Adds SSL test support, compatibility test support

.github/actions/download-plugin/action.yml

@@ -14,6 +14,10 @@ inputs:
     description: 'The version of security plugin that should be used, e.g "3.0.0.0"'
     required: true
 
+  download-location:
+    description: 'The location of where to download the plugin'
+    required: true
+
 runs:
   using: "composite"
   steps:
@@ -22,26 +26,5 @@ runs:
         -DremoteRepositories=https://aws.oss.sonatype.org/content/repositories/snapshots/ \
         -Dartifact=org.opensearch.plugin:${{ inputs.plugin-name }}:${{ inputs.plugin-version }}-SNAPSHOT:zip \
         -Dtransitive=false \
-        -Ddest=${{ inputs.plugin-name }}.zip
-      shell: bash
-
-    - name: Create Setup Script for Linux
-      if: ${{ runner.os == 'Linux' }}
-      run: |
-        cat > setup.sh <<'EOF'
-        chmod +x  ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh 
-        /bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh -t"
-        echo "plugins.security.unsupported.restapi.allow_securityconfig_modification: true" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
-        echo "cluster.routing.allocation.disk.threshold_enabled: false" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
-        EOF
-      shell: bash
-
-    - name: Create Setup Script for Windows
-      if: ${{ runner.os == 'Windows' }}
-      run: |
-        New-Item .\setup.bat -type file
-        Set-Content .\setup.bat -Value "powershell.exe -noexit -command `".\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\plugins\${{ inputs.plugin-name }}\tools\install_demo_configuration.bat -y -i -c -t`""
-        Add-Content -Path .\setup.bat -Value "echo plugins.security.unsupported.restapi.allow_securityconfig_modification: true >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
-        Add-Content -Path .\setup.bat -Value "echo cluster.routing.allocation.disk.threshold_enabled: false >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
-        Get-Content .\setup.bat
-      shell: pwsh
+        -Ddest=${{ inputs.download-location }}.zip
+      shell: bash

.github/actions/run-cypress-tests/action.yml

@@ -34,6 +34,7 @@ runs:
         opensearch-version: ${{ env.OPENSEARCH_VERSION }}
         plugin-name: ${{ env.PLUGIN_NAME }}
         plugin-version: ${{ env.PLUGIN_VERSION }}
+        download-location: ${{ env.PLUGIN_NAME }}
 
     - name: Run Opensearch with A Single Plugin
       uses: derek-ho/start-opensearch@v2

.github/workflows/cypress-test-multidatasources-enabled-e2e.yml

@@ -31,45 +31,6 @@ jobs:
           echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
         shell: bash
 
-      - name: Create remote OpenSearch Config
-        if: ${{ runner.os == 'Linux' }}
-        run: | 
-          cat << 'EOT' > remote_opensearch.yml
-          http.port: 9202
-          plugins.security.ssl.transport.pemcert_filepath: esnode.pem
-          plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
-          plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-          plugins.security.ssl.transport.enforce_hostname_verification: false
-          plugins.security.ssl.http.pemcert_filepath: esnode.pem
-          plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
-          plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-          plugins.security.allow_unsafe_democertificates: true
-          plugins.security.allow_default_init_securityindex: true
-          plugins.security.authcz.admin_dn:
-            - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-          plugins.security.nodes_dn:
-            - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-            - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-          plugins.security.audit.type: internal_opensearch
-          plugins.security.enable_snapshot_restore_privilege: true
-          plugins.security.check_snapshot_restore_write_privileges: true
-          # TODO: change this back to true/just append to the created opensearch.yml the new port
-          # after the self-signed certs issue is fixed
-          plugins.security.ssl.http.enabled: false 
-          plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
-          plugins.security.system_indices.enabled: true
-          plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
-            .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
-            .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
-            .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
-            .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
-            .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
-            .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
-            .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
-            .plugins-flow-framework-templates, .plugins-flow-framework-state]
-          node.max_local_storage_nodes: 3
-          EOT
-
       # Add Custom Configuration to differentiate between local and remote cluster
       - name: Create Custom Configuration for Linux
         if: ${{ runner.os == 'Linux'}}
@@ -120,22 +81,22 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           plugin-version: ${{ env.PLUGIN_VERSION }}
+          download-location: ${{env.PLUGIN_NAME}}
 
       - name: Run Opensearch with A Single Plugin
-        uses: derek-ho/start-opensearch@9202
+        uses: derek-ho/start-opensearch@graceful-t
         with:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugins: "file:$(pwd)/opensearch-security.zip"
           security-enabled: true
           admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
           security_config_file: config_custom.yml
-          opensearch_yml_file: remote_opensearch.yml
-          opensearch_port: 9202
+          port: 9202
 
       - name: Check OpenSearch is running
           # Verify that the server is operational
         run: |
-          curl http://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123!
+          curl https://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123! -k
         shell: bash
 
       # Configure the Dashboard for multi datasources
@@ -155,6 +116,7 @@ jobs:
           opensearch_security.cookie.secure: false
           data_source.enabled: true
           home.disableWelcomeScreen: true
+          data_source.ssl.verificationMode: none
           EOT
 
       - name: Run Cypress Tests

.github/workflows/cypress-test-tenancy-disabled.yml

@@ -44,6 +44,7 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           plugin-version: ${{ env.PLUGIN_VERSION }}
+          download-location: ${{ env.PLUGIN_NAME }}
 
       - name: Run Opensearch with security
         uses: derek-ho/start-opensearch@v2

.github/workflows/cypress-test.yml

@@ -44,6 +44,7 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           plugin-version: ${{ env.PLUGIN_VERSION }}
+          download-location: ${{ env.PLUGIN_NAME }}
 
       - name: Run Opensearch with security
         uses: derek-ho/start-opensearch@v2

.github/workflows/integration-test.yml

@@ -15,6 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ ubuntu-latest , windows-latest ]
+        os_bwc_version: [2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 3.0.0]
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -34,85 +35,35 @@ jobs:
           echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
         shell: bash
 
-      - uses: browser-actions/[email protected]
-      - run: geckodriver --version
-
-      - name: Set up Firefox browser
-        if: ${{ runner.os == 'Linux' }}
-        uses: browser-actions/setup-firefox@v1
-
-      - run: firefox --version
-        if: ${{ runner.os == 'Linux' }}
-
-      # Browser-action version does not work on Windows
-      - name: Set up Firefox browser for Windows
-        if: ${{ runner.os == 'Windows' }}
-        uses: RyanL1997/setup-browser@main
+      - name: Download security plugin and create setup scripts for remote cluster
+        uses: ./.github/actions/download-plugin
         with:
-          browser: firefox
-          version: latest
+          opensearch-version: ${{ matrix.os_bwc_version }}
+          plugin-name: ${{ env.PLUGIN_NAME }}
+          download-location: ${{env.PLUGIN_NAME}}-${{matrix.os_bwc_version}}
+          plugin-version: ${{matrix.os_bwc_version}}.0
 
-      - name: Download security plugin and create setup scripts
+      - name: Download security plugin and create setup scripts for local cluster
         uses: ./.github/actions/download-plugin
         with:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
+          download-location: ${{env.PLUGIN_NAME}}
           plugin-version: ${{ env.PLUGIN_VERSION }}
-
-      - name: Create remote OpenSearch Config
-        run: | 
-          cat << 'EOT' > remote_opensearch.yml
-          http.port: 9202
-          plugins.security.ssl.transport.pemcert_filepath: esnode.pem
-          plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
-          plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-          plugins.security.ssl.transport.enforce_hostname_verification: false
-          plugins.security.ssl.http.pemcert_filepath: esnode.pem
-          plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
-          plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-          plugins.security.allow_unsafe_democertificates: true
-          plugins.security.allow_default_init_securityindex: true
-          plugins.security.authcz.admin_dn:
-            - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-          plugins.security.nodes_dn:
-            - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-            - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-          plugins.security.audit.type: internal_opensearch
-          plugins.security.enable_snapshot_restore_privilege: true
-          plugins.security.check_snapshot_restore_write_privileges: true
-          # TODO: change this back to true/just append to the created opensearch.yml the new port
-          # after the self-signed certs issue is fixed
-          plugins.security.ssl.http.enabled: false 
-          plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
-          plugins.security.system_indices.enabled: true
-          plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
-            .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
-            .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
-            .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
-            .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
-            .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
-            .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
-            .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
-            .plugins-flow-framework-templates, .plugins-flow-framework-state]
-          node.max_local_storage_nodes: 3
-          EOT
-        shell: bash
 
-      - name: Run Opensearch with A Single Plugin
-        uses: derek-ho/start-opensearch@9202
+      - name: Run Opensearch with A Single Plugin Remote Cluster
+        uses: derek-ho/start-opensearch@graceful-t
         with:
-          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
-          plugins: "file:$(pwd)/opensearch-security.zip"
+          opensearch-version: ${{ matrix.os_bwc_version }}
+          plugins: "file:$(pwd)/opensearch-security-${{matrix.os_bwc_version}}.zip"
           security-enabled: true
           admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
           security_config_file: ${{ inputs.security_config_file }}
-          opensearch_yml_file: remote_opensearch.yml
-          opensearch_port: 9202
+          port: 9202
 
-      - name: Check OpenSearch is running
-          # Verify that the server is operational
+      - name: Check OpenSearch remote is running
         run: |
-          curl http://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123!
+          curl https://localhost:9202/_cat/plugins -v -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k
         shell: bash
 
       - name: Run Opensearch with security

.github/workflows/verify-binary-installation.yml

@@ -36,6 +36,7 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           plugin-version: ${{ env.PLUGIN_VERSION }}
+          download-location: ${{ env.PLUGIN_NAME }}
 
       - name: Run Opensearch with security
         uses: derek-ho/start-opensearch@v2

public/apps/configuration/top-nav-menu.tsx

@@ -16,7 +16,6 @@
 import React from 'react';
 import { DataSourceSelectableConfig } from 'src/plugins/data_source_management/public';
 import { DataSourceOption } from 'src/plugins/data_source_management/public/components/data_source_menu/types';
-import { PLUGIN_NAME } from '../../../common';
 import { AppDependencies } from '../types';
 
 export interface TopNavMenuProps extends AppDependencies {
@@ -25,6 +24,21 @@
   selectedDataSource: DataSourceOption;
 }
 
+const compatibleVersion = new Set([
+  '2.1',
+  '2.2',
+  '2.3',
+  '2.4',
+  '2.5',
+  '2.6',
+  '2.7',
+  '2.8',
+  '2.9',
+  '2.10',
+  '2.11',
+  '2.12',
+]);
+
 export const SecurityPluginTopNavMenu = (props: TopNavMenuProps) => {
   const {
     coreStart,
@@ -48,6 +62,7 @@
         savedObjects: coreStart.savedObjects.client,
         notifications: coreStart.notifications,
         activeOption: [selectedDataSource],
+        dataSourceFilter: (ds) => compatibleVersion.has(ds.attributes.version),
         onSelectedDataSources: (dataSources) => {
           // single select for now
           setDataSource(dataSources[0]);

test/cypress/e2e/multi-datasources/multi_datasources_enabled.spec.js

@@ -23,7 +23,7 @@ const createDataSource = () => {
     body: {
       attributes: {
         title: `9202`,
-        endpoint: `http://localhost:9202`,
+        endpoint: `https://localhost:9202`,
         auth: {
           type: 'username_password',
           credentials: {
@@ -85,7 +85,7 @@ describe('Multi-datasources enabled', () => {
     cy.get('[data-test-subj="dataSourceSelectableContextMenuHeaderLink"]').contains('9202');
   });
 
-  it.skip('Checks Auth Tab', () => {
+  it('Checks Auth Tab', () => {
     cy.visit('http://localhost:5601/app/security-dashboards-plugin#/auth');
     // Local cluster auth
     cy.get('.panel-header-count').first().invoke('text').should('contain', '(6)');
@@ -98,7 +98,7 @@ describe('Multi-datasources enabled', () => {
     cy.get('[data-test-subj="dataSourceSelectableContextMenuHeaderLink"]').contains('9202');
   });
 
-  it('Checks Users Tab', () => {
+  it.skip('Checks Users Tab', () => {
     cy.visit('http://localhost:5601/app/security-dashboards-plugin#/users');
     // Create an internal user in the remote cluster
     cy.contains('h3', 'Internal users');

test/jest_integration/security_entity_api.test.ts

@@ -438,7 +438,7 @@ describe('start OpenSearch Dashboards server multi datasources enabled', () => {
         plugins: {
           scanDirs: [resolve(__dirname, '../..')],
         },
-        data_source: { enabled: true },
+        data_source: { enabled: true, ssl: { verificationMode: 'none' } },
         opensearch: {
           hosts: ['https://localhost:9200'],
           ignoreVersionMismatch: true,
@@ -468,7 +468,7 @@ describe('start OpenSearch Dashboards server multi datasources enabled', () => {
         attributes: {
           title: 'test',
           description: '',
-          endpoint: 'http://localhost:9202',
+          endpoint: 'https://localhost:9202',
           auth: {
             type: 'username_password',
             credentials: {