diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml deleted file mode 100644 index cf30ea89d..000000000 --- a/.github/workflows/dco.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: Developer Certificate of Origin Check - -on: [pull_request] - -jobs: - check: - runs-on: ubuntu-latest - - steps: - - name: Get PR Commits - id: 'get-pr-commits' - uses: tim-actions/get-pr-commits@v1.1.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: DCO Check - uses: tim-actions/dco@v1.1.0 - with: - commits: ${{ steps.get-pr-commits.outputs.commits }} diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index 58f8fb42c..26bbc371b 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -13,12 +13,12 @@ jobs: steps: - name: Download OpenSearch Core run: | - wget https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.0.0-rc1/latest/linux/x64/tar/builds/opensearch/dist/opensearch-min-2.0.0-rc1-linux-x64.tar.gz + wget https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.1.0/latest/linux/x64/tar/builds/opensearch/dist/opensearch-min-2.1.0-linux-x64.tar.gz tar -xzf opensearch-*.tar.gz rm -f opensearch-*.tar.gz - name: Download OpenSearch Security Plugin - run: wget -O opensearch-security.zip https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.0.0-rc1/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-security-2.0.0.0-rc1.zip + run: wget -O opensearch-security.zip https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/2.1.0/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-security-2.1.0.0.zip - name: Run OpenSearch with plugin @@ -49,7 +49,7 @@ jobs: with: path: OpenSearch-Dashboards repository: opensearch-project/OpenSearch-Dashboards - ref: 'main' + ref: '2.x' fetch-depth: 0 - name: Create plugins dir diff --git a/opensearch_dashboards.json b/opensearch_dashboards.json index 64f3c02f1..fd0ab0743 100644 --- a/opensearch_dashboards.json 
+++ b/opensearch_dashboards.json @@ -1,7 +1,7 @@ { "id": "securityDashboards", - "version": "2.0.0.0-rc1", - "opensearchDashboardsVersion": "2.0.0", + "version": "2.1.0.0", + "opensearchDashboardsVersion": "2.1.0", "configPath": ["opensearch_security"], "requiredPlugins": ["navigation"], "server": true, diff --git a/package.json b/package.json index bb8ee2582..6ab800622 100644 --- a/package.json +++ b/package.json @@ -1,10 +1,10 @@ { "name": "opensearch-security-dashboards", - "version": "2.0.0.0-rc1", + "version": "2.1.0.0", "main": "target/plugins/opensearch_security_dashboards", "opensearchDashboards": { - "version": "2.0.0", - "templateVersion": "2.0.0" + "version": "2.1.0", + "templateVersion": "2.1.0" }, "license": "Apache-2.0", "homepage": "https://github.com/opensearch-project/security-dashboards-plugin", diff --git a/public/apps/account/account-nav-button.tsx b/public/apps/account/account-nav-button.tsx index 0b95f928c..1100e9f31 100644 --- a/public/apps/account/account-nav-button.tsx +++ b/public/apps/account/account-nav-button.tsx @@ -66,7 +66,8 @@ export function AccountNavButton(props: { [props.config, props.coreStart] ); - if (getShouldShowTenantPopup()) { + // Check if the tenant modal should be shown on load + if (props.config.multitenancy.enabled && getShouldShowTenantPopup()) { setShouldShowTenantPopup(false); showTenantSwitchPanel(); } diff --git a/public/apps/account/utils.tsx b/public/apps/account/utils.tsx index 5c0d8d485..2a871066c 100644 --- a/public/apps/account/utils.tsx +++ b/public/apps/account/utils.tsx 
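Review bot: With the new guard, `setShouldShowTenantPopup(false)` is skipped whenever multitenancy is disabled, so the pending-popup flag set elsewhere is never cleared and stays armed until a logout resets it; if that flag is persisted across navigations (the storage behind `getShouldShowTenantPopup` is not visible here), it would fire as soon as the config is toggled on. Resetting the flag before the feature check keeps the state consistent: `if (getShouldShowTenantPopup()) { setShouldShowTenantPopup(false); if (props.config.multitenancy.enabled) showTenantSwitchPanel(); }`. `props.config.multitenancy` is dereferenced unguarded, which is only safe if the config schema makes that object required — worth confirming. AccountNavButton starts outside the hunk.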
@@ -31,6 +31,8 @@ export async function fetchAccountInfoSafe(http: HttpStart): Promise { await httpPost(http, API_AUTH_LOGOUT); setShouldShowTenantPopup(null); + // Clear everything in the sessionStorage since they can contain sensitive information + sessionStorage.clear(); // When no basepath is set, we can take '/' as the basepath. const basePath = http.basePath.serverBasePath ? http.basePath.serverBasePath : '/'; const nextUrl = encodeURIComponent(basePath); diff --git a/public/apps/configuration/constants.tsx b/public/apps/configuration/constants.tsx index 529c40cdd..124c9bb55 100644 --- a/public/apps/configuration/constants.tsx +++ b/public/apps/configuration/constants.tsx @@ -96,7 +96,7 @@ export const CLUSTER_PERMISSIONS: string[] = [ 'cluster:admin/opensearch/ml/models/get', 'cluster:admin/opensearch/ml/models/search', 'cluster:admin/opensearch/ml/predict', - 'cluster:admin/openserach/ml/stats/nodes', + 'cluster:admin/opensearch/ml/stats/nodes', 'cluster:admin/opensearch/ml/tasks/delete', 'cluster:admin/opensearch/ml/tasks/get', 'cluster:admin/opensearch/ml/tasks/search', diff --git a/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.1.0.md b/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.1.0.md new file mode 100644 index 000000000..9d6b7f804 --- /dev/null +++ b/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.1.0.md @@ -0,0 +1,8 @@ +## Version 1.3.1.0 + +### Enhancements +* Removes test workflow branch filter from unit and integration test workflows ([#930](https://github.com/opensearch-project/security-dashboards-plugin/pull/930)) + +### Maintenance +* Bumps version to 1.3.1.0 ([#925](https://github.com/opensearch-project/security-dashboards-plugin/pull/925)) +* Adds release notes for 1.3.0.0 ([#980](https://github.com/opensearch-project/security-dashboards-plugin/pull/980)) \ No newline at end of file 
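Review bot: `sessionStorage.clear()` runs only after `httpPost(http, API_AUTH_LOGOUT)` resolves, so if the logout request rejects (network failure, or a non-2xx the helper turns into an exception) the browser keeps exactly the sensitive data the new comment says it holds. Clearing local state should not depend on the server round-trip succeeding; run the cleanup unconditionally, e.g. `try { await httpPost(http, API_AUTH_LOGOUT); } finally { setShouldShowTenantPopup(null); sessionStorage.clear(); }`. sessionStorage is also per-tab, so other open tabs keep their copy — if that matters, it needs a cross-tab signal or server-side session invalidation rather than this clear. The enclosing logout function starts outside the hunk.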
diff --git a/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.2.0.md b/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.2.0.md new file mode 100644 index 000000000..464dc4d75 --- /dev/null +++ b/release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.2.0.md @@ -0,0 +1,8 @@ +## Version 1.3.2.0 + +### Bug Fixes +* Fix 'openserach' typo in constants.tsx (#953) ([#959](https://github.com/opensearch-project/security-dashboards-plugin/pull/959)) + +### Maintenance +* Incremented version to 1.3.2. ([#978](https://github.com/opensearch-project/security-dashboards-plugin/pull/978)) +* Remove redundant DCO check in favor of the GitHub app ([#972](https://github.com/opensearch-project/security-dashboards-plugin/pull/972)) \ No newline at end of file diff --git a/release-notes/opensearch-security-dashboards-plugin.release-notes-2.0.0.0.md b/release-notes/opensearch-security-dashboards-plugin.release-notes-2.0.0.0.md new file mode 100644 index 000000000..51f1b89d5 --- /dev/null +++ b/release-notes/opensearch-security-dashboards-plugin.release-notes-2.0.0.0.md 
@@ -0,0 +1,25 @@ +## 2022-05-24 Version 2.0.0.0 + +Compatible with Opensearch-Dashboards 2.0.0 + +### Enhancements +* Change 2.0-alpha1 to 2.0-rc1. ([#946](https://github.com/opensearch-project/security-dashboards-plugin/pull/946)) +* Make Git ignore .idea/ folder ([#944](https://github.com/opensearch-project/security-dashboards-plugin/pull/944)) +* Updated issue templates from .github. ([#931](https://github.com/opensearch-project/security-dashboards-plugin/pull/931)) +* Bumps version of main to 2.0.0.0 ([#928](https://github.com/opensearch-project/security-dashboards-plugin/pull/928)) +* Enforce authentication on api/status route by default ([#968](https://github.com/opensearch-project/security-dashboards-plugin/pull/968)) + +### Bug fixes +* Fix broken `nextUrl=` parameter logic ([#940](https://github.com/opensearch-project/security-dashboards-plugin/pull/940)) +* Fix 'openserach' typo in constants.tsx ([#953](https://github.com/opensearch-project/security-dashboards-plugin/pull/953)) +* Select tenant popup only appears when mutli-tenacy is enabled ([#965](https://github.com/opensearch-project/security-dashboards-plugin/pull/965)) + +### Maintenance +* Revert "Enforce authentication on api/status route by default (#943)" ([#950](https://github.com/opensearch-project/security-dashboards-plugin/pull/950)) +* Enforce authentication on api/status route by default ([#943](https://github.com/opensearch-project/security-dashboards-plugin/pull/943)) +* [Build] restore osdVersion to 2.0.0 ([#947](https://github.com/opensearch-project/security-dashboards-plugin/pull/947)) +* [Build] bump to 2.0.0.0-rc1 ([#941](https://github.com/opensearch-project/security-dashboards-plugin/pull/941)) +* Generate release notes for 2.0.0 ([#955](https://github.com/opensearch-project/security-dashboards-plugin/pull/955)) +* Build OSD on 2.0 branch ([#986](https://github.com/opensearch-project/security-dashboards-plugin/pull/986)) +* Remove redundant DCO check for the GitHub app 
([#974](https://github.com/opensearch-project/security-dashboards-plugin/pull/974)) +* Fixes broken main build which was caused due to version mismatch ([#989](https://github.com/opensearch-project/security-dashboards-plugin/pull/989)) diff --git a/server/auth/types/saml/routes.ts b/server/auth/types/saml/routes.ts index 808dfa8ae..243e786f4 100644 --- a/server/auth/types/saml/routes.ts +++ b/server/auth/types/saml/routes.ts @@ -14,21 +14,18 @@ */ import { schema } from '@osd/config-schema'; -import { - IRouter, - SessionStorageFactory, - OpenSearchDashboardsRequest, -} from '../../../../../../src/core/server'; +import { IRouter, SessionStorageFactory } from '../../../../../../src/core/server'; import { SecuritySessionCookie } from '../../../session/security_cookie'; import { SecurityPluginConfigType } from '../../..'; import { SecurityClient } from '../../../backend/opensearch_security_client'; +import { API_AUTH_LOGOUT } from '../../../../common'; import { CoreSetup } from '../../../../../../src/core/server'; import { validateNextUrl } from '../../../utils/next_url'; +import { AuthType } from '../../../../common/index'; export class SamlAuthRoutes { constructor( private readonly router: IRouter, - // @ts-ignore: unused variable private readonly config: SecurityPluginConfigType, private readonly sessionStorageFactory: SessionStorageFactory, private readonly securityClient: SecurityClient, @@ -38,7 +35,7 @@ export class SamlAuthRoutes { public setupRoutes() { this.router.get( { - path: `/auth/saml/login`, + path: '/auth/saml/login', validate: { query: schema.object({ nextUrl: schema.maybe( @@ -84,7 +81,7 @@ export class SamlAuthRoutes { this.router.post( { - path: `/_opendistro/_security/saml/acs`, + path: '/_plugins/_security/saml/acs', validate: { body: schema.any(), }, 
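Review bot: The two new imports pull `API_AUTH_LOGOUT` from `'../../../../common'` and `AuthType` from `'../../../../common/index'`, which is the same module spelled two ways; merge them into `import { API_AUTH_LOGOUT, AuthType } from '../../../../common';` so the file has one import for that module. Dropping the `// @ts-ignore: unused variable` on the `config` parameter property is only safe if `config` is read somewhere in the class — none of the visible hunks touch it, so under `noUnusedLocals` this may now warn; worth confirming before merge.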
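Review bot: Replacing `/_opendistro/_security/saml/acs` with `/_plugins/_security/saml/acs` drops the old route entirely, so any IdP whose registered Assertion Consumer Service URL still points at the `_opendistro` path will post assertions to a 404 after upgrade, and nothing in this diff (the 2.0.0.0 release notes included) mentions the change. Either keep the old path registered for a deprecation window (the same applies to `/acs/idpinitiated`) or call out the required IdP reconfiguration in the release notes. The ACS body remains `schema.any()`; that is unchanged here, but since it is the one endpoint that accepts an unauthenticated POST from the outside, it is worth confirming the SAMLResponse is validated inside `securityClient.authToken` rather than passed through.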
@@ -139,7 +136,7 @@ export class SamlAuthRoutes { credentials: { authHeaderValue: credentials.authorization, }, - authType: 'saml', // TODO: create constant + authType: AuthType.SAML, expiryTime, }; this.sessionStorageFactory.asScoped(request).set(cookie); @@ -160,7 +157,7 @@ export class SamlAuthRoutes { this.router.post( { - path: `/_opendistro/_security/saml/acs/idpinitiated`, + path: '/_plugins/_security/saml/acs/idpinitiated', validate: { body: schema.any(), }, @@ -169,7 +166,7 @@ export class SamlAuthRoutes { }, }, async (context, request, response) => { - const acsEndpoint = `${this.coreSetup.http.basePath.serverBasePath}/_opendistro/_security/saml/acs/idpinitiated`; + const acsEndpoint = `${this.coreSetup.http.basePath.serverBasePath}/_plugins/_security/saml/acs/idpinitiated`; try { const credentials = await this.securityClient.authToken( undefined, @@ -197,7 +194,7 @@ export class SamlAuthRoutes { credentials: { authHeaderValue: credentials.authorization, }, - authType: 'saml', // TODO: create constant + authType: AuthType.SAML, expiryTime, }; this.sessionStorageFactory.asScoped(request).set(cookie); @@ -217,7 +214,7 @@ export class SamlAuthRoutes { this.router.get( { - path: `/auth/logout`, + path: API_AUTH_LOGOUT, validate: false, }, async (context, request, response) => { diff --git a/server/index.ts b/server/index.ts index a682d070b..bf1a2699d 100644 --- a/server/index.ts +++ b/server/index.ts 
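Review bot: The IdP-initiated ACS path now appears twice in the file — as the route `path` and again inside the `acsEndpoint` template literal passed to `securityClient.authToken` — and this commit had to rename both by hand; if they ever drift, the backend will presumably check the assertion's destination against a URL the plugin no longer serves. Declare it once, e.g. `const SAML_ACS_IDP_INITIATED_PATH = '/_plugins/_security/saml/acs/idpinitiated';`, and use it in both places (and do the same for the SP-initiated `/acs` route). The surrounding handler continues outside the hunk.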
@@ -70,14 +70,14 @@ export const configSchema = schema.object({ }), anonymous_auth_enabled: schema.boolean({ defaultValue: false }), unauthenticated_routes: schema.arrayOf(schema.string(), { - defaultValue: ['/api/status', '/api/reporting/stats'], + defaultValue: ['/api/reporting/stats'], }), forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }), logout_url: schema.string({ defaultValue: '' }), }), basicauth: schema.object({ enabled: schema.boolean({ defaultValue: true }), - unauthenticated_routes: schema.arrayOf(schema.string(), { defaultValue: ['/api/status'] }), + unauthenticated_routes: schema.arrayOf(schema.string(), { defaultValue: [] }), forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }), header_trumps_session: schema.boolean({ defaultValue: false }), alternative_login: schema.object({ diff --git a/test/jest_integration/basic_auth.test.ts b/test/jest_integration/basic_auth.test.ts index 9c57ceffe..b4bbd3e55 100644 --- a/test/jest_integration/basic_auth.test.ts +++ b/test/jest_integration/basic_auth.test.ts @@ -208,6 +208,11 @@ describe('start OpenSearch Dashboards server', () => { expect(response.status).toEqual(302); }); + it('enforce authentication on api/status route', async () => { + const response = await osdTestServer.request.get(root, '/api/status'); + expect(response.status).toEqual(401); + }); + it('can access api/status route with admin credential', async () => { const response = await osdTestServer.request .get(root, '/api/status')
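Review bot: Removing `/api/status` from both `unauthenticated_routes` defaults is the right hardening, but it is a silent breaking change for deployments whose load balancer or uptime probe hits `/api/status` without credentials, and the schema carries no comment explaining the new default or how to restore the old behaviour. Add a comment above each default, e.g. `// '/api/status' is no longer exempt by default; list it here explicitly if an unauthenticated health check is required.`, and state the change in the release notes. `/api/reporting/stats` stays exempt in `auth.unauthenticated_routes`; worth confirming that endpoint exposes nothing sensitive to anonymous callers.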
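Review bot: The new test pins the 401 only for the basic-auth server started in this describe block, while the commit also changed the `auth.unauthenticated_routes` default that governs the other auth types; unless the sibling integration suites (not visible here) already cover it, `/api/status` should get the same unauthenticated assertion there. Consider also asserting that an explicit `unauthenticated_routes: ['/api/status']` override still returns 200, so the opt-out operators are expected to use is tested and not just the new default. The describe block starts outside the hunk.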