From 38feee3a08d66c1387e4a1d05414fe48fccd63a8 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Thu, 9 Jun 2022 15:13:48 -0500 Subject: [PATCH] Add missing settings to plugin allowed list (#1814) * Add missing settings to plugin allowed list As settings have migrated from opendistro_security -> plugins.security, there were missed settings for the audit filter entries. This caused unknown setting errors when starting OpenSearch, and these settings values were not being applied correctly affecting the runtime behavior of the audit log filters. Signed-off-by: Stephen Crawford --- .../security/OpenSearchSecurityPlugin.java | 28 +++++ .../security/auditlog/config/AuditConfig.java | 105 ++++++++++++----- .../security/auditlog/impl/AuditCategory.java | 7 -- .../security/auditlog/impl/AuditMessage.java | 8 ++ .../auditlog/AbstractAuditlogiUnitTest.java | 26 +++-- .../config/AuditConfigFilterTest.java | 106 ++++++++++++++++++ .../integration/BasicAuditlogTest.java | 56 +++++---- 7 files changed, 269 insertions(+), 67 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index baa9673f92..66530cfaed 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -36,6 +36,7 @@ import java.security.PrivilegedAction; import java.security.Security; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -44,6 +45,7 @@ import java.util.Map; import java.util.Objects; import java.util.Set; +import java.util.function.BiFunction; import java.util.function.Function; import java.util.function.Predicate; import java.util.function.Supplier; @@ -118,6 +120,7 @@ import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.AuditLogSslExceptionHandler; import org.opensearch.security.auditlog.NullAuditLog; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditLogImpl; import org.opensearch.security.auth.BackendRegistry; import org.opensearch.security.compliance.ComplianceIndexingOperationListener; @@ -949,6 +952,31 @@ public List> getSettings() { settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Property.NodeScope, Property.Filtered)); + final BiFunction> boolSettingNodeScopeFiltered = (String keyWithNamespace, Boolean value) -> Setting.boolSetting(keyWithNamespace, value, Property.NodeScope, Property.Filtered); + + Arrays.stream(FilterEntries.values()).map(filterEntry -> { + switch(filterEntry) { + case DISABLE_REST_CATEGORIES: + case DISABLE_TRANSPORT_CATEGORIES: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), disabledCategories, Function.identity(), Property.NodeScope); + case IGNORE_REQUESTS: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), Property.NodeScope); + case IGNORE_USERS: + return Setting.listSetting(filterEntry.getKeyWithNamespace(), ignoredUsers, Function.identity(), Property.NodeScope); + // All boolean settings with default of true + case ENABLE_REST: + case ENABLE_TRANSPORT: + case EXCLUDE_SENSITIVE_HEADERS: + case LOG_REQUEST_BODY: + case RESOLVE_INDICES: + return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), true); + case RESOLVE_BULK_REQUESTS: + return boolSettingNodeScopeFiltered.apply(filterEntry.getKeyWithNamespace(), false); + default: + throw new RuntimeException("Please add support for new FilterEntries value '" + filterEntry.name() + "'"); + } + }).forEach(settings::add); + // Security - Audit - Sink settings.add(Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, Property.NodeScope, Property.Filtered)); diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 7e5e674245..5fb11102a8 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -37,6 +37,7 @@ import org.opensearch.security.support.WildcardMatcher; import static org.opensearch.security.DefaultObjectMapper.getOrDefault; +import static org.opensearch.security.support.ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT; /** * Class represents configuration for audit logging. @@ -126,9 +127,9 @@ public static AuditConfig from(final Settings settings) { */ @JsonInclude(JsonInclude.Include.NON_NULL) public static class Filter { + private static Set FIELDS = DefaultObjectMapper.getFields(Filter.class); @VisibleForTesting public static final Filter DEFAULT = Filter.from(Settings.EMPTY); - private static Set FIELDS = DefaultObjectMapper.getFields(Filter.class); private final boolean isRestApiAuditEnabled; private final boolean isTransportApiAuditEnabled; @@ -170,6 +171,35 @@ public static class Filter { this.disabledTransportCategories = disabledTransportCategories; } + public enum FilterEntries { + ENABLE_REST("enable_rest", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST), + ENABLE_TRANSPORT("enable_transport", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT), + RESOLVE_BULK_REQUESTS("resolve_bulk_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS), + LOG_REQUEST_BODY("log_request_body", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY), + RESOLVE_INDICES("resolve_indices", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES), + EXCLUDE_SENSITIVE_HEADERS("exclude_sensitive_headers", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS), + DISABLE_REST_CATEGORIES("disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES), + DISABLE_TRANSPORT_CATEGORIES("disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES), + IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS), + IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS); + + private final String key; + private final String legacyKeyWithNamespace; + FilterEntries(final String entryKey, final String legacyKeyWithNamespace) { + this.key = entryKey; + this.legacyKeyWithNamespace = legacyKeyWithNamespace; + } + public String getKey() { + return this.key; + } + public String getKeyWithNamespace() { + return SECURITY_AUDIT_CONFIG_DEFAULT + "."+ this.key; + } + public String getLegacyKeyWithNamespace() { + return this.legacyKeyWithNamespace; + } + } + @JsonCreator @VisibleForTesting public static Filter from(Map properties) throws JsonProcessingException { @@ -177,16 +207,16 @@ public static Filter from(Map properties) throws JsonProcessingE throw new UnrecognizedPropertyException(null, "Unrecognized field(s) present in the input data for audit filter config", null, Filter.class, null, null); } - final boolean isRestApiAuditEnabled = getOrDefault(properties,"enable_rest", true); - final boolean isTransportAuditEnabled = getOrDefault(properties,"enable_transport", true); - final boolean resolveBulkRequests = getOrDefault(properties, "resolve_bulk_requests", false); - final boolean logRequestBody = getOrDefault(properties, "log_request_body", true); - final boolean resolveIndices = getOrDefault(properties, "resolve_indices", true); - final boolean excludeSensitiveHeaders = getOrDefault(properties, "exclude_sensitive_headers", true); - final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); - final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); - final Set ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, "ignore_users", DEFAULT_IGNORED_USERS)); - final Set ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, "ignore_requests", Collections.emptyList())); + final boolean isRestApiAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_REST.getKey(), true); + final boolean isTransportAuditEnabled = getOrDefault(properties, FilterEntries.ENABLE_TRANSPORT.getKey(), true); + final boolean resolveBulkRequests = getOrDefault(properties, FilterEntries.RESOLVE_BULK_REQUESTS.getKey(), false); + final boolean logRequestBody = getOrDefault(properties, FilterEntries.LOG_REQUEST_BODY.getKey(), true); + final boolean resolveIndices = getOrDefault(properties, FilterEntries.RESOLVE_INDICES.getKey(), true); + final boolean excludeSensitiveHeaders = getOrDefault(properties, FilterEntries.EXCLUDE_SENSITIVE_HEADERS.getKey(), true); + final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_REST_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKey(), ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_USERS.getKey(), DEFAULT_IGNORED_USERS)); + final Set ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())); return new Filter( isRestApiAuditEnabled, @@ -208,24 +238,16 @@ public static Filter from(Map properties) throws JsonProcessingE * @return audit configuration filter */ public static Filter from(Settings settings) { - final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true); - final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true); - final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false); - final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true); - final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true); - final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true); - final Set disabledRestCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); - final Set disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); - - final Set ignoredAuditUsers = ConfigConstants.getSettingAsSet( - settings, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, - DEFAULT_IGNORED_USERS, - false); - - final Set ignoreAuditRequests = ImmutableSet.copyOf(settings.getAsList( - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, - Collections.emptyList())); + final boolean isRestApiAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_REST, true); + final boolean isTransportAuditEnabled = fromSettingBoolean(settings, FilterEntries.ENABLE_TRANSPORT, true); + final boolean resolveBulkRequests = fromSettingBoolean(settings, FilterEntries.RESOLVE_BULK_REQUESTS, false); + final boolean logRequestBody = fromSettingBoolean(settings, FilterEntries.LOG_REQUEST_BODY, true); + final boolean resolveIndices = fromSettingBoolean(settings, FilterEntries.RESOLVE_INDICES, true); + final boolean excludeSensitiveHeaders = fromSettingBoolean(settings, FilterEntries.EXCLUDE_SENSITIVE_HEADERS, true); + final Set disabledRestCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_REST_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledTransportCategories = AuditCategory.parse(fromSettingStringSet(settings, FilterEntries.DISABLE_TRANSPORT_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS); + final Set ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList()); return new Filter(isRestApiAuditEnabled, isTransportAuditEnabled, @@ -239,6 +261,31 @@ public static Filter from(Settings settings) { disabledTransportCategories); } + static boolean fromSettingBoolean(final Settings settings, FilterEntries filterEntry, final boolean defaultValue) { + return settings.getAsBoolean(filterEntry.getKeyWithNamespace(), settings.getAsBoolean(filterEntry.getLegacyKeyWithNamespace(), defaultValue)); + } + + static Set fromSettingStringSet(final Settings settings, FilterEntries filterEntry, final List defaultValue) { + final String defaultDetectorValue = "__DEFAULT_DETECTION__"; + final Set stringSetOfKey = ConfigConstants.getSettingAsSet( + settings, + filterEntry.getKeyWithNamespace(), + ImmutableList.of(defaultDetectorValue), + true); + + final boolean foundDefault = stringSetOfKey.stream().anyMatch(defaultDetectorValue::equals); + if (!foundDefault) { + return stringSetOfKey; + } + + // Fallback to the legacy keyname + return ConfigConstants.getSettingAsSet( + settings, + filterEntry.getLegacyKeyWithNamespace(), + defaultValue, + true); + } + /** * Checks if auditing for REST API is enabled or disabled * @return true/false diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java index 802479a123..20f8b4e777 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditCategory.java @@ -17,9 +17,6 @@ import com.google.common.collect.ImmutableSet; -import org.opensearch.common.settings.Settings; -import org.opensearch.security.support.ConfigConstants; - public enum AuditCategory { BAD_HEADERS, FAILED_LOGIN, @@ -45,8 +42,4 @@ public static Set parse(final Collection categories) { .map(AuditCategory::valueOf) .collect(ImmutableSet.toImmutableSet()); } - - public static Set from(final Settings settings, final String key) { - return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true)); - } } diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 91fa164b18..12ca085f37 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java @@ -437,6 +437,14 @@ public AuditCategory getCategory() { return msgCategory; } + public Origin getOrigin() { + return (Origin) this.auditInfo.get(ORIGIN); + } + + public String getPrivilege() { + return (String) this.auditInfo.get(PRIVILEGE); + } + public String getExceptionStackTrace() { return (String) this.auditInfo.get(EXCEPTION); } diff --git a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java index 0788b0f587..dc0cd8d4cb 100644 --- a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java +++ b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java @@ -11,6 +11,7 @@ package org.opensearch.security.auditlog; +import java.util.Arrays; import java.util.Collection; import com.fasterxml.jackson.databind.JsonNode; @@ -26,6 +27,8 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper; +import static org.opensearch.security.auditlog.config.AuditConfig.DEPRECATED_KEYS; + public abstract class AbstractAuditlogiUnitTest extends SingleClusterTest { protected RestHelper rh = null; @@ -36,20 +39,25 @@ protected String getResourceFolder() { return "auditlog"; } - protected final void setup(Settings additionalSettings) throws Exception { - final Settings.Builder auditSettingsBuilder = Settings.builder(); - final Settings.Builder additionalSettingsBuilder = Settings.builder().put(additionalSettings); - AuditConfig.DEPRECATED_KEYS.forEach(key -> { - if (additionalSettingsBuilder.get(key) != null) { - auditSettingsBuilder.put(key, additionalSettings.get(key)); - additionalSettingsBuilder.remove(key); + protected final void setup(Settings settings) throws Exception { + final Settings.Builder auditConfigSettings = Settings.builder(); + final Settings.Builder defaultNodeSettings = Settings.builder(); + // Separate the cluster defaults from audit settings that will be applied after the cluster is up + settings.keySet().forEach(key -> { + final boolean moveToAuditConfig = Arrays.stream(AuditConfig.Filter.FilterEntries.values()) + .anyMatch(entry -> entry.getKeyWithNamespace().equalsIgnoreCase(key) || entry.getLegacyKeyWithNamespace().equalsIgnoreCase(key)) + || DEPRECATED_KEYS.stream().anyMatch(key::equalsIgnoreCase); + if (moveToAuditConfig) { + auditConfigSettings.put(key, settings.get(key)); + } else { + defaultNodeSettings.put(key, settings.get(key)); } }); - final Settings nodeSettings = defaultNodeSettings(additionalSettingsBuilder.build()); + final Settings nodeSettings = defaultNodeSettings(defaultNodeSettings.build()); setup(Settings.EMPTY, new DynamicSecurityConfig(), nodeSettings, init); rh = restHelper(); - updateAuditConfig(auditSettingsBuilder.build()); + updateAuditConfig(auditConfigSettings.build()); } protected Settings defaultNodeSettings(Settings additionalSettings) { diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java index 6764aaa12a..4b4676d852 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java @@ -13,14 +13,21 @@ import java.util.Collections; import java.util.EnumSet; +import java.util.List; +import java.util.Set; +import java.util.function.Function; +import com.google.common.collect.ImmutableSet; import org.junit.Test; import org.opensearch.common.settings.Settings; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditCategory; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.WildcardMatcher; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertSame; @@ -122,4 +129,103 @@ public void testEmpty() { assertTrue(auditConfigFilter.getDisabledRestCategories().isEmpty()); assertTrue(auditConfigFilter.getDisabledTransportCategories().isEmpty()); } + + + @Test + public void testFilterEntries() { + assertThat(FilterEntries.ENABLE_REST.getKey(), equalTo("enable_rest")); + assertThat(FilterEntries.ENABLE_REST.getKeyWithNamespace(), equalTo("plugins.security.audit.config.enable_rest")); + assertThat(FilterEntries.ENABLE_REST.getLegacyKeyWithNamespace(), equalTo("opendistro_security.audit.enable_rest")); + } + + @Test + public void fromSettingBoolean() { + final FilterEntries entry = FilterEntries.ENABLE_REST; + + // Use primary key + final Settings settings1 = Settings.builder() + .put(entry.getKeyWithNamespace(), false) + .put(entry.getLegacyKeyWithNamespace(), true) + .build(); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings1, entry, true), equalTo(false)); + + // Use fallback key + final Settings settings2 = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), false) + .build(); + assertThat(AuditConfig.Filter.fromSettingBoolean(settings2, entry, true), equalTo(false)); + + // Use default + assertThat(AuditConfig.Filter.fromSettingBoolean(Settings.builder().build(), entry, true), equalTo(true)); + } + + @Test + public void fromSettingStringSet() { + final FilterEntries entry = FilterEntries.IGNORE_USERS; + + // Use primary key + final Settings settings1 = Settings.builder() + .putList(entry.getKeyWithNamespace(), "abc") + .putList(entry.getLegacyKeyWithNamespace(), "def") + .build(); + assertThat(AuditConfig.Filter.fromSettingStringSet(settings1, entry, List.of("xyz")), equalTo(ImmutableSet.of("abc"))); + + // Use fallback key + final Settings settings2 = Settings.builder() + .putList(entry.getLegacyKeyWithNamespace(), "def") + .build(); + assertThat(AuditConfig.Filter.fromSettingStringSet(settings2, entry, List.of("xyz")), equalTo(ImmutableSet.of("def"))); + + // Use default + assertThat(AuditConfig.Filter.fromSettingStringSet(Settings.builder().build(), entry, List.of("xyz")), equalTo(ImmutableSet.of("xyz"))); + } + + @Test + public void fromSettingParseAuditCategory() { + final FilterEntries entry = FilterEntries.DISABLE_REST_CATEGORIES; + final Function> parse = (settings) -> + AuditCategory.parse(AuditConfig.Filter.fromSettingStringSet(settings, entry, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + + final Settings noValues = Settings.builder().build(); + assertThat(parse.apply(noValues), equalTo(ImmutableSet.of(AUTHENTICATED, GRANTED_PRIVILEGES))); + + final Settings legacySettingNone = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), "NONE") + .build(); + assertThat(parse.apply(legacySettingNone), equalTo(ImmutableSet.of())); + + final Settings legacySettingValue = Settings.builder() + .put(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name()) + .build(); + assertThat(parse.apply(legacySettingValue), equalTo(ImmutableSet.of(AUTHENTICATED))); + + final Settings legacySettingMultipleValues = Settings.builder() + .putList(entry.getLegacyKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name()) + .build(); + assertThat(parse.apply(legacySettingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + + final Settings settingNone = Settings.builder() + .put(entry.getKeyWithNamespace(), "NONE") + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingNone), equalTo(ImmutableSet.of())); + + final Settings settingValue = Settings.builder() + .put(entry.getKeyWithNamespace(), AUTHENTICATED.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingValue), equalTo(ImmutableSet.of(AUTHENTICATED))); + + final Settings settingMultipleValues = Settings.builder() + .putList(entry.getKeyWithNamespace(), AUTHENTICATED.name(), BAD_HEADERS.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + + final Settings settingMultipleValuesString = Settings.builder() + .put(entry.getKeyWithNamespace(), AUTHENTICATED.name() + "," + BAD_HEADERS.name()) + .put(entry.getLegacyKeyWithNamespace(), FAILED_LOGIN.name()) + .build(); + assertThat(parse.apply(settingMultipleValues), equalTo(ImmutableSet.of(AUTHENTICATED, BAD_HEADERS))); + } } diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java index b127f684b7..8581a9a817 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java @@ -30,8 +30,10 @@ import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentType; import org.opensearch.security.auditlog.AbstractAuditlogiUnitTest; +import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.AuditTestUtils; import org.opensearch.security.auditlog.config.AuditConfig; +import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries; import org.opensearch.security.auditlog.impl.AuditCategory; import org.opensearch.security.auditlog.impl.AuditMessage; import org.opensearch.security.compliance.ComplianceConfig; @@ -39,6 +41,8 @@ import org.opensearch.security.test.helper.file.FileHelper; import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.equalTo; import static org.opensearch.rest.RestRequest.Method.DELETE; import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.PATCH; @@ -75,31 +79,39 @@ public void testAuditLogEnable() throws Exception { } @Test - public void testSimpleAuthenticated() throws Exception { + public void testSimpleAuthenticatedSetting() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(FilterEntries.DISABLE_TRANSPORT_CATEGORIES.getKeyWithNamespace(), "NONE") + .build(); + verifyAuthenticated(settings); + } - Settings additionalSettings = Settings.builder() - .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated") - .build(); + @Test + public void testSimpleAuthenticatedLegacySetting() throws Exception { + final Settings settings = Settings.builder() + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) + .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .build(); + verifyAuthenticated(settings); + } - setup(additionalSettings); - setupStarfleetIndex(); - TestAuditlogImpl.clear(); + private void verifyAuthenticated(final Settings settings) throws Exception { + setup(settings); - System.out.println("#### testSimpleAuthenticated"); - HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); - Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); - Thread.sleep(1500); - Assert.assertEquals(1, TestAuditlogImpl.messages.size()); - System.out.println(TestAuditlogImpl.sb.toString()); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("GRANTED_PRIVILEGES")); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("indices:data/read/search")); - Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("REST")); - Assert.assertFalse(TestAuditlogImpl.sb.toString().toLowerCase().contains("authorization")); - Assert.assertTrue(validateMsgs(TestAuditlogImpl.messages)); + + final List messages = TestAuditlogImpl.doThenWaitForMessages( + () -> { + final HttpResponse response = rh.executeGetRequest("_search", encodeBasicHeader("admin", "admin")); + assertThat(response.getStatusCode(), equalTo(HttpStatus.SC_OK)); + }, + /* expectedCount*/ 1); + + assertThat(messages.size(), equalTo(1)); + + assertThat(messages.get(0).getCategory(), equalTo(AuditCategory.GRANTED_PRIVILEGES)); + assertThat(messages.get(0).getOrigin(), equalTo(Origin.REST)); + assertThat(messages.get(0).getPrivilege(), equalTo("indices:data/read/search")); } @Test