From efad9b75a76590e5665ae7782e073137b32f387f Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 11:34:56 -0500
Subject: [PATCH 01/14] fix dependency conflict

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 bwc-test/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index 6fb7fc2348..b430929c0f 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -47,7 +47,7 @@ buildscript {
         opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT")
         opensearch_group = "org.opensearch"
         common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
-        jackson_version = System.getProperty("jackson_version", "2.15.2")
+        jackson_version = System.getProperty("jackson_version", "2.16.0")
     }
     repositories {
         mavenLocal()

From afe8991d3ee66cfa8ce4fe3f9d5d6f7bf752dc28 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 15:34:19 -0500
Subject: [PATCH 02/14] rework audit log fix

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/OpenSearchSecurityPlugin.java    | 15 ++++++++---
 .../security/auditlog/config/AuditConfig.java | 26 ++++++++++++++++---
 .../auditlog/impl/AbstractAuditLog.java       |  5 ----
 .../security/auditlog/impl/AuditMessage.java  |  5 ++--
 .../security/compliance/ComplianceConfig.java |  1 +
 .../security/support/ConfigConstants.java     |  1 +
 .../config/AuditConfigFilterTest.java         |  4 +++
 .../config/AuditConfigSerializeTest.java      |  9 +++++++
 .../auditlog/impl/AuditMessageTest.java       | 18 +++++++++----
 9 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 3c04816c32..e49845f64a 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1360,7 +1360,15 @@ public List<Setting<?>> getSettings() {
                     Function.identity(),
                     Property.NodeScope
                 )
-            ); // not filtered here
+            );
+            settings.add(
+                    Setting.listSetting(
+                            ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
+                            Collections.emptyList(),
+                            Function.identity(),
+                            Property.NodeScope
+                    )
+            );// not filtered here
             settings.add(
                 Setting.boolSetting(
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS,
@@ -1393,7 +1401,8 @@ public List<Setting<?>> getSettings() {
                             Property.NodeScope
                         );
                     case IGNORE_REQUESTS:
-                        return Setting.listSetting(
+					case IGNORE_HEADERS:
+						return Setting.listSetting(
                             filterEntry.getKeyWithNamespace(),
                             Collections.emptyList(),
                             Function.identity(),
@@ -1406,7 +1415,7 @@ public List<Setting<?>> getSettings() {
                             Function.identity(),
                             Property.NodeScope
                         );
-                    // All boolean settings with default of true
+					// All boolean settings with default of true
                     case ENABLE_REST:
                     case ENABLE_TRANSPORT:
                     case EXCLUDE_SENSITIVE_HEADERS:
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 2cffd93dfa..093babcd4d 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -62,7 +62,8 @@
  *     "ignore_users" : [
  *       "kibanaserver"
  *     ],
- *     "ignore_requests" : [ ]
+ *     "ignore_requests" : [ ],
+ *     "ignore_headers" : [ ],
  *   },
  *   "compliance" : {
  *     "enabled": true,
@@ -82,6 +83,7 @@
 public class AuditConfig {
 
     public static final List<String> DEFAULT_IGNORED_USERS = Collections.singletonList("kibanaserver");
+
     private static Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class);
 
     private AuditConfig() {
@@ -138,8 +140,11 @@ public static class Filter {
         private final Set<String> ignoredAuditUsers;
         @JsonProperty("ignore_requests")
         private final Set<String> ignoredAuditRequests;
+        @JsonProperty("ignore_headers")
+        private final Set<String> ignoredCustomHeaders;
         private final WildcardMatcher ignoredAuditUsersMatcher;
         private final WildcardMatcher ignoredAuditRequestsMatcher;
+        private final WildcardMatcher ignoredCustomHeadersMatcher;
         private final Set<AuditCategory> disabledRestCategories;
         private final Set<AuditCategory> disabledTransportCategories;
 
@@ -153,6 +158,7 @@ public static class Filter {
             final boolean excludeSensitiveHeaders,
             final Set<String> ignoredAuditUsers,
             final Set<String> ignoredAuditRequests,
+            final Set<String> ignoredCustomHeaders,
             final Set<AuditCategory> disabledRestCategories,
             final Set<AuditCategory> disabledTransportCategories
         ) {
@@ -166,6 +172,8 @@ public static class Filter {
             this.ignoredAuditUsersMatcher = WildcardMatcher.from(ignoredAuditUsers);
             this.ignoredAuditRequests = ignoredAuditRequests;
             this.ignoredAuditRequestsMatcher = WildcardMatcher.from(ignoredAuditRequests);
+            this.ignoredCustomHeaders = ignoredCustomHeaders;
+            this.ignoredCustomHeadersMatcher = WildcardMatcher.from(ignoredCustomHeaders);
             this.disabledRestCategories = disabledRestCategories;
             this.disabledTransportCategories = disabledTransportCategories;
         }
@@ -183,7 +191,8 @@ public enum FilterEntries {
                 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES
             ),
             IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS),
-            IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS);
+            IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS),
+            IGNORE_HEADERS("ignore_headers", ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS);
 
             private final String key;
             private final String legacyKeyWithNamespace;
@@ -246,6 +255,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
             final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );
+            final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()));
 
             return new Filter(
                 isRestApiAuditEnabled,
@@ -256,6 +266,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
+                ignoreCustomHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -290,7 +301,7 @@ public static Filter from(Settings settings) {
             );
             final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS);
             final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList());
-
+            final Set<String> ignoreCustomHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList());
             return new Filter(
                 isRestApiAuditEnabled,
                 isTransportAuditEnabled,
@@ -300,6 +311,7 @@ public static Filter from(Settings settings) {
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
+                ignoreCustomHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -398,11 +410,16 @@ public boolean isAuditDisabled(String user) {
             return ignoredAuditUsersMatcher.test(user);
         }
 
+
         @VisibleForTesting
         WildcardMatcher getIgnoredAuditRequestsMatcher() {
             return ignoredAuditRequestsMatcher;
         }
 
+        public WildcardMatcher getIgnoredCustomHeadersMatcher() {
+            return ignoredCustomHeadersMatcher;
+        }
+
         /**
          * Check if request is excluded from audit
          * @param action
@@ -440,6 +457,7 @@ public void log(Logger logger) {
             logger.info("Index resolution is {} during request auditing.", resolveIndices ? "enabled" : "disabled");
             logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled");
             logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher);
+            logger.info("Auditing request headers {} is disabled.", ignoredCustomHeaders);
         }
 
         @Override
@@ -465,6 +483,8 @@ public String toString() {
                 + ignoredAuditUsersMatcher
                 + ", ignoreAuditRequests="
                 + ignoredAuditRequestsMatcher
+                    + ", ignoredCustomHeaders="
+                    + ignoredCustomHeadersMatcher
                 + '}';
         }
     }
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
index d97adc358b..e5f314cd29 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
@@ -927,11 +927,6 @@ boolean checkRestFilter(final AuditCategory category, final String effectiveUser
             }
             return false;
         }
-
-        // check rest audit enabled
-        // check category enabled
-        // check action
-        // check ignoreAuditUsers
     }
 
     protected abstract void save(final AuditMessage msg);
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 8b24a554d1..6b74beeea2 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -356,11 +356,12 @@ public void addRestParams(Map<String, String> params) {
         }
     }
 
-    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders) {
+    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, WildcardMatcher customHeaders) {
         if (headers != null && !headers.isEmpty()) {
             final Map<String, List<String>> headersClone = new HashMap<>(headers);
             if (excludeSensitiveHeaders) {
                 headersClone.keySet().removeIf(AUTHORIZATION_HEADER);
+                headersClone.keySet().removeIf(customHeaders);
             }
             auditInfo.put(REST_REQUEST_HEADERS, headersClone);
         }
@@ -376,7 +377,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
         if (request != null) {
             final String path = request.path().toString();
             addPath(path);
-            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders());
+            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter.getIgnoredCustomHeadersMatcher());
             addRestParams(request.params());
             addRestMethod(request.method());
 
diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index edc5248781..4e24048bda 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -235,6 +235,7 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje
         final Set<String> ignoredComplianceUsersForRead = ImmutableSet.copyOf(
             getOrDefault(properties, "read_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS)
         );
+
         final boolean logWriteMetadataOnly = getOrDefault(properties, "write_metadata_only", false);
         final boolean logDiffsForWrite = getOrDefault(properties, "write_log_diffs", false);
         final List<String> watchedWriteIndicesPatterns = getOrDefault(properties, "write_watched_indices", Collections.emptyList());
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index f10dedade3..d4383c05de 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -165,6 +165,7 @@ public class ConfigConstants {
     );
     public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users";
     public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests";
+    public static final String SECURITY_AUDIT_IGNORE_HEADERS = "plugins.security.audit.ignore_headers";
     public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests";
     public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true;
     public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false;
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
index e40e65549f..3e9d2fe245 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
@@ -57,6 +57,7 @@ public void testDefault() {
         assertTrue(auditConfigFilter.shouldExcludeSensitiveHeaders());
         assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredAuditRequestsMatcher());
         assertEquals(defaultIgnoredUserMatcher, auditConfigFilter.getIgnoredAuditUsersMatcher());
+        assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredCustomHeadersMatcher());
         assertEquals(auditConfigFilter.getDisabledRestCategories(), defaultDisabledCategories);
         assertEquals(auditConfigFilter.getDisabledTransportCategories(), defaultDisabledCategories);
     }
@@ -73,6 +74,7 @@ public void testConfig() {
             .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false)
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request")
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user")
+                .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header")
             .putList(
                 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
                 BAD_HEADERS.toString(),
@@ -95,6 +97,7 @@ public void testConfig() {
         assertFalse(auditConfigFilter.shouldExcludeSensitiveHeaders());
         assertEquals(WildcardMatcher.from(Collections.singleton("test-user")), auditConfigFilter.getIgnoredAuditUsersMatcher());
         assertEquals(WildcardMatcher.from(Collections.singleton("test-request")), auditConfigFilter.getIgnoredAuditRequestsMatcher());
+        assertEquals(WildcardMatcher.from(Collections.singleton("test-header")), auditConfigFilter.getIgnoredCustomHeadersMatcher());
         assertEquals(auditConfigFilter.getDisabledRestCategories(), EnumSet.of(BAD_HEADERS, SSL_EXCEPTION));
         assertEquals(auditConfigFilter.getDisabledTransportCategories(), EnumSet.of(FAILED_LOGIN, MISSING_PRIVILEGES));
     }
@@ -121,6 +124,7 @@ public void testEmpty() {
         final Settings settings = Settings.builder()
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())
+                .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList())
             .build();
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 0b50c2ac20..9a98c2d0e8 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -72,6 +72,7 @@ public void testDefaultSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
+                .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -107,6 +108,7 @@ public void testDefaultDeserialize() throws IOException {
         assertTrue(audit.shouldExcludeSensitiveHeaders());
         assertSame(WildcardMatcher.NONE, audit.getIgnoredAuditRequestsMatcher());
         assertEquals(DEFAULT_IGNORED_USER, audit.getIgnoredAuditUsersMatcher());
+        assertEquals(WildcardMatcher.NONE, audit.getIgnoredCustomHeadersMatcher());
         assertFalse(compliance.shouldLogExternalConfig());
         assertFalse(compliance.shouldLogInternalConfig());
         assertFalse(compliance.shouldLogReadMetadataOnly());
@@ -116,6 +118,7 @@ public void testDefaultDeserialize() throws IOException {
         assertEquals(DEFAULT_IGNORED_USER, compliance.getIgnoredComplianceUsersForWriteMatcher());
     }
 
+
     @Test
     public void testDeserialize() throws IOException {
         // arrange
@@ -196,6 +199,7 @@ public void testSerialize() throws IOException {
             true,
             ImmutableSet.of("ignore-user-1", "ignore-user-2"),
             ImmutableSet.of("ignore-request-1"),
+                ImmutableSet.of("test-header"),
             EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES),
             EnumSet.of(AUTHENTICATED)
         );
@@ -287,6 +291,9 @@ public void testNullSerialize() throws IOException {
         // act
         final String json = objectMapper.writeValueAsString(auditConfig);
         // assert
+        System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder);
+        System.out.println("JSON OUTPUT IS: " + json);
+        System.out.println(jsonBuilder.);
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 
@@ -370,6 +377,8 @@ public void testCustomSettings() throws IOException {
     private boolean compareJson(final String json1, final String json2) throws JsonProcessingException {
         ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class);
         ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class);
+
+        System.out.println("Checking if " + objectNode1 + " is equal to " + objectNode2 + ". Equal? " + objectNode1.equals(objectNode2));
         return objectNode1.equals(objectNode2);
     }
 }
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index d915c02e55..518e380e8a 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -13,6 +13,7 @@
 
 import java.nio.ByteBuffer;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -29,6 +30,7 @@
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.support.WildcardMatcher;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
@@ -70,22 +72,28 @@ public void setUp() {
     }
 
     @Test
-    public void testRestHeadersAreFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, true);
+    public void testAuthorizationRestHeadersAreFiltered() {
+        message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.NONE);
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4")));
     }
 
+    @Test
+    public void testCustomRestHeadersAreFiltered() {
+        message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.from("test-header"));
+        assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of());
+    }
+
     @Test
     public void testRestHeadersNull() {
-        message.addRestHeaders(null, true);
+        message.addRestHeaders(null, true, null);
         assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS));
-        message.addRestHeaders(Collections.emptyMap(), true);
+        message.addRestHeaders(Collections.emptyMap(), true, null);
         assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS));
     }
 
     @Test
     public void testRestHeadersAreNotFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, false);
+        message.addRestHeaders(TEST_REST_HEADERS, false, WildcardMatcher.ANY);
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS);
     }
 

From 145fac0287991689b98a345c92ac516a166f113d Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 16:47:51 -0500
Subject: [PATCH 03/14] diff json

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/auditlog/config/AuditConfigSerializeTest.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 9a98c2d0e8..f50658b3e1 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -273,6 +273,7 @@ public void testNullSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
+                .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -293,7 +294,6 @@ public void testNullSerialize() throws IOException {
         // assert
         System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder);
         System.out.println("JSON OUTPUT IS: " + json);
-        System.out.println(jsonBuilder.);
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 

From a1d7b749dab1b499ab9f4932dfac8ccdd0d4ef41 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 18:22:37 -0500
Subject: [PATCH 04/14] Works other than audit config logs

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/auditlog/config/AuditConfig.java         | 11 +++++++----
 .../security/auditlog/impl/AuditMessage.java          |  2 +-
 .../auditlog/config/AuditConfigSerializeTest.java     |  2 ++
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 093babcd4d..6b3723c819 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -255,7 +255,9 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
             final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );
-            final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()));
+            final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(
+                    getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())
+            );
 
             return new Filter(
                 isRestApiAuditEnabled,
@@ -416,6 +418,7 @@ WildcardMatcher getIgnoredAuditRequestsMatcher() {
             return ignoredAuditRequestsMatcher;
         }
 
+
         public WildcardMatcher getIgnoredCustomHeadersMatcher() {
             return ignoredCustomHeadersMatcher;
         }
@@ -457,7 +460,7 @@ public void log(Logger logger) {
             logger.info("Index resolution is {} during request auditing.", resolveIndices ? "enabled" : "disabled");
             logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled");
             logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher);
-            logger.info("Auditing request headers {} is disabled.", ignoredCustomHeaders);
+            logger.info("Auditing request headers {} is disabled.", ignoredCustomHeadersMatcher);
         }
 
         @Override
@@ -483,8 +486,8 @@ public String toString() {
                 + ignoredAuditUsersMatcher
                 + ", ignoreAuditRequests="
                 + ignoredAuditRequestsMatcher
-                    + ", ignoredCustomHeaders="
-                    + ignoredCustomHeadersMatcher
+                + ", ignoredCustomHeaders="
+                + ignoredCustomHeadersMatcher
                 + '}';
         }
     }
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 6b74beeea2..0335fce806 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -384,7 +384,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
             if (filter.shouldLogRequestBody()) {
 
                 if (!(request instanceof OpenSearchRequest)) {
-                    // The request body is only avaliable on some request sources
+                    // The request body is only available on some request sources
                     return;
                 }
 
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index f50658b3e1..ea78354bff 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -136,6 +136,7 @@ public void testDeserialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("test-user-1"))
             .field("ignore_requests", Collections.singletonList("test-request"))
+                .field("ignore_headers", Collections.singletonList("test-headers"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -231,6 +232,7 @@ public void testSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2"))
             .field("ignore_requests", Collections.singletonList("ignore-request-1"))
+                .field("ignore_header", Collections.singletonList("test-header"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)

From e214e18db08f4daf44fd852c2c7dcef37e760383 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 15:36:09 -0500
Subject: [PATCH 05/14] Fix version bump

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 bwc-test/build.gradle                                    | 2 +-
 .../java/org/opensearch/test/framework/AuditFilters.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index b430929c0f..6fb7fc2348 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -47,7 +47,7 @@ buildscript {
         opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT")
         opensearch_group = "org.opensearch"
         common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
-        jackson_version = System.getProperty("jackson_version", "2.16.0")
+        jackson_version = System.getProperty("jackson_version", "2.15.2")
     }
     repositories {
         mavenLocal()
diff --git a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
index f984becefa..087342eb6f 100644
--- a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
+++ b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java
@@ -34,6 +34,8 @@ public class AuditFilters implements ToXContentObject {
 
     private List<String> ignoreRequests;
 
+    private List<String> ignoreHeaders;
+
     private List<String> disabledRestCategories;
 
     private List<String> disabledTransportCategories;
@@ -49,6 +51,7 @@ public AuditFilters() {
 
         this.ignoreUsers = Collections.emptyList();
         this.ignoreRequests = Collections.emptyList();
+        this.ignoreHeaders = Collections.emptyList();
         this.disabledRestCategories = Collections.emptyList();
         this.disabledTransportCategories = Collections.emptyList();
     }
@@ -93,6 +96,11 @@ public AuditFilters ignoreRequests(List<String> ignoreRequests) {
         return this;
     }
 
+    public AuditFilters ignoreHeaders(List<String> ignoreHeaders) {
+        this.ignoreHeaders = ignoreHeaders;
+        return this;
+    }
+
     public AuditFilters disabledRestCategories(List<String> disabledRestCategories) {
         this.disabledRestCategories = disabledRestCategories;
         return this;
@@ -114,6 +122,7 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params
         xContentBuilder.field("exclude_sensitive_headers", excludeSensitiveHeaders);
         xContentBuilder.field("ignore_users", ignoreUsers);
         xContentBuilder.field("ignore_requests", ignoreRequests);
+        xContentBuilder.field("ignore_headers", ignoreHeaders);
         xContentBuilder.field("disabled_rest_categories", disabledRestCategories);
         xContentBuilder.field("disabled_transport_categories", disabledTransportCategories);
         xContentBuilder.endObject();

From 23a3e4029e5cb6f40afc4c3b0868a0ad0ec8b942 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 16:29:42 -0500
Subject: [PATCH 06/14] Working setting

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/auditlog/config/AuditConfig.java | 22 ++++++++++++++-----
 .../security/auditlog/impl/AuditMessage.java  |  8 ++++---
 .../config/AuditConfigSerializeTest.java      |  7 +++---
 .../auditlog/impl/AuditMessageTest.java       | 14 +++++++++---
 4 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 6b3723c819..0593911e13 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -255,7 +255,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
             final Set<String> ignoreAuditRequests = ImmutableSet.copyOf(
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );
-            final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(
+            final Set<String> ignoreHeaders = ImmutableSet.copyOf(
                     getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())
             );
 
@@ -268,7 +268,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
-                ignoreCustomHeaders,
+                ignoreHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -303,7 +303,7 @@ public static Filter from(Settings settings) {
             );
             final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS);
             final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList());
-            final Set<String> ignoreCustomHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList());
+            final Set<String> ignoreHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList());
             return new Filter(
                 isRestApiAuditEnabled,
                 isTransportAuditEnabled,
@@ -313,7 +313,7 @@ public static Filter from(Settings settings) {
                 excludeSensitiveHeaders,
                 ignoredAuditUsers,
                 ignoreAuditRequests,
-                ignoreCustomHeaders,
+                ignoreHeaders,
                 disabledRestCategories,
                 disabledTransportCategories
             );
@@ -418,11 +418,21 @@ WildcardMatcher getIgnoredAuditRequestsMatcher() {
             return ignoredAuditRequestsMatcher;
         }
 
-
-        public WildcardMatcher getIgnoredCustomHeadersMatcher() {
+        @VisibleForTesting
+        WildcardMatcher getIgnoredCustomHeadersMatcher() {
             return ignoredCustomHeadersMatcher;
         }
 
+        /**
+         * Check if the specified header is excluded from the audit
+         *
+         * @param header
+         * @return true if header should be excluded
+         */
+        public boolean isHeaderDisabled(String header) {
+            return ignoredCustomHeadersMatcher.test(header);
+        }
+
         /**
          * Check if request is excluded from audit
          * @param action
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 0335fce806..c26e7802a3 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -356,12 +356,14 @@ public void addRestParams(Map<String, String> params) {
         }
     }
 
-    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, WildcardMatcher customHeaders) {
+    public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, AuditConfig.Filter filter) {
         if (headers != null && !headers.isEmpty()) {
             final Map<String, List<String>> headersClone = new HashMap<>(headers);
             if (excludeSensitiveHeaders) {
                 headersClone.keySet().removeIf(AUTHORIZATION_HEADER);
-                headersClone.keySet().removeIf(customHeaders);
+            }
+            if (filter != null) {
+                headersClone.entrySet().removeIf(entry -> filter.isHeaderDisabled(entry.getKey()));
             }
             auditInfo.put(REST_REQUEST_HEADERS, headersClone);
         }
@@ -377,7 +379,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
         if (request != null) {
             final String path = request.path().toString();
             addPath(path);
-            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter.getIgnoredCustomHeadersMatcher());
+            addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter);
             addRestParams(request.params());
             addRestMethod(request.method());
 
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index ea78354bff..97970a4d9a 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -232,7 +232,7 @@ public void testSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2"))
             .field("ignore_requests", Collections.singletonList("ignore-request-1"))
-                .field("ignore_header", Collections.singletonList("test-header"))
+                .field("ignore_headers", Collections.singletonList("test-header"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -251,6 +251,8 @@ public void testSerialize() throws IOException {
         // act
         final String json = objectMapper.writeValueAsString(auditConfig);
         // assert
+        System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder);
+        System.out.println("JSON OUTPUT IS: " + json);
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 
@@ -294,8 +296,7 @@ public void testNullSerialize() throws IOException {
         // act
         final String json = objectMapper.writeValueAsString(auditConfig);
         // assert
-        System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder);
-        System.out.println("JSON OUTPUT IS: " + json);
+
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index 518e380e8a..c912fad18c 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -29,6 +29,7 @@
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.auditlog.config.AuditConfig;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.support.WildcardMatcher;
 
@@ -62,24 +63,30 @@ public class AuditMessageTest {
     );
 
     private AuditMessage message;
+    private AuditConfig auditConfig;
 
     @Before
     public void setUp() {
         final ClusterService clusterServiceMock = mock(ClusterService.class);
         when(clusterServiceMock.localNode()).thenReturn(mock(DiscoveryNode.class));
         when(clusterServiceMock.getClusterName()).thenReturn(mock(ClusterName.class));
+        auditConfig = mock(AuditConfig.class);
+        final AuditConfig.Filter auditFilter = mock(AuditConfig.Filter.class);
+        when(auditConfig.getFilter()).thenReturn(auditFilter);
         message = new AuditMessage(AuditCategory.AUTHENTICATED, clusterServiceMock, AuditLog.Origin.REST, AuditLog.Origin.REST);
     }
 
     @Test
     public void testAuthorizationRestHeadersAreFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.NONE);
+        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+        message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4")));
     }
 
     @Test
     public void testCustomRestHeadersAreFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.from("test-header"));
+        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(true);
+        message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of());
     }
 
@@ -93,7 +100,8 @@ public void testRestHeadersNull() {
 
     @Test
     public void testRestHeadersAreNotFiltered() {
-        message.addRestHeaders(TEST_REST_HEADERS, false, WildcardMatcher.ANY);
+        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+        message.addRestHeaders(TEST_REST_HEADERS, false, null);
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS);
     }
 

From d0f14e0cd2812ed18f8bf6378bedda5819dd4bbf Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 16:31:56 -0500
Subject: [PATCH 07/14] spotless

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/OpenSearchSecurityPlugin.java     | 18 +++++++++---------
 .../security/auditlog/config/AuditConfig.java  |  3 +--
 .../auditlog/config/AuditConfigFilterTest.java |  4 ++--
 .../config/AuditConfigSerializeTest.java       | 11 +++++------
 .../auditlog/impl/AuditMessageTest.java        |  2 --
 5 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index e49845f64a..96553b538b 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1362,12 +1362,12 @@ public List<Setting<?>> getSettings() {
                 )
             );
             settings.add(
-                    Setting.listSetting(
-                            ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
-                            Collections.emptyList(),
-                            Function.identity(),
-                            Property.NodeScope
-                    )
+                Setting.listSetting(
+                    ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
+                    Collections.emptyList(),
+                    Function.identity(),
+                    Property.NodeScope
+                )
             );// not filtered here
             settings.add(
                 Setting.boolSetting(
@@ -1401,8 +1401,8 @@ public List<Setting<?>> getSettings() {
                             Property.NodeScope
                         );
                     case IGNORE_REQUESTS:
-					case IGNORE_HEADERS:
-						return Setting.listSetting(
+                    case IGNORE_HEADERS:
+                        return Setting.listSetting(
                             filterEntry.getKeyWithNamespace(),
                             Collections.emptyList(),
                             Function.identity(),
@@ -1415,7 +1415,7 @@ public List<Setting<?>> getSettings() {
                             Function.identity(),
                             Property.NodeScope
                         );
-					// All boolean settings with default of true
+                    // All boolean settings with default of true
                     case ENABLE_REST:
                     case ENABLE_TRANSPORT:
                     case EXCLUDE_SENSITIVE_HEADERS:
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 0593911e13..0ba94ab41e 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -256,7 +256,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE
                 getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList())
             );
             final Set<String> ignoreHeaders = ImmutableSet.copyOf(
-                    getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())
+                getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())
             );
 
             return new Filter(
@@ -412,7 +412,6 @@ public boolean isAuditDisabled(String user) {
             return ignoredAuditUsersMatcher.test(user);
         }
 
-
         @VisibleForTesting
         WildcardMatcher getIgnoredAuditRequestsMatcher() {
             return ignoredAuditRequestsMatcher;
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
index 3e9d2fe245..a28d940862 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
@@ -74,7 +74,7 @@ public void testConfig() {
             .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false)
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request")
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user")
-                .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header")
+            .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header")
             .putList(
                 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
                 BAD_HEADERS.toString(),
@@ -124,7 +124,7 @@ public void testEmpty() {
         final Settings settings = Settings.builder()
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())
-                .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList())
+            .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList())
             .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList())
             .build();
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 97970a4d9a..7ff300f085 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -72,7 +72,7 @@ public void testDefaultSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
-                .field("ignore_headers", Collections.emptyList())
+            .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -118,7 +118,6 @@ public void testDefaultDeserialize() throws IOException {
         assertEquals(DEFAULT_IGNORED_USER, compliance.getIgnoredComplianceUsersForWriteMatcher());
     }
 
-
     @Test
     public void testDeserialize() throws IOException {
         // arrange
@@ -136,7 +135,7 @@ public void testDeserialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", Collections.singletonList("test-user-1"))
             .field("ignore_requests", Collections.singletonList("test-request"))
-                .field("ignore_headers", Collections.singletonList("test-headers"))
+            .field("ignore_headers", Collections.singletonList("test-headers"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -200,7 +199,7 @@ public void testSerialize() throws IOException {
             true,
             ImmutableSet.of("ignore-user-1", "ignore-user-2"),
             ImmutableSet.of("ignore-request-1"),
-                ImmutableSet.of("test-header"),
+            ImmutableSet.of("test-header"),
             EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES),
             EnumSet.of(AUTHENTICATED)
         );
@@ -232,7 +231,7 @@ public void testSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2"))
             .field("ignore_requests", Collections.singletonList("ignore-request-1"))
-                .field("ignore_headers", Collections.singletonList("test-header"))
+            .field("ignore_headers", Collections.singletonList("test-header"))
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
@@ -277,7 +276,7 @@ public void testNullSerialize() throws IOException {
             .field("exclude_sensitive_headers", true)
             .field("ignore_users", ImmutableList.of("kibanaserver"))
             .field("ignore_requests", Collections.emptyList())
-                .field("ignore_headers", Collections.emptyList())
+            .field("ignore_headers", Collections.emptyList())
             .endObject()
             .startObject("compliance")
             .field("enabled", true)
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index c912fad18c..3ab7e6ed51 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -13,7 +13,6 @@
 
 import java.nio.ByteBuffer;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -31,7 +30,6 @@
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.config.AuditConfig;
 import org.opensearch.security.securityconf.impl.CType;
-import org.opensearch.security.support.WildcardMatcher;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;

From cde5bd9b6502b554b2892c8508cc016def9ea3ce Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 16:39:11 -0500
Subject: [PATCH 08/14] remove prints

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/auditlog/config/AuditConfigSerializeTest.java     | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 7ff300f085..9d4ef4e62b 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -250,8 +250,6 @@ public void testSerialize() throws IOException {
         // act
         final String json = objectMapper.writeValueAsString(auditConfig);
         // assert
-        System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder);
-        System.out.println("JSON OUTPUT IS: " + json);
         assertTrue(compareJson(jsonBuilder.toString(), json));
     }
 
@@ -380,7 +378,6 @@ private boolean compareJson(final String json1, final String json2) throws JsonP
         ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class);
         ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class);
 
-        System.out.println("Checking if " + objectNode1 + " is equal to " + objectNode2 + ". Equal? " + objectNode1.equals(objectNode2));
         return objectNode1.equals(objectNode2);
     }
 }

From c9ff35aaf2b2decaedc1cae991fc2b1ec3b66768 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 18:26:34 -0500
Subject: [PATCH 09/14] fix tests

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../opensearch/security/dlic/rest/api/AuditApiActionTest.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index b512ae2228..b3d916e8ed 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -682,7 +682,7 @@ private String getTestPayload() {
             + "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"],"
             + "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"],"
             + "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true,"
-            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"]},"
+            + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"], \"ignore_headers\":[\"\"]},"
             + "\"compliance\":{"
             + "\"enabled\":true,"
             + "\"internal_config\":true,\"external_config\":true,"

From c5a7238383ee365b627ce311b9dd91730b438dac Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Tue, 2 Jan 2024 09:57:33 -0500
Subject: [PATCH 10/14] Update
 src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java

Co-authored-by: Craig Perkins <craig5008@gmail.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 .../org/opensearch/security/auditlog/impl/AuditMessage.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index c26e7802a3..b57becc359 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -363,7 +363,7 @@ public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSen
                 headersClone.keySet().removeIf(AUTHORIZATION_HEADER);
             }
             if (filter != null) {
-                headersClone.entrySet().removeIf(entry -> filter.isHeaderDisabled(entry.getKey()));
+                headersClone.entrySet().removeIf(entry -> filter.shouldExcludeHeader(entry.getKey()));
             }
             auditInfo.put(REST_REQUEST_HEADERS, headersClone);
         }

From f9af98a69aa3a2048827f68c3f8a53066097ab72 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Tue, 2 Jan 2024 10:00:48 -0500
Subject: [PATCH 11/14] rename method

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../org/opensearch/security/auditlog/config/AuditConfig.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 0ba94ab41e..7b173099b5 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -428,7 +428,7 @@ WildcardMatcher getIgnoredCustomHeadersMatcher() {
          * @param header
          * @return true if header should be excluded
          */
-        public boolean isHeaderDisabled(String header) {
+        public boolean shouldExcludeHeader(String header) {
             return ignoredCustomHeadersMatcher.test(header);
         }
 

From 00baf13aba1eafe1cd6e1506ea3dcfc465992066 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Tue, 2 Jan 2024 13:05:04 -0500
Subject: [PATCH 12/14] spotless and fix rename

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 config/config.yml                                           | 1 +
 .../org/opensearch/security/OpenSearchSecurityPlugin.java   | 6 +++---
 .../opensearch/security/auditlog/impl/AuditMessageTest.java | 6 +++---
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/config/config.yml b/config/config.yml
index 1493a0d7f1..61da6ae989 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -84,6 +84,7 @@ config:
         ###### and here https://tools.ietf.org/html/rfc7239
         ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
     authc:
+
       kerberos_auth_domain:
         http_enabled: false
         transport_enabled: false
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 96553b538b..b0263e06d4 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1352,7 +1352,7 @@ public List<Setting<?>> getSettings() {
                     Function.identity(),
                     Property.NodeScope
                 )
-            ); // not filtered here
+            );
             settings.add(
                 Setting.listSetting(
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS,
@@ -1360,7 +1360,7 @@ public List<Setting<?>> getSettings() {
                     Function.identity(),
                     Property.NodeScope
                 )
-            );
+            ); // not filtered here
             settings.add(
                 Setting.listSetting(
                     ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
@@ -1368,7 +1368,7 @@ public List<Setting<?>> getSettings() {
                     Function.identity(),
                     Property.NodeScope
                 )
-            );// not filtered here
+            );
             settings.add(
                 Setting.boolSetting(
                     ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS,
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index 3ab7e6ed51..3b7fc916ef 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -76,14 +76,14 @@ public void setUp() {
 
     @Test
     public void testAuthorizationRestHeadersAreFiltered() {
-        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
         message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4")));
     }
 
     @Test
     public void testCustomRestHeadersAreFiltered() {
-        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(true);
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(true);
         message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of());
     }
@@ -98,7 +98,7 @@ public void testRestHeadersNull() {
 
     @Test
     public void testRestHeadersAreNotFiltered() {
-        when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+        when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
         message.addRestHeaders(TEST_REST_HEADERS, false, null);
         assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS);
     }

From bb7b530b510ff649d9ca988ec61e71bde22f7d35 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 3 Jan 2024 13:03:01 -0500
Subject: [PATCH 13/14] Apply suggestions from code review

Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 .../org/opensearch/security/compliance/ComplianceConfig.java     | 1 -
 .../security/auditlog/config/AuditConfigSerializeTest.java       | 1 -
 2 files changed, 2 deletions(-)

diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index 4e24048bda..edc5248781 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -235,7 +235,6 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje
         final Set<String> ignoredComplianceUsersForRead = ImmutableSet.copyOf(
             getOrDefault(properties, "read_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS)
         );
-
         final boolean logWriteMetadataOnly = getOrDefault(properties, "write_metadata_only", false);
         final boolean logDiffsForWrite = getOrDefault(properties, "write_log_diffs", false);
         final List<String> watchedWriteIndicesPatterns = getOrDefault(properties, "write_watched_indices", Collections.emptyList());
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 9d4ef4e62b..b0b93afc54 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -377,7 +377,6 @@ public void testCustomSettings() throws IOException {
     private boolean compareJson(final String json1, final String json2) throws JsonProcessingException {
         ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class);
         ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class);
-
         return objectNode1.equals(objectNode2);
     }
 }

From 6d630d1d6bd1bb9fb5fab9eb165d94f9e2f503e7 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 3 Jan 2024 13:47:57 -0500
Subject: [PATCH 14/14] Update config/config.yml

Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 config/config.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/config.yml b/config/config.yml
index 61da6ae989..1493a0d7f1 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -84,7 +84,6 @@ config:
         ###### and here https://tools.ietf.org/html/rfc7239
         ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
     authc:
-
       kerberos_auth_domain:
         http_enabled: false
         transport_enabled: false