Add missing settings to plugin allowed list #1814

Merged
merged 19 commits into from
Jun 9, 2022
Expand Up @@ -40,6 +40,7 @@
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
Expand All @@ -48,6 +49,7 @@
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
Expand Down Expand Up @@ -122,6 +124,7 @@
import org.opensearch.security.auditlog.AuditLog.Origin;
import org.opensearch.security.auditlog.AuditLogSslExceptionHandler;
import org.opensearch.security.auditlog.NullAuditLog;
import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries;
import org.opensearch.security.auditlog.impl.AuditLogImpl;
import org.opensearch.security.auth.BackendRegistry;
import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
Expand Down Expand Up @@ -953,6 +956,31 @@ public List<Setting<?>> getSettings() {
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Property.NodeScope, Property.Filtered));

final BiFunction<String, Boolean, Setting<Boolean>> boolSettingNodeScopeFiltered = (String keyWithNamespace, Boolean value) -> Setting.boolSetting(keyWithNamespace, value, Property.NodeScope, Property.Filtered);

Arrays.stream(FilterEntries.values()).map(filterEntry -> {
switch(filterEntry) {
case DISABLE_REST_CATEGORIES:
case DISABLE_TRANSPORT_CATEGORIES:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), disabledCategories, Function.identity(), Property.NodeScope);
case IGNORE_REQUESTS:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), Property.NodeScope);
case IGNORE_USERS:
return Setting.listSetting(filterEntry.getKeyWithNamespace(), ignoredUsers, Function.identity(), Property.NodeScope);
// All boolean settings with default of true
case ENABLE_REST:
case ENABLE_TRANSPORT:
case EXCLUDE_SENSITIVE_HEADERS:
case LOG_REQUEST_BODY:
case RESOLVE_INDICES:
return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), true);
case RESOLVE_BULK_REQUESTS:
return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), false);
default:
throw new RuntimeException("Please add support for new FilterEntries value '" + filterEntry.name() + "'");
}
}).forEach(settings::add);


// Security - Audit - Sink
settings.add(Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, Property.NodeScope, Property.Filtered));
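Review bot: The `default` branch of the switch throws a bare `RuntimeException` when a `FilterEntries` constant has no matching case; that is an internal invariant violation, for which `IllegalStateException` is the conventional type, e.g. `throw new IllegalStateException("Please add support for new FilterEntries value '" + filterEntry.name() + "'");`. Also worth a check: the boolean settings produced by `boolSettingNodeScopeFiltered` carry `Property.Filtered`, while the list settings for the category, `ignore_users` and `ignore_requests` keys are registered with `Property.NodeScope` only and will therefore be visible through the settings APIs; if the legacy list keys registered above this hunk are filtered, the new namespaced keys should match so the exemption lists are exposed consistently. `getSettings` continues outside the hunk.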
Expand Up @@ -41,6 +41,7 @@
import org.opensearch.security.support.WildcardMatcher;

import static org.opensearch.security.DefaultObjectMapper.getOrDefault;
import static org.opensearch.security.support.ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT;

/**
* Class represents configuration for audit logging.
Expand Down Expand Up @@ -130,9 +131,9 @@ public static AuditConfig from(final Settings settings) {
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
public static class Filter {
private static Set<String> FIELDS = DefaultObjectMapper.getFields(Filter.class);
Member Author

After adding changes to the .from method, the order of these static fields was incorrect, causing static constructors to fail. A great reminder to use lazy loading to avoid having to manage static order of operations.

@VisibleForTesting
public static final Filter DEFAULT = Filter.from(Settings.EMPTY);
private static Set<String> FIELDS = DefaultObjectMapper.getFields(Filter.class);

private final boolean isRestApiAuditEnabled;
private final boolean isTransportApiAuditEnabled;
Expand Down Expand Up @@ -174,23 +175,52 @@ public static class Filter {
this.disabledTransportCategories = disabledTransportCategories;
}

public enum FilterEntries {
ENABLE_REST("enable_rest", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST),
ENABLE_TRANSPORT("enable_transport", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT),
RESOLVE_BULK_REQUESTS("resolve_bulk_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS),
LOG_REQUEST_BODY("log_request_body", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY),
RESOLVE_INDICES("resolve_indices", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES),
EXCLUDE_SENSITIVE_HEADERS("exclude_sensitive_headers", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS),
DISABLE_REST_CATEGORIES("disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES),
DISABLE_TRANSPORT_CATEGORIES("disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES),
IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS),
IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS);

private final String key;
private final String legacyKeyWithNamespace;
FilterEntries(final String entryKey, final String legacyKeyWithNamespace) {
this.key = entryKey;
this.legacyKeyWithNamespace = legacyKeyWithNamespace;
}
public String getKey() {
return this.key;
}
public String getKeyWithNamespace() {
return SECURITY_AUDIT_CONFIG_DEFAULT + "."+ this.key;
}
public String getLegacyKeyWithNamespace() {
return this.legacyKeyWithNamespace;
}
}

@JsonCreator
@VisibleForTesting
public static Filter from(Map<String, Object> properties) throws JsonProcessingException {
if (!FIELDS.containsAll(properties.keySet())) {
throw new UnrecognizedPropertyException(null, "Unrecognized field(s) present in the input data for audit filter config", null, Filter.class, null, null);
}

final boolean isRestApiAuditEnabled = getOrDefault(properties,"enable_rest", true);
final boolean isTransportAuditEnabled = getOrDefault(properties,"enable_transport", true);
final boolean resolveBulkRequests = getOrDefault(properties, "resolve_bulk_requests", false);
final boolean logRequestBody = getOrDefault(properties, "log_request_body", true);
final boolean resolveIndices = getOrDefault(properties, "resolve_indices", true);
final boolean excludeSensitiveHeaders = getOrDefault(properties, "exclude_sensitive_headers", true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, "ignore_users", DEFAULT_IGNORED_USERS));
final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, "ignore_requests", Collections.emptyList()));
final boolean isRestApiAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_REST.getKey(), true);
final boolean isTransportAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_TRANSPORT.getKey(), true);
final boolean resolveBulkRequests = getOrDefault(properties, FilterEntries.RESOLVE_BULK_REQUESTS.getKey(), false);
final boolean logRequestBody = getOrDefault(properties, FilterEntries.LOG_REQUEST_BODY.getKey(), true);
final boolean resolveIndices = getOrDefault(properties, FilterEntries.RESOLVE_INDICES.getKey(), true);
final boolean excludeSensitiveHeaders = getOrDefault(properties, FilterEntries.EXCLUDE_SENSITIVE_HEADERS.getKey(), true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_REST_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS));
final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()));

return new Filter(
isRestApiAuditEnabled,
Expand All @@ -212,24 +242,16 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
* @return audit configuration filter
*/
public static Filter from(Settings settings) {
final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true);
final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true);
final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false);
final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true);
final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true);
final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES);
final Set<AuditCategory> disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES);

final Set<String> ignoredAuditUsers = ConfigConstants.getSettingAsSet(
settings,
ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS,
DEFAULT_IGNORED_USERS,
false);

final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(settings.getAsList(
ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS,
Collections.emptyList()));
final boolean isRestApiAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_REST, true);
final boolean isTransportAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_TRANSPORT, true);
final boolean resolveBulkRequests = fromSettingBoolean(settings, FilterEntries.RESOLVE_BULK_REQUESTS, false);
final boolean logRequestBody = fromSettingBoolean(settings, FilterEntries.LOG_REQUEST_BODY, true);
final boolean resolveIndices = fromSettingBoolean(settings, FilterEntries.RESOLVE_INDICES, true);
final boolean excludeSensitiveHeaders = fromSettingBoolean(settings, FilterEntries.EXCLUDE_SENSITIVE_HEADERS, true);
final Set<AuditCategory> disabledRestCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_REST_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<AuditCategory> disabledTransportCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_TRANSPORT_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT));
final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS);
final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList());

return new Filter(isRestApiAuditEnabled,
isTransportAuditEnabled,
Expand All @@ -243,6 +265,31 @@ public static Filter from(Settings settings) {
disabledTransportCategories);
}

static boolean fromSettingBoolean(final Settings settings, FilterEntries filterEntry, final boolean defaultValue) {
return settings.getAsBoolean(filterEntry.getKeyWithNamespace(), settings.getAsBoolean(filterEntry.getLegacyKeyWithNamespace(), defaultValue));
}

static Set<String> fromSettingStringSet(final Settings settings, FilterEntries filterEntry, final List<String> defaultValue) {
final String defaultDetectorValue = "__DEFAULT_DETECTION__";
final Set<String> stringSetOfKey = ConfigConstants.getSettingAsSet(
settings,
filterEntry.getKeyWithNamespace(),
ImmutableList.of(defaultDetectorValue),
true);

final boolean foundDefault = stringSetOfKey.stream().anyMatch(defaultDetectorValue::equals);
if (!foundDefault) {
return stringSetOfKey;
}

// Fallback to the legacy keyname
return ConfigConstants.getSettingAsSet(
settings,
filterEntry.getLegacyKeyWithNamespace(),
defaultValue,
true);
}

/**
* Checks if auditing for REST API is enabled or disabled
* @return true/false
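Review bot: `fromSettingStringSet` detects an unset namespaced key by passing the sentinel `"__DEFAULT_DETECTION__"` as the default and scanning the returned set for it, so a configured list that happens to contain that string would silently fall back to the legacy key, and the detection depends on `ConfigConstants.getSettingAsSet` (outside this hunk) handing the default back unchanged. If `Settings` offers a presence check such as `hasValue(key)`, testing that and then reading whichever key is present would remove the sentinel and make the precedence explicit. The same precedence (namespaced key, then legacy key, then `defaultValue`) is implemented in `fromSettingBoolean`, but neither helper documents it; a Javadoc line such as `/** Reads the namespaced key, falling back to the legacy key and then to {@code defaultValue}. */` on each would help readers of `from(Settings)`.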
Expand Up @@ -21,9 +21,6 @@

import com.google.common.collect.ImmutableSet;

import org.opensearch.common.settings.Settings;
import org.opensearch.security.support.ConfigConstants;

public enum AuditCategory {
BAD_HEADERS,
FAILED_LOGIN,
Expand All @@ -49,8 +46,4 @@ public static Set<AuditCategory> parse(final Collection<String> categories) {
.map(AuditCategory::valueOf)
.collect(ImmutableSet.toImmutableSet());
}

public static Set<AuditCategory> from(final Settings settings, final String key) {
return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true));
}
}
Expand Up @@ -441,6 +441,14 @@ public AuditCategory getCategory() {
return msgCategory;
}

public Origin getOrigin() {
return (Origin) this.auditInfo.get(ORIGIN);
}

public String getPrivilege() {
return (String) this.auditInfo.get(PRIVILEGE);
}

public String getExceptionStackTrace() {
return (String) this.auditInfo.get(EXCEPTION);
}
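Review bot: `getOrigin` and `getPrivilege` return the raw map entry through an unchecked cast and yield `null` when the key is absent, like the neighbouring `getExceptionStackTrace`, but nothing tells callers that; a Javadoc such as `/** @return the request origin recorded for this message, or {@code null} if none was set. */` on each getter would make the contract visible. Whether every writer stores an `Origin` instance under `ORIGIN` (rather than, say, its name as a String) is not visible in this hunk; if any path stores a String, the cast throws `ClassCastException` at the call site.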
Expand Up @@ -15,6 +15,7 @@

package org.opensearch.security.auditlog;

import java.util.Arrays;
import java.util.Collection;

import com.fasterxml.jackson.databind.JsonNode;
Expand All @@ -30,6 +31,8 @@
import org.opensearch.security.test.helper.file.FileHelper;
import org.opensearch.security.test.helper.rest.RestHelper;

import static org.opensearch.security.auditlog.config.AuditConfig.DEPRECATED_KEYS;

public abstract class AbstractAuditlogiUnitTest extends SingleClusterTest {

protected RestHelper rh = null;
Expand All @@ -40,20 +43,25 @@ protected String getResourceFolder() {
return "auditlog";
}

protected final void setup(Settings additionalSettings) throws Exception {
final Settings.Builder auditSettingsBuilder = Settings.builder();
final Settings.Builder additionalSettingsBuilder = Settings.builder().put(additionalSettings);
AuditConfig.DEPRECATED_KEYS.forEach(key -> {
if (additionalSettingsBuilder.get(key) != null) {
auditSettingsBuilder.put(key, additionalSettings.get(key));
additionalSettingsBuilder.remove(key);
protected final void setup(Settings settings) throws Exception {
final Settings.Builder auditConfigSettings = Settings.builder();
final Settings.Builder defaultNodeSettings = Settings.builder();
// Separate the cluster defaults from audit settings that will be applied after the cluster is up
settings.keySet().forEach(key -> {
final boolean moveToAuditConfig = Arrays.stream(AuditConfig.Filter.FilterEntries.values())
.anyMatch(entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key))
|| DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase);
if (moveToAuditConfig) {
auditConfigSettings.put(key, settings.get(key));
} else {
defaultNodeSettings.put(key, settings.get(key));
}
});

final Settings nodeSettings = defaultNodeSettings(additionalSettingsBuilder.build());
final Settings nodeSettings = defaultNodeSettings(defaultNodeSettings.build());
setup(Settings.EMPTY, new DynamicSecurityConfig(), nodeSettings, init);
rh = restHelper();
updateAuditConfig(auditSettingsBuilder.build());
updateAuditConfig(auditConfigSettings.build());
}

protected Settings defaultNodeSettings(Settings additionalSettings) {
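Review bot: The partitioning loop in `setup` copies every key with `settings.get(key)` into a `Settings.Builder.put(key, String)`, which for list-valued settings (the `ignore_users`, `ignore_requests` and category entries this PR adds are exactly that) may store the list's string form instead of the list; the previous code only did this for `DEPRECATED_KEYS`, so the scope of the risk has grown. If `Settings.Builder#copy(key, settings)` is available it preserves the value type, e.g. `auditConfigSettings.copy(key, settings);` and `defaultNodeSettings.copy(key, settings);` in the two branches. Separately, the matching uses `equalsIgnoreCase` while settings keys are otherwise treated as exact strings, so a mis-cased key would be routed to the audit config and then not recognised there; `equals` would surface such a typo earlier.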