-
Notifications
You must be signed in to change notification settings - Fork 38
/
Copy pathOpenSearchSecureRestTestCase.java
187 lines (171 loc) · 8.56 KB
/
OpenSearchSecureRestTestCase.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*/
package org.opensearch.geospatial;
import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_PER_ROUTE;
import static org.opensearch.client.RestClientBuilder.DEFAULT_MAX_CONN_TOTAL;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManager;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.message.BasicHeader;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
import org.apache.hc.core5.ssl.SSLContextBuilder;
import org.apache.hc.core5.util.Timeout;
import org.junit.After;
import org.opensearch.client.Request;
import org.opensearch.client.Response;
import org.opensearch.client.RestClient;
import org.opensearch.client.RestClientBuilder;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.unit.TimeValue;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.core.xcontent.DeprecationHandler;
import org.opensearch.core.xcontent.MediaType;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.test.rest.OpenSearchRestTestCase;
/**
* Integration test base class to support both security disabled and enabled OpenSearch cluster.
*/
public abstract class OpenSearchSecureRestTestCase extends OpenSearchRestTestCase {
private static final String PROTOCOL_HTTP = "http";
private static final String PROTOCOL_HTTPS = "https";
private static final String SYS_PROPERTY_KEY_HTTPS = "https";
private static final String SYS_PROPERTY_KEY_CLUSTER_ENDPOINT = "tests.rest.cluster";
private static final String SYS_PROPERTY_KEY_USER = "user";
private static final String SYS_PROPERTY_KEY_PASSWORD = "password";
private static final String DEFAULT_SOCKET_TIMEOUT = "60s";
private static final String INTERNAL_INDICES_PREFIX = ".";
private static final String SYSTEM_INDEX_PREFIX = "security-auditlog";
private static String protocol;
@Override
protected String getProtocol() {
if (protocol == null) {
protocol = readProtocolFromSystemProperty();
}
return protocol;
}
private String readProtocolFromSystemProperty() {
boolean isHttps = Optional.ofNullable(System.getProperty(SYS_PROPERTY_KEY_HTTPS)).map("true"::equalsIgnoreCase).orElse(false);
if (!isHttps) {
return PROTOCOL_HTTP;
}
// currently only external cluster is supported for security enabled testing
if (Optional.ofNullable(System.getProperty(SYS_PROPERTY_KEY_CLUSTER_ENDPOINT)).isEmpty()) {
throw new RuntimeException("cluster url should be provided for security enabled testing");
}
return PROTOCOL_HTTPS;
}
@Override
protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
RestClientBuilder builder = RestClient.builder(hosts);
if (PROTOCOL_HTTPS.equals(getProtocol())) {
configureHttpsClient(builder, settings);
} else {
configureClient(builder, settings);
}
return builder.build();
}
private void configureHttpsClient(RestClientBuilder builder, Settings settings) {
Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
Header[] defaultHeaders = new Header[headers.size()];
int i = 0;
for (Map.Entry<String, String> entry : headers.entrySet()) {
defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue());
}
builder.setDefaultHeaders(defaultHeaders);
builder.setHttpClientConfigCallback(httpClientBuilder -> {
String userName = Optional.ofNullable(System.getProperty(SYS_PROPERTY_KEY_USER))
.orElseThrow(() -> new RuntimeException("user name is missing"));
String password = Optional.ofNullable(System.getProperty(SYS_PROPERTY_KEY_PASSWORD))
.orElseThrow(() -> new RuntimeException("password is missing"));
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
final AuthScope anyScope = new AuthScope(null, -1);
credentialsProvider.setCredentials(anyScope, new UsernamePasswordCredentials(userName, password.toCharArray()));
try {
final TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create()
.setHostnameVerifier(NoopHostnameVerifier.INSTANCE)
.setSslContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build())
.build();
final PoolingAsyncClientConnectionManager connectionManager = PoolingAsyncClientConnectionManagerBuilder.create()
.setMaxConnPerRoute(DEFAULT_MAX_CONN_PER_ROUTE)
.setMaxConnTotal(DEFAULT_MAX_CONN_TOTAL)
.setTlsStrategy(tlsStrategy)
.build();
return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setConnectionManager(connectionManager);
} catch (Exception e) {
throw new RuntimeException(e);
}
});
final String socketTimeoutString = settings.get(CLIENT_SOCKET_TIMEOUT);
final TimeValue socketTimeout = TimeValue.parseTimeValue(
socketTimeoutString == null ? DEFAULT_SOCKET_TIMEOUT : socketTimeoutString,
CLIENT_SOCKET_TIMEOUT
);
builder.setRequestConfigCallback(conf -> {
Timeout timeout = Timeout.ofMilliseconds(Math.toIntExact(socketTimeout.getMillis()));
conf.setConnectTimeout(timeout);
conf.setResponseTimeout(timeout);
return conf;
});
if (settings.hasValue(CLIENT_PATH_PREFIX)) {
builder.setPathPrefix(settings.get(CLIENT_PATH_PREFIX));
}
}
/**
* wipeAllIndices won't work since it cannot delete security index. Use deleteExternalIndices instead.
*/
@Override
protected boolean preserveIndicesUponCompletion() {
return true;
}
@After
public void deleteExternalIndices() throws IOException {
Response response = client().performRequest(new Request("GET", "/_cat/indices?format=json&expand_wildcards=all"));
MediaType mediaType = MediaType.fromMediaType(response.getEntity().getContentType());
try (
XContentParser parser = mediaType.xContent()
.createParser(
NamedXContentRegistry.EMPTY,
DeprecationHandler.THROW_UNSUPPORTED_OPERATION,
response.getEntity().getContent()
)
) {
XContentParser.Token token = parser.nextToken();
List<Map<String, Object>> parserList;
if (token == XContentParser.Token.START_ARRAY) {
parserList = parser.listOrderedMap().stream().map(obj -> (Map<String, Object>) obj).collect(Collectors.toList());
} else {
parserList = Collections.singletonList(parser.mapOrdered());
}
List<String> externalIndices = parserList.stream()
.map(index -> (String) index.get("index"))
.filter(indexName -> indexName != null)
.filter(indexName -> !indexName.startsWith(INTERNAL_INDICES_PREFIX))
// This is hack to remove the security audit index from deletion. We will need a proper fix where
// we delete the indices after a test is completed.
// Issue: https://github.com/opensearch-project/geospatial/issues/428
.filter(indexName -> !indexName.startsWith(SYSTEM_INDEX_PREFIX))
.collect(Collectors.toList());
for (String indexName : externalIndices) {
adminClient().performRequest(new Request("DELETE", "/" + indexName));
}
}
}
}