Merge branch 'main' of github.com:opensearch-project/security into HEAD

Author: derek-ho

.github/actions/run-bwc-suite/action.yaml

@@ -50,7 +50,7 @@ runs:
           -Dbwc.version.previous=${{ steps.build-previous.outputs.built-version }}
           -Dbwc.version.next=${{ steps.build-next.outputs.built-version }} -i
 
-    - uses: alehechka/upload-tartifact@v2
+    - uses: actions/upload-artifact@v4
       if: always()
       with:
         name: ${{ inputs.report-artifact-name }}

.github/workflows/ci.yml

@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/wretry.action@v3.7.3
+        uses: Wandalen/wretry.action@v3.8.0
         with:
           attempt_limit: 5
           attempt_delay: 2000

.github/workflows/integration-tests.yml

@@ -24,7 +24,7 @@ jobs:
 
     - run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test
 
-    - uses: alehechka/upload-tartifact@v2
+    - uses: actions/upload-artifact@v4
       if: always()
       with:
         name: ${{ matrix.jdk }}-${{ matrix.test-run }}-reports

build.gradle

@@ -64,7 +64,7 @@ plugins {
     id 'maven-publish'
     id 'com.diffplug.spotless' version '6.25.0'
     id 'checkstyle'
-    id 'com.netflix.nebula.ospackage' version "11.10.0"
+    id 'com.netflix.nebula.ospackage' version "11.10.1"
     id "org.gradle.test-retry" version "1.6.0"
     id 'eclipse'
     id "com.github.spotbugs" version "5.2.5"
@@ -469,9 +469,9 @@ bundlePlugin {
 configurations {
     all {
         resolutionStrategy {
-            force 'commons-codec:commons-codec:1.17.1'
+            force 'commons-codec:commons-codec:1.17.2'
             force 'org.slf4j:slf4j-api:1.7.36'
-            force 'org.scala-lang:scala-library:2.13.15'
+            force 'org.scala-lang:scala-library:2.13.16'
             force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
             force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
             force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
@@ -496,8 +496,8 @@ configurations {
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
             force "com.google.errorprone:error_prone_annotations:2.36.0"
-            force "org.checkerframework:checker-qual:3.48.3"
-            force "ch.qos.logback:logback-classic:1.5.12"
+            force "org.checkerframework:checker-qual:3.48.4"
+            force "ch.qos.logback:logback-classic:1.5.16"
             force "commons-io:commons-io:2.18.0"
         }
     }
@@ -585,7 +585,7 @@ dependencies {
     implementation 'commons-cli:commons-cli:1.9.0'
     implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
-    implementation 'com.nimbusds:nimbus-jose-jwt:9.47'
+    implementation 'com.nimbusds:nimbus-jose-jwt:9.48'
     implementation 'com.rfksystems:blake2b:2.0.0'
     implementation 'com.password4j:password4j:1.8.2'
 
@@ -609,14 +609,14 @@ dependencies {
 
     runtimeOnly 'com.sun.activation:jakarta.activation:1.2.2'
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
-    runtimeOnly 'commons-codec:commons-codec:1.17.1'
+    runtimeOnly 'commons-codec:commons-codec:1.17.2'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
     compileOnly 'com.google.errorprone:error_prone_annotations:2.36.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.7.1'
 
-    testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.2'
+    testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.3'
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.2'
@@ -653,9 +653,9 @@ dependencies {
     runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"
     runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.7.0'
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
-    runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
+    runtimeOnly 'org.apache.santuario:xmlsec:2.3.5'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
-    runtimeOnly 'org.checkerframework:checker-qual:3.48.3'
+    runtimeOnly 'org.checkerframework:checker-qual:3.48.4'
     runtimeOnly "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
@@ -686,10 +686,10 @@ dependencies {
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
     testImplementation 'commons-validator:commons-validator:1.9.0'
-    testImplementation 'org.springframework.kafka:spring-kafka-test:3.3.0'
+    testImplementation 'org.springframework.kafka:spring-kafka-test:3.3.1'
     testImplementation "org.springframework:spring-beans:${spring_version}"
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.3'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.3'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.4'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.4'
     testImplementation('org.awaitility:awaitility:4.2.2') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
@@ -708,7 +708,7 @@ dependencies {
     testRuntimeOnly ("org.springframework:spring-core:${spring_version}") {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
-    testRuntimeOnly 'org.scala-lang:scala-library:2.13.15'
+    testRuntimeOnly 'org.scala-lang:scala-library:2.13.16'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.3') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
@@ -746,7 +746,7 @@ dependencies {
     integrationTestImplementation "org.apache.httpcomponents:fluent-hc:4.5.14"
     integrationTestImplementation "org.apache.httpcomponents:httpcore:4.4.16"
     integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
-    integrationTestImplementation "org.mockito:mockito-core:5.14.2"
+    integrationTestImplementation "org.mockito:mockito-core:5.15.2"
 
     //spotless
     implementation('com.google.googlejavaformat:google-java-format:1.25.2') {

gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
+distributionSha256Sum=7a00d51fb93147819aab76024feece20b6b84e420694101f276be952e08bef03
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java

@@ -12,6 +12,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -462,8 +463,9 @@ public void shouldPerformCatIndices_positive() throws IOException {
             Request getIndicesRequest = new Request("GET", "/_cat/indices");
             // High level client doesn't support _cat/_indices API
             Response getIndicesResponse = restHighLevelClient.getLowLevelClient().performRequest(getIndicesRequest);
-            List<String> indexes = new BufferedReader(new InputStreamReader(getIndicesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> indexes = new BufferedReader(
+                new InputStreamReader(getIndicesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             assertThat(indexes.size(), equalTo(1));
             assertThat(indexes.get(0), containsString("marvelous_songs"));
@@ -476,8 +478,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_USER)) {
             Request getAliasesRequest = new Request("GET", "/_cat/aliases");
             Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
-            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> aliases = new BufferedReader(
+                new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             // Does not fail on forbidden, but alias response only contains index which user has access to
             assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
@@ -490,8 +493,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
             Request getAliasesRequest = new Request("GET", "/_cat/aliases");
             Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
-            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> aliases = new BufferedReader(
+                new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             // Admin has access to all
             assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));

src/integrationTest/java/org/opensearch/security/ThreadPoolTests.java

@@ -21,7 +21,6 @@
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.security.http.ExampleSystemIndexPlugin;
 import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
@@ -47,7 +46,6 @@ public class ThreadPoolTests {
         .anonymousAuth(false)
         .authc(AUTHC_DOMAIN)
         .users(USER_ADMIN)
-        .plugin(ExampleSystemIndexPlugin.class)
         .nodeSettings(Map.of(SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName())))
         .build();
 

src/integrationTest/java/org/opensearch/security/http/ExampleSystemIndexPlugin.java

@@ -126,6 +126,28 @@ public void wildcard() throws Exception {
             );
         }
 
+        @Test
+        public void wildcardByUsername() throws Exception {
+            SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.empty(CType.ROLES);
+
+            ActionPrivileges subject = new ActionPrivileges(
+                roles,
+                FlattenedActionGroups.EMPTY,
+                null,
+                Settings.EMPTY,
+                Map.of("plugin:org.opensearch.sample.SamplePlugin", Set.of("*"))
+            );
+
+            assertThat(
+                subject.hasClusterPrivilege(ctxByUsername("plugin:org.opensearch.sample.SamplePlugin"), "cluster:whatever"),
+                isAllowed()
+            );
+            assertThat(
+                subject.hasClusterPrivilege(ctx("plugin:org.opensearch.other.OtherPlugin"), "cluster:whatever"),
+                isForbidden(missingPrivileges("cluster:whatever"))
+            );
+        }
+
         @Test
         public void explicit_wellKnown() throws Exception {
             SecurityDynamicConfiguration<RoleV7> roles = SecurityDynamicConfiguration.fromYaml("non_explicit_role:\n" + //
@@ -455,7 +477,8 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec, Statefulnes
                     settings,
                     WellKnownActions.CLUSTER_ACTIONS,
                     WellKnownActions.INDEX_ACTIONS,
-                    WellKnownActions.INDEX_ACTIONS
+                    WellKnownActions.INDEX_ACTIONS,
+                    Map.of()
                 );
 
                 if (statefulness == Statefulness.STATEFUL || statefulness == Statefulness.STATEFUL_LIMITED) {
@@ -1030,4 +1053,19 @@ static PrivilegesEvaluationContext ctx(String... roles) {
             null
         );
     }
+
+    static PrivilegesEvaluationContext ctxByUsername(String username) {
+        User user = new User(username);
+        user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        return new PrivilegesEvaluationContext(
+            user,
+            ImmutableSet.of(),
+            null,
+            null,
+            null,
+            null,
+            new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)),
+            null
+        );
+    }
 }