From eb9f6983e18de97c8dd5bd8bd19638936fcc04fa Mon Sep 17 00:00:00 2001 From: Josh Aguilar <87738724+jaguilar-atl@users.noreply.github.com> Date: Tue, 1 Aug 2023 08:14:36 +1200 Subject: [PATCH] [1.3] Update guava to address CVE-2023-2976 (#3060) ### Description Update guava to address [CVE-2023-2976](https://www.cve.org/CVERecord?id=CVE-2023-2976). Seems like this has been resolved for 2.x so this PR is for the 1.3 branch. ### Issues Resolved https://github.com/opensearch-project/security/issues/2940 ### Check List - [ ] ~~New functionality includes testing~~ - [ ] ~~New functionality has been documented~~ - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Josh Aguilar Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 build.gradle | 6 +++---
 .../dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java | 9 ++++++---
 .../security/ssl/util/SSLConnectionTestUtilTests.java | 4 ++--
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/build.gradle b/build.gradle
index 8445f01cf6..677b878da4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -84,7 +84,7 @@ configurations.all {
 force "org.apache.commons:commons-lang3:3.4"
 force "org.springframework:spring-core:5.3.28"
 force "org.springframework:spring-expression:5.3.28"
- force "com.google.guava:guava:30.0-jre"
+ force "com.google.guava:guava:32.1.1-jre"
 force "com.fasterxml.woodstox:woodstox-core:6.4.0"
 force "org.scala-lang:scala-library:2.13.9"
 force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
@@ -102,7 +102,7 @@ dependencies {
 implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
 implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
 implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
- implementation 'com.google.guava:guava:30.0-jre'
+ implementation 'com.google.guava:guava:32.1.1-jre'
 implementation 'org.greenrobot:eventbus:3.2.0'
 implementation 'commons-cli:commons-cli:1.3.1'
 implementation 'org.bouncycastle:bcprov-jdk15to18:1.75'
@@ -417,4 +417,4 @@ task updateVersion {
 }
 ant.replaceregexp(file:'build.gradle', match: '"opensearch.version", "\\d.*"', replace: '"opensearch.version", "' + newVersion.tokenize('-')[0] + '-SNAPSHOT"', flags:'g', byline:true)
 }
-}
+}
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
index e150f33d65..24ccd41aac 100644
--- a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
+++ b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
@@ -19,6 +19,7 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import java.lang.reflect.Field;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -36,7 +37,6 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.mockito.Mockito;
-import org.mockito.internal.util.reflection.FieldSetter;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
@@ -192,14 +192,17 @@ public void testBasicAuthHeader() throws Exception {
 Settings settings = Settings.builder().put("signing_key", BaseEncoding.base64().encode(secretKey)).build();
 HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
 JwtParser jwtParser = Mockito.spy(JwtParser.class);
- FieldSetter.setField(jwtAuth, HTTPJwtAuthenticator.class.getDeclaredField("jwtParser"), jwtParser);
+
+ Field jwtParserField = HTTPJwtAuthenticator.class.getDeclaredField("jwtParser");
+ jwtParserField.setAccessible(true);
+ jwtParserField.set(jwtAuth, jwtParser);
 String basicAuth = BaseEncoding.base64().encode("user:password".getBytes(StandardCharsets.UTF_8));
 Map headers = Collections.singletonMap(HttpHeaders.AUTHORIZATION, "Basic " + basicAuth);
 AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(headers, Collections.emptyMap()), null);
 Assert.assertNull(creds);
- Mockito.verifyZeroInteractions(jwtParser);
+ Mockito.verifyNoInteractions(jwtParser);
 }
 @Test
diff --git a/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java b/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java
index a8efa0fc3b..ca0acd5864 100644
--- a/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java
+++ b/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java
@@ -90,7 +90,7 @@ public void testConnectionSSLNotAvailableIOException() throws Exception {
 SSLConnectionTestResult result = connectionTestUtil.testConnection();
 verifyClientHelloSend();
- Mockito.verifyZeroInteractions(inputStreamReader);
+ Mockito.verifyNoMoreInteractions(inputStreamReader);
 verifyOpenSearchPingSend();
 Mockito.verify(socket, Mockito.times(2)).close();
 Assert.assertEquals("Unexpected result for testConnection invocation", SSLConnectionTestResult.SSL_NOT_AVAILABLE, result);
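Review bot: The three `verifyZeroInteractions` replacements in this PR are not equivalent to one another: in `testBasicAuthHeader` (this hunk) and `testConnectionOpenSearchPingFailedIOException` (the last hunk) the new call is `Mockito.verifyNoInteractions`, which fails on any call to the mock, whereas in `testConnectionSSLNotAvailableIOException` (the `@@ -90,7` hunk) it is `Mockito.verifyNoMoreInteractions`, which only fails on calls not already verified — and in the Mockito API that `verifyZeroInteractions` came from it was documented as behaving like the latter, so the first two replacements tighten the assertion while the third preserves it. If the tightening is intended, a short comment at each site saying so would stop a later maintainer from "harmonising" the three; if the `inputStreamReader` site was given the weaker form because that mock is presumably read during the test, a comment such as `// reads on inputStreamReader are expected here; only unverified calls must be absent` would record that. The reflection block that replaces `FieldSetter` works, but in a PR titled as a Guava bump it reads as an unexplained detour; a one-line comment like `// Mockito's internal FieldSetter is no longer available; inject the spy via plain reflection` would explain it. All three enclosing test methods start outside their hunks.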
@@ -152,7 +152,7 @@ public void testConnectionOpenSearchPingFailedIOException() throws Exception {
 verifyClientHelloSend();
 verifyOpenSearchPingSend();
- Mockito.verifyZeroInteractions(inputStream);
+ Mockito.verifyNoInteractions(inputStream);
 Mockito.verify(socket, Mockito.times(2)).close();
 Assert.assertEquals("Unexpected result for testConnection invocation", SSLConnectionTestResult.OPENSEARCH_PING_FAILED, result);
 }