .\setup.bat
shell: pwsh
-Ddest=${{ inputs.download-location }}.zip
shell: bash
1 change: 1 addition & 0 deletions .github/actions/run-cypress-tests/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ runs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with A Single Plugin
uses: derek-ho/start-opensearch@v2
Expand Down
44 changes: 3 additions & 41 deletions .github/workflows/cypress-test-multidatasources-enabled-e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,45 +31,6 @@ jobs:
echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
shell: bash

- name: Create remote OpenSearch Config
if: ${{ runner.os == 'Linux' }}
run: |
cat << 'EOT' > remote_opensearch.yml
http.port: 9202
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
- 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
- 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
# TODO: change this back to true/just append to the created opensearch.yml the new port
# after the self-signed certs issue is fixed
plugins.security.ssl.http.enabled: false
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
.plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
.plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
.opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
.opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
.opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
.ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
.opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
.plugins-flow-framework-templates, .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
EOT

# Add Custom Configuration to differentiate between local and remote cluster
- name: Create Custom Configuration for Linux
if: ${{ runner.os == 'Linux'}}
Expand Down Expand Up @@ -120,16 +81,16 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{env.PLUGIN_NAME}}

- name: Run Opensearch with A Single Plugin
uses: derek-ho/start-opensearch@9202
uses: derek-ho/start-opensearch@v3
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugins: "file:$(pwd)/opensearch-security.zip"
security-enabled: true
admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
security_config_file: config_custom.yml
opensearch_yml_file: remote_opensearch.yml
opensearch_port: 9202

- name: Check OpenSearch is running
Expand All @@ -155,6 +116,7 @@ jobs:
opensearch_security.cookie.secure: false
data_source.enabled: true
home.disableWelcomeScreen: true
data_source.ssl.verificationMode: none
EOT

- name: Run Cypress Tests
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/cypress-test-tenancy-disabled.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/cypress-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
Expand Down
81 changes: 16 additions & 65 deletions .github/workflows/integration-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ jobs:
fail-fast: false
matrix:
os: [ ubuntu-latest , windows-latest ]
os_bwc_version: [2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 3.0.0]
runs-on: ${{ matrix.os }}

steps:
Expand All @@ -34,85 +35,35 @@ jobs:
echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
shell: bash

- uses: browser-actions/[email protected]
- run: geckodriver --version

- name: Set up Firefox browser
if: ${{ runner.os == 'Linux' }}
uses: browser-actions/setup-firefox@v1

- run: firefox --version
if: ${{ runner.os == 'Linux' }}

# Browser-action version does not work on Windows
- name: Set up Firefox browser for Windows
if: ${{ runner.os == 'Windows' }}
uses: RyanL1997/setup-browser@main
- name: Download security plugin and create setup scripts for remote cluster
uses: ./.github/actions/download-plugin
with:
browser: firefox
version: latest
opensearch-version: ${{ matrix.os_bwc_version }}
plugin-name: ${{ env.PLUGIN_NAME }}
download-location: ${{env.PLUGIN_NAME}}-${{matrix.os_bwc_version}}
plugin-version: ${{matrix.os_bwc_version}}.0

- name: Download security plugin and create setup scripts
- name: Download security plugin and create setup scripts for local cluster
uses: ./.github/actions/download-plugin
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
download-location: ${{env.PLUGIN_NAME}}
plugin-version: ${{ env.PLUGIN_VERSION }}

- name: Create remote OpenSearch Config
run: |
cat << 'EOT' > remote_opensearch.yml
http.port: 9202
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
- 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
- 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
# TODO: change this back to true/just append to the created opensearch.yml the new port
# after the self-signed certs issue is fixed
plugins.security.ssl.http.enabled: false
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
.plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
.plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
.opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
.opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
.opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
.ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
.opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
.plugins-flow-framework-templates, .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
EOT
shell: bash

- name: Run Opensearch with A Single Plugin
uses: derek-ho/start-opensearch@9202
- name: Run Opensearch with A Single Plugin Remote Cluster
uses: derek-ho/start-opensearch@graceful-t
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugins: "file:$(pwd)/opensearch-security.zip"
opensearch-version: ${{ matrix.os_bwc_version }}
plugins: "file:$(pwd)/opensearch-security-${{matrix.os_bwc_version}}.zip"
security-enabled: true
admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
security_config_file: ${{ inputs.security_config_file }}
opensearch_yml_file: remote_opensearch.yml
opensearch_port: 9202
port: 9202

- name: Check OpenSearch is running
# Verify that the server is operational
- name: Check OpenSearch remote is running
run: |
curl http://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123!
curl https://localhost:9202/_cat/plugins -v -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k
shell: bash

- name: Run Opensearch with security
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/verify-binary-installation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
Expand Down
17 changes: 16 additions & 1 deletion public/apps/configuration/top-nav-menu.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
import React from 'react';
import { DataSourceSelectableConfig } from 'src/plugins/data_source_management/public';
import { DataSourceOption } from 'src/plugins/data_source_management/public/components/data_source_menu/types';
import { PLUGIN_NAME } from '../../../common';
import { AppDependencies } from '../types';

export interface TopNavMenuProps extends AppDependencies {
Expand All @@ -25,6 +24,21 @@
selectedDataSource: DataSourceOption;
}

const compatibleVersion = new Set([
'2.1',
'2.2',
'2.3',
'2.4',
'2.5',
'2.6',
'2.7',
'2.8',
'2.9',
'2.10',
'2.11',
'2.12',
]);

export const SecurityPluginTopNavMenu = (props: TopNavMenuProps) => {
const {
coreStart,
Expand All @@ -48,6 +62,7 @@
savedObjects: coreStart.savedObjects.client,
notifications: coreStart.notifications,
activeOption: [selectedDataSource],
dataSourceFilter: (ds) => compatibleVersion.has(ds.attributes.version),

Check warning on line 65 in public/apps/configuration/top-nav-menu.tsx

View check run for this annotation

Codecov / codecov/patch

public/apps/configuration/top-nav-menu.tsx#L65

Added line #L65 was not covered by tests
onSelectedDataSources: (dataSources) => {
// single select for now
setDataSource(dataSources[0]);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ describe('Multi-datasources enabled', () => {
cy.get('[data-test-subj="dataSourceSelectableContextMenuHeaderLink"]').contains('9202');
});

it.skip('Checks Auth Tab', () => {
it('Checks Auth Tab', () => {
cy.visit('http://localhost:5601/app/security-dashboards-plugin#/auth');
// Local cluster auth
cy.get('.panel-header-count').first().invoke('text').should('contain', '(6)');
Expand All @@ -98,7 +98,7 @@ describe('Multi-datasources enabled', () => {
cy.get('[data-test-subj="dataSourceSelectableContextMenuHeaderLink"]').contains('9202');
});

it('Checks Users Tab', () => {
it.skip('Checks Users Tab', () => {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skipping the flaky test, will re-enable when reading from url to avoid unnecessary component clicks. #1858

cy.visit('http://localhost:5601/app/security-dashboards-plugin#/users');
// Create an internal user in the remote cluster
cy.contains('h3', 'Internal users');
Expand Down
4 changes: 2 additions & 2 deletions test/jest_integration/security_entity_api.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -438,7 +438,7 @@ describe('start OpenSearch Dashboards server multi datasources enabled', () => {
plugins: {
scanDirs: [resolve(__dirname, '../..')],
},
data_source: { enabled: true },
data_source: { enabled: true, ssl: { verificationMode: 'none' } },
opensearch: {
hosts: ['https://localhost:9200'],
ignoreVersionMismatch: true,
Expand Down Expand Up @@ -468,7 +468,7 @@ describe('start OpenSearch Dashboards server multi datasources enabled', () => {
attributes: {
title: 'test',
description: '',
endpoint: 'http://localhost:9202',
endpoint: 'https://localhost:9202',
auth: {
type: 'username_password',
credentials: {
Expand Down
Loading