Expanding Authentication with SecurityRequest Abstraction

[peternied]

Description

Introduced a new abstraction, SecurityRequest & SecurityRequestChannel, to streamline and secure the authentication process in the OpenSearch Security plugin. By isolating the essential request components needed for authentication, we minimize potential risks associated with previous designs and provide a more maintainable architecture.

graph TD
    A[SecurityRequestFactory] -->|Creates| E[SecurityRequest]
    A -->|Creates| B[SecurityRequestChannel]
    C[Netty Channel Handler] -->|Provides data to| A
    D[OpenSearch Rest Controller] -->|Provides data to| A
    
    subgraph SecurityRequest Objects
        E --> B[SecurityRequestChannel]
    end
    
    B --> |Used in| SecurityFilter
    B --> |Used in| BackendRegistry
    B --> |Used in| HttpAuthenticator

    style A fill:#f9d,stroke:#333,stroke-width:2px;
    style B fill:#afd,stroke:#333,stroke-width:2px;
    style C fill:#fea,stroke:#333,stroke-width:2px;
    style D fill:#fea,stroke:#333,stroke-width:2px;
    style E fill:#afd,stroke:#333,stroke-width:2px;

Loading

To Do items:

• Unit tests for new components
• Check code coverage on impacted changes, add / update tests

Issues Resolved

• Related [Feature] Improve compressed request handling OpenSearch#10260

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #3430 (e7b0916) into main (bfba97a) will increase coverage by 0.02%.
The diff coverage is 64.85%.

@@             Coverage Diff              @@
##               main    #3430      +/-   ##
============================================
+ Coverage     64.57%   64.60%   +0.02%     
- Complexity     3549     3573      +24     
============================================
  Files           269      275       +6     
  Lines         20365    20451      +86     
  Branches       3377     3382       +5     
============================================
+ Hits          13151    13212      +61     
- Misses         5526     5544      +18     
- Partials       1688     1695       +7     

Files	Coverage Δ
...ava/org/opensearch/security/auditlog/AuditLog.java	100.00% <ø> (ø)
...security/auditlog/AuditLogSslExceptionHandler.java	57.14% <ø> (ø)
...org/opensearch/security/auditlog/NullAuditLog.java	0.00% <ø> (ø)
...earch/security/auditlog/impl/AbstractAuditLog.java	76.59% <ø> (ø)
...pensearch/security/auditlog/impl/AuditLogImpl.java	88.09% <ø> (ø)
...ava/org/opensearch/security/auth/UserInjector.java	90.66% <ø> (ø)
...arch/security/dlic/rest/api/AbstractApiAction.java	88.61% <100.00%> (ø)
...earch/security/dlic/rest/api/NodesDnApiAction.java	89.74% <ø> (ø)
...rity/dlic/rest/api/RestApiPrivilegesEvaluator.java	69.23% <100.00%> (+0.15%)	⬆️
...curity/dlic/rest/validation/EndpointValidator.java	94.20% <ø> (ø)
... and 32 more

[RyanL1997]

Hi @peternied, great change. I just left some comments

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3430-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f435c052a826b15683b8a6a6f2ccd9dd107070f9
# Push it to GitHub
git push --set-upstream origin backport/backport-3430-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3430-to-2.x.

[opensearch-trigger-bot]

The backport to 2.11 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.11 2.11
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.11
# Create a new branch
git switch --create backport/backport-3430-to-2.11
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f435c052a826b15683b8a6a6f2ccd9dd107070f9
# Push it to GitHub
git push --set-upstream origin backport/backport-3430-to-2.11
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.11

Then, create a pull request where the base branch is 2.11 and the compare/head branch is backport/backport-3430-to-2.11.