diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index baa9673f92..66530cfaed 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -36,6 +36,7 @@ import java.security.PrivilegedAction; import java.security.Security; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -44,6 +45,7 @@ import java.util.Map; import java.util.Objects; import java.util.Set; +import java.util.function.BiFunction; import java.util.function.Function; import java.util.function.Predicate; import java.util.function.Supplier; @@ -118,6 +120,7 @@ import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.AuditLogSslExceptionHandler; import org.opensearch.security.auditlog.NullAuditLog; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditLogImpl; import org.opensearch.security.auth.BackendRegistry; import org.opensearch.security.compliance.ComplianceIndexingOperationListener; @@ -949,6 +952,31 @@ public List> getSettings() { settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Property.NodeScope, Property.Filtered)); + final BiFunction> boolSettingNodeScopeFiltered = (String keyWithNamespace, Boolean value) -> Setting.boolSetting(keyWithNamespace, value, Property.NodeScope, Property.Filtered); + + Arrays.stream(FilterEntries.values()).map(filterEntry -> { + switch(filterEntry) { + case DISABLE_REST_CATEGORIES: + case DISABLE_TRANSPORT_CATEGORIES: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), disabledCategories, Function.identity(), Property.NodeScope); + case IGNORE_REQUESTS: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), Property.NodeScope); + case IGNORE_USERS: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), ignoredUsers, Function.identity(), Property.NodeScope); + // All boolean settings with default of true + case ENABLE_REST: + case ENABLE_TRANSPORT: + case EXCLUDE_SENSITIVE_HEADERS: + case LOG_REQUEST_BODY: + case RESOLVE_INDICES: + return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), true); + case RESOLVE_BULK_REQUESTS: + return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), false); + default: + throw new RuntimeException("Please add support for new FilterEntries value '" + filterEntry.name() + "'"); + } + }).forEach(settings::add); + // Security - Audit - Sink settings.add(Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, Property.NodeScope, Property.Filtered)); diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 7e5e674245..5fb11102a8 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -37,6 +37,7 @@ import org.opensearch.security.support.WildcardMatcher; import static org.opensearch.security.DefaultObjectMapper.getOrDefault; +import static org.opensearch.security.support.ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT; /** * Class represents configuration for audit logging. @@ -126,9 +127,9 @@ public static AuditConfig from(final Settings settings) { */ @JsonInclude(JsonInclude.Include.NON_NULL) public static class Filter { + private static Set FIELDS = DefaultObjectMapper.getFields(Filter.class); @VisibleForTesting public static final Filter DEFAULT = Filter.from(Settings.EMPTY); - private static Set FIELDS = DefaultObjectMapper.getFields(Filter.class); private final boolean isRestApiAuditEnabled; private final boolean isTransportApiAuditEnabled; @@ -170,6 +171,35 @@ public static class Filter { this.disabledTransportCategories = disabledTransportCategories; } + public enum FilterEntries { + ENABLE_REST("enable_rest", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST), + ENABLE_TRANSPORT("enable_transport", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT), + RESOLVE_BULK_REQUESTS("resolve_bulk_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS), + LOG_REQUEST_BODY("log_request_body", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY), + RESOLVE_INDICES("resolve_indices", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES), + EXCLUDE_SENSITIVE_HEADERS("exclude_sensitive_headers", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS), + DISABLE_REST_CATEGORIES("disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES), + DISABLE_TRANSPORT_CATEGORIES("disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES), + IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS), + IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS); + + private final String key; + private final String legacyKeyWithNamespace; + FilterEntries(final String entryKey, final String legacyKeyWithNamespace) { + this.key = entryKey; + this.legacyKeyWithNamespace = legacyKeyWithNamespace; + } + public String getKey() { + return this.key; + } + public String getKeyWithNamespace() { + return SECURITY_AUDIT_CONFIG_DEFAULT + "."+ this.key; + } + public String getLegacyKeyWithNamespace() { + return this.legacyKeyWithNamespace; + } + } + @JsonCreator @VisibleForTesting public static Filter from(Map properties) throws JsonProcessingException { @@ -177,16 +207,16 @@ public static Filter from(Map properties) throws JsonProcessingE throw new UnrecognizedPropertyException(null, "Unrecognized field(s) present in the input data for audit filter config", null, Filter.class, null, null); } - final boolean isRestApiAuditEnabled = getOrDefault(properties,"enable_rest", true); - final boolean isTransportAuditEnabled = getOrDefault(properties,"enable_transport", true); - final boolean resolveBulkRequests = getOrDefault(properties, "resolve_bulk_requests", false); - final boolean logRequestBody = getOrDefault(properties, "log_request_body", true); - final boolean resolveIndices = getOrDefault(properties, "resolve_indices", true); - final boolean excludeSensitiveHeaders = getOrDefault(properties, "exclude_sensitive_headers", true); - final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); - final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); - final Set ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, "ignore_users", DEFAULT_IGNORED_USERS)); - final Set ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, "ignore_requests", Collections.emptyList())); + final boolean isRestApiAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_REST.getKey(), true); + final boolean isTransportAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_TRANSPORT.getKey(), true); + final boolean resolveBulkRequests = getOrDefault(properties, FilterEntries.RESOLVE_BULK_REQUESTS.getKey(), false); + final boolean logRequestBody = getOrDefault(properties, FilterEntries.LOG_REQUEST_BODY.getKey(), true); + final boolean resolveIndices = getOrDefault(properties, FilterEntries.RESOLVE_INDICES.getKey(), true); + final boolean excludeSensitiveHeaders = getOrDefault(properties, FilterEntries.EXCLUDE_SENSITIVE_HEADERS.getKey(), true); + final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_REST_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS)); + final Set ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())); return new Filter( isRestApiAuditEnabled, @@ -208,24 +238,16 @@ public static Filter from(Map properties) throws JsonProcessingE * @return audit configuration filter */ public static Filter from(Settings settings) { - final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true); - final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true); - final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false); - final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true); - final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true); - final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true); - final Set disabledRestCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); - final Set disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); - - final Set ignoredAuditUsers = ConfigConstants.getSettingAsSet( - settings, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, - DEFAULT_IGNORED_USERS, - false); - - final Set ignoreAuditRequests = ImmutableSet.copyOf(settings.getAsList( - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, - Collections.emptyList())); + final boolean isRestApiAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_REST, true); + final boolean isTransportAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_TRANSPORT, true); + final boolean resolveBulkRequests = fromSettingBoolean(settings, FilterEntries.RESOLVE_BULK_REQUESTS, false); + final boolean logRequestBody = fromSettingBoolean(settings, FilterEntries.LOG_REQUEST_BODY, true); + final boolean resolveIndices = fromSettingBoolean(settings, FilterEntries.RESOLVE_INDICES, true); + final boolean excludeSensitiveHeaders = fromSettingBoolean(settings, FilterEntries.EXCLUDE_SENSITIVE_HEADERS, true); + final Set disabledRestCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_REST_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledTransportCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_TRANSPORT_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS); + final Set ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList()); return new Filter(isRestApiAuditEnabled, isTransportAuditEnabled, @@ -239,6 +261,31 @@ public static Filter from(Settings settings) { disabledTransportCategories); } + static boolean fromSettingBoolean(final Settings settings, FilterEntries filterEntry, final boolean defaultValue) { + return settings.getAsBoolean(filterEntry.getKeyWithNamespace(), settings.getAsBoolean(filterEntry.getLegacyKeyWithNamespace(), defaultValue)); + } + + static Set fromSettingStringSet(final Settings settings, FilterEntries filterEntry, final List defaultValue) { + final String defaultDetectorValue = "__DEFAULT_DETECTION__"; + final Set stringSetOfKey = ConfigConstants.getSettingAsSet( + settings, + filterEntry.getKeyWithNamespace(), + ImmutableList.of(defaultDetectorValue), + true); + + final boolean foundDefault = stringSetOfKey.stream().anyMatch(defaultDetectorValue::equals); + if (!foundDefault) { + return stringSetOfKey; + } + + // Fallback to the legacy keyname + return ConfigConstants.getSettingAsSet( + settings, + filterEntry.getLegacyKeyWithNamespace(), + defaultValue, + true); + } + /** * Checks if auditing for REST API is enabled or disabled * @return true/false diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java index 802479a123..20f8b4e777 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java @@ -17,9 +17,6 @@ import com.google.common.collect.ImmutableSet; -import org.opensearch.common.settings.Settings; -import org.opensearch.security.support.ConfigConstants; - public enum AuditCategory { BAD_HEADERS, FAILED_LOGIN, @@ -45,8 +42,4 @@ public static Set parse(final Collection categories) { .map(AuditCategory::valueOf) .collect(ImmutableSet.toImmutableSet()); } - - public static Set from(final Settings settings, final String key) { - return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true)); - } } diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 91fa164b18..12ca085f37 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java @@ -437,6 +437,14 @@ public AuditCategory getCategory() { return msgCategory; } + public Origin getOrigin() { + return (Origin) this.auditInfo.get(ORIGIN); + } + + public String getPrivilege() { + return (String) this.auditInfo.get(PRIVILEGE); + } + public String getExceptionStackTrace() { return (String) this.auditInfo.get(EXCEPTION); } diff --git a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java index 0788b0f587..dc0cd8d4cb 100644 --- a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java +++ b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java @@ -11,6 +11,7 @@ package org.opensearch.security.auditlog; +import java.util.Arrays; import java.util.Collection; import com.fasterxml.jackson.databind.JsonNode; @@ -26,6 +27,8 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; +import static org.opensearch.security.auditlog.config.AuditConfig.DEPRECATED_KEYS; + public abstract class AbstractAuditlogiUnitTest extends SingleClusterTest { protected RestHelper rh = null; @@ -36,20 +39,25 @@ protected String getResourceFolder() { return "auditlog"; } - protected final void setup(Settings additionalSettings) throws Exception { - final Settings.Builder auditSettingsBuilder = Settings.builder(); - final Settings.Builder additionalSettingsBuilder = Settings.builder().put(additionalSettings); - AuditConfig.DEPRECATED_KEYS.forEach(key -> { - if (additionalSettingsBuilder.get(key) != null) { - auditSettingsBuilder.put(key, additionalSettings.get(key)); - additionalSettingsBuilder.remove(key); + protected final void setup(Settings settings) throws Exception { + final Settings.Builder auditConfigSettings = Settings.builder(); + final Settings.Builder defaultNodeSettings = Settings.builder(); + // Separate the cluster defaults from audit settings that will be applied after the cluster is up + settings.keySet().forEach(key -> { + final boolean moveToAuditConfig = Arrays.stream(AuditConfig.Filter.FilterEntries.values()) + .anyMatch(entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key)) + || DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase); + if (moveToAuditConfig) { + auditConfigSettings.put(key, settings.get(key)); + } else { + defaultNodeSettings.put(key, settings.get(key)); } }); - final Settings nodeSettings = defaultNodeSettings(additionalSettingsBuilder.build()); + final Settings nodeSettings = defaultNodeSettings(defaultNodeSettings.build()); setup(Settings.EMPTY, new DynamicSecurityConfig(), nodeSettings, init); rh = restHelper(); - updateAuditConfig(auditSettingsBuilder.build()); + updateAuditConfig(auditConfigSettings.build()); } protected Settings defaultNodeSettings(Settings additionalSettings) { diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java index 6764aaa12a..4b4676d852 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java @@ -13,14 +13,21 @@ import java.util.Collections; import java.util.EnumSet; +import java.util.List; +import java.util.Set; +import java.util.function.Function; +import com.google.common.collect.ImmutableSet; import org.junit.Test; import org.opensearch.common.settings.Settings; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditCategory; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.WildcardMatcher; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertSame; @@ -122,4 +129,103 @@ public void testEmpty() { assertTrue(auditConfigFilter.getDisabledRestCategories().isEmpty()); assertTrue(auditConfigFilter.getDisabledTransportCategories().isEmpty()); } + + + @Test + public void testFilterEntries() { + assertThat(FilterEntries.ENABLE_REST.getKey(), equalTo("enable_rest")); + assertThat(FilterEntries.ENABLE_REST.getKeyWithNamespace(), equalTo("plugins.security.audit.config.enable_rest")); + assertThat(FilterEntries.ENABLE_REST.getLegacyKeyWithNamespace(), equalTo("opendistro_security.audit.enable_rest")); + } + + @Test + public void fromSettingBoolean() { + final FilterEntries entry = FilterEntries.ENABLE_REST; + + // Use primary key + final Settings settings1 = Settings.builder() + .put(entry.getKeyWithNamespace(), false) + .put(entry.getLegacyKeyWithNamespace(), true) + .build(); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings1, entry, true), equalTo(false)); + + // Use fallback key + final Settings settings2 = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), false) + .build(); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings2, entry, true), equalTo(false)); + + // Use default + assertThat(AuditConfig.Filter.fromSettingBoolean(Settings.builder().build(), entry, true), equalTo(true)); + } + + @Test + public void fromSettingStringSet() { + final FilterEntries entry = FilterEntries.IGNORE_USERS; + + // Use primary key + final Settings settings1 = Settings.builder() + .putList(entry.getKeyWithNamespace(), "abc") + .putList(entry.getLegacyKeyWithNamespace(), "def") + .build(); + assertThat(AuditConfig.Filter.fromSettingStringSet(settings1, entry, List.of("xyz")), equalTo(ImmutableSet.of("abc"))); + + // Use fallback key + final Settings settings2 = Settings.builder() + .putList(entry.getLegacyKeyWithNamespace(), "def") + .build(); + assertThat(AuditConfig.Filter.fromSettingStringSet(settings2, entry, List.of("xyz")), equalTo(ImmutableSet.of("def"))); + + // Use default + assertThat(AuditConfig.Filter.fromSettingStringSet(Settings.builder().build(), entry, List.of("xyz")), equalTo(ImmutableSet.of("xyz"))); + } + + @Test + public void fromSettingParseAuditCategory() { + final FilterEntries entry = FilterEntries.DISABLE_REST_CATEGORIES; + final Function> parse = (settings) -> + AuditCategory.parse(AuditConfig.Filter.fromSettingStringSet(settings, entry, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + + final Settings noValues = Settings.builder().build(); + assertThat(parse.apply(noValues), equalTo(ImmutableSet.of(AUTHENTICATED, GRANTED_PRIVILEGES))); + + final Settings legacySettingNone = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), "NONE") + .build(); + assertThat(parse.apply(legacySettingNone), equalTo(ImmutableSet.of())); + + final Settings legacySettingValue = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name()) + .build(); + assertThat(parse.apply(legacySettingValue), equalTo(ImmutableSet.of(AUTHENTICATED))); + + final Settings legacySettingMultipleValues = Settings.builder() + .putList(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name()) + .build(); + assertThat(parse.apply(legacySettingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + + final Settings settingNone = Settings.builder() + .put(entry.getKeyWithNamespace(), "NONE") + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingNone), equalTo(ImmutableSet.of())); + + final Settings settingValue = Settings.builder() + .put(entry.getKeyWithNamespace(), AUTHENTICATED.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingValue), equalTo(ImmutableSet.of(AUTHENTICATED))); + + final Settings settingMultipleValues = Settings.builder() + .putList(entry.getKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + + final Settings settingMultipleValuesString = Settings.builder() + .put(entry.getKeyWithNamespace(), AUTHENTICATED.name() + "," + BAD_HEADERS.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + } } diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java index b127f684b7..8581a9a817 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java @@ -30,8 +30,10 @@ import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.auditlog.AbstractAuditlogiUnitTest; +import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.AuditTestUtils; import org.opensearch.security.auditlog.config.AuditConfig; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditCategory; import org.opensearch.security.auditlog.impl.AuditMessage; import org.opensearch.security.compliance.ComplianceConfig; @@ -39,6 +41,8 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; import static org.opensearch.rest.RestRequest.Method.DELETE; import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.PATCH; @@ -75,31 +79,39 @@ public void testAuditLogEnable() throws Exception { } @Test - public void testSimpleAuthenticated() throws Exception { + public void testSimpleAuthenticatedSetting() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKeyWithNamespace(), "NONE") + .build(); + verifyAuthenticated(settings); + } - Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated") - .build(); + @Test + public void testSimpleAuthenticatedLegacySetting() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); + verifyAuthenticated(settings); + } - setup(additionalSettings); - setupStarfleetIndex(); - TestAuditlogImpl.clear(); + private void verifyAuthenticated(final Settings settings) throws Exception { + setup(settings); - System.out.println("#### testSimpleAuthenticated"); - HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - Thread.sleep(1500); - Assert.assertEquals(1, TestAuditlogImpl.messages.size()); - System.out.println(TestAuditlogImpl.sb.toString()); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("GRANTED_PRIVILEGES")); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("indices:data/read/search")); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("REST")); - Assert.assertFalse(TestAuditlogImpl.sb.toString().toLowerCase().contains("authorization")); - Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); + + final List messages = TestAuditlogImpl.doThenWaitForMessages( + () -> { + final HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); + assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK)); + }, + /* expectedCount*/ 1); + + assertThat(messages.size(), equalTo(1)); + + assertThat(messages.get(0).getCategory(), equalTo(AuditCategory.GRANTED_PRIVILEGES)); + assertThat(messages.get(0).getOrigin(), equalTo(Origin.REST)); + assertThat(messages.get(0).getPrivilege(), equalTo("indices:data/read/search")); } @Test