From efad9b75a76590e5665ae7782e073137b32f387f Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 11:34:56 -0500
Subject: [PATCH 01/14] fix dependency conflict

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 bwc-test/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
index 6fb7fc2348..b430929c0f 100644
--- a/bwc-test/build.gradle
+++ b/bwc-test/build.gradle
@@ -47,7 +47,7 @@ buildscript {
 opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT")
 opensearch_group = "org.opensearch"
 common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
- jackson_version = System.getProperty("jackson_version", "2.15.2")
+ jackson_version = System.getProperty("jackson_version", "2.16.0")
 }
 repositories {
 mavenLocal()

From afe8991d3ee66cfa8ce4fe3f9d5d6f7bf752dc28 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Wed, 20 Dec 2023 15:34:19 -0500
Subject: [PATCH 02/14] rework audit log fix

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../security/OpenSearchSecurityPlugin.java | 15 ++++++++---
 .../security/auditlog/config/AuditConfig.java | 26 ++++++++++++++++---
 .../auditlog/impl/AbstractAuditLog.java | 5 ----
 .../security/auditlog/impl/AuditMessage.java | 5 ++--
 .../security/compliance/ComplianceConfig.java | 1 +
 .../security/support/ConfigConstants.java | 1 +
 .../config/AuditConfigFilterTest.java | 4 +++
 .../config/AuditConfigSerializeTest.java | 9 +++++++
 .../auditlog/impl/AuditMessageTest.java | 18 +++++++++----
 9 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 3c04816c32..e49845f64a 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1360,7 +1360,15 @@ public List<Setting<?>> getSettings() { Function.identity(), Property.NodeScope ) - ); // not filtered here + ); + settings.add( + Setting.listSetting( + ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, + Collections.emptyList(), + Function.identity(), + Property.NodeScope + ) + );// not filtered here settings.add( Setting.boolSetting( ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, @@ -1393,7 +1401,8 @@ public List<Setting<?>> getSettings() { Property.NodeScope ); case IGNORE_REQUESTS: - return Setting.listSetting( + case IGNORE_HEADERS: + return Setting.listSetting( filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), @@ -1406,7 +1415,7 @@ public List<Setting<?>> getSettings() { Function.identity(), Property.NodeScope ); - // All boolean settings with default of true + // All boolean settings with default of true case ENABLE_REST: case ENABLE_TRANSPORT: case EXCLUDE_SENSITIVE_HEADERS: diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 2cffd93dfa..093babcd4d 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -62,7 +62,8 @@ * "ignore_users" : [ * "kibanaserver" * ], - * "ignore_requests" : [ ] + * "ignore_requests" : [ ], + * "ignore_headers" : [ ], * }, * "compliance" : { * "enabled": true, @@ -82,6 +83,7 @@ public class AuditConfig { public static final List<String> DEFAULT_IGNORED_USERS = Collections.singletonList("kibanaserver"); + private static Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class); private AuditConfig() { 
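Review bot: The `// not filtered here` comment that previously closed the preceding `settings.add(...)` now sits, without a space, behind the new `ignore_headers` registration (`);// not filtered here`), so it reads as describing the new setting; keep it on the original closing line as `); // not filtered here` and end the new block with a plain `);`. The `FilterEntries` switch in the second hunk of this file also registers `filterEntry.getKeyWithNamespace()` for the new `IGNORE_HEADERS` entry; if that key resolves to the same string as `ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS`, the setting is registered twice and I believe node startup rejects duplicate setting registrations — worth confirming against `getKeyWithNamespace()`, which is outside this hunk. `getSettings()` starts and ends outside the hunk.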
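Review bot: The sample configuration in the `AuditConfig` class Javadoc now closes the filter object with `"ignore_headers" : [ ],` — a trailing comma before `}`, which is not valid JSON and may be pasted into real configs; drop it: `"ignore_headers" : [ ]`. Since this Javadoc is the only user-facing description of the key on this page, a sentence saying that entries are header-name patterns removed from the audited REST request headers would also help.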
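Review bot: `private static Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class);` is a mutable static with a constant-style name, and nothing in this patch series reads it; the sibling `DEFAULT_IGNORED_USERS` right above it is `static final`. Either make it `private static final Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class);` and use it where it is needed, or leave it out of this change. The body of `AuditConfig` continues outside the hunk.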
@@ -138,8 +140,11 @@ public static class Filter { private final Set<String> ignoredAuditUsers; @JsonProperty("ignore_requests") private final Set<String> ignoredAuditRequests; + @JsonProperty("ignore_headers") + private final Set<String> ignoredCustomHeaders; private final WildcardMatcher ignoredAuditUsersMatcher; private final WildcardMatcher ignoredAuditRequestsMatcher; + private final WildcardMatcher ignoredCustomHeadersMatcher; private final Set<AuditCategory> disabledRestCategories; private final Set<AuditCategory> disabledTransportCategories; @@ -153,6 +158,7 @@ public static class Filter { final boolean excludeSensitiveHeaders, final Set<String> ignoredAuditUsers, final Set<String> ignoredAuditRequests, + final Set<String> ignoredCustomHeaders, final Set<AuditCategory> disabledRestCategories, final Set<AuditCategory> disabledTransportCategories ) { @@ -166,6 +172,8 @@ public static class Filter { this.ignoredAuditUsersMatcher = WildcardMatcher.from(ignoredAuditUsers); this.ignoredAuditRequests = ignoredAuditRequests; this.ignoredAuditRequestsMatcher = WildcardMatcher.from(ignoredAuditRequests); + this.ignoredCustomHeaders = ignoredCustomHeaders; + this.ignoredCustomHeadersMatcher = WildcardMatcher.from(ignoredCustomHeaders); this.disabledRestCategories = disabledRestCategories; this.disabledTransportCategories = disabledTransportCategories; } @@ -183,7 +191,8 @@ public enum FilterEntries { ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES ), IGNORE_USERS("ignore_users", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS), - IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS); + IGNORE_REQUESTS("ignore_requests", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS), + IGNORE_HEADERS("ignore_headers", ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS); private final String key; private final String legacyKeyWithNamespace; 
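Review bot: `this.ignoredCustomHeadersMatcher = WildcardMatcher.from(ignoredCustomHeaders);` builds the header matcher with the default factory, which as far as I can tell matches case-sensitively, while HTTP header names are case-insensitive and arrive in whatever casing the client used; an operator who lists `X-Custom-Token` would still see `x-custom-token` written to the audit log, which defeats the purpose of the setting. If `WildcardMatcher` offers a case-insensitive factory overload (the existing authorization-header exclusion in `AuditMessage` is the place to check how that is done), use it here; otherwise normalise both the patterns and the header name to one case before `isHeaderDisabled` in patch 06 tests them. A test passing a differently-cased header name would pin the behaviour down. The `Filter` constructor starts outside the hunk.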
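Review bot: `IGNORE_HEADERS("ignore_headers", ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS)` places a `plugins.security.*` key in the `legacyKeyWithNamespace` slot, whereas every other entry carries an `opendistro_security.*` key there; this setting has no legacy form, and if `getKeyWithNamespace()` (outside the hunk) derives a second `plugins.security.*` name, the new setting becomes addressable under two non-legacy keys. Document on the constant which name is canonical, e.g. `// no opendistro_security legacy key; the explicit registration in OpenSearchSecurityPlugin uses this name`, or pass the canonical key consistently. `FilterEntries` continues outside the hunk.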
@@ -246,6 +255,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE final Set<String> ignoreAuditRequests = ImmutableSet.copyOf( getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()) ); + final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())); return new Filter( isRestApiAuditEnabled, @@ -256,6 +266,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE excludeSensitiveHeaders, ignoredAuditUsers, ignoreAuditRequests, + ignoreCustomHeaders, disabledRestCategories, disabledTransportCategories ); @@ -290,7 +301,7 @@ public static Filter from(Settings settings) { ); final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS); final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList()); - + final Set<String> ignoreCustomHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList()); return new Filter( isRestApiAuditEnabled, isTransportAuditEnabled, @@ -300,6 +311,7 @@ public static Filter from(Settings settings) { excludeSensitiveHeaders, ignoredAuditUsers, ignoreAuditRequests, + ignoreCustomHeaders, disabledRestCategories, disabledTransportCategories ); @@ -398,11 +410,16 @@ public boolean isAuditDisabled(String user) { return ignoredAuditUsersMatcher.test(user); } + @VisibleForTesting WildcardMatcher getIgnoredAuditRequestsMatcher() { return ignoredAuditRequestsMatcher; } + public WildcardMatcher getIgnoredCustomHeadersMatcher() { + return ignoredCustomHeadersMatcher; + } + /** * Check if request is excluded from audit * @param action 
@@ -440,6 +457,7 @@ public void log(Logger logger) { logger.info("Index resolution is {} during request auditing.", resolveIndices ? "enabled" : "disabled"); logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled"); logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher); + logger.info("Auditing request headers {} is disabled.", ignoredCustomHeaders); } @Override @@ -465,6 +483,8 @@ public String toString() { + ignoredAuditUsersMatcher + ", ignoreAuditRequests=" + ignoredAuditRequestsMatcher + + ", ignoredCustomHeaders=" + + ignoredCustomHeadersMatcher + '}'; } } diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index d97adc358b..e5f314cd29 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java @@ -927,11 +927,6 @@ boolean checkRestFilter(final AuditCategory category, final String effectiveUser } return false; } - - // check rest audit enabled - // check category enabled - // check action - // check ignoreAuditUsers } protected abstract void save(final AuditMessage msg); diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 8b24a554d1..6b74beeea2 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java 
@@ -356,11 +356,12 @@ public void addRestParams(Map<String, String> params) { } } - public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders) { + public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, WildcardMatcher customHeaders) { if (headers != null && !headers.isEmpty()) { final Map<String, List<String>> headersClone = new HashMap<>(headers); if (excludeSensitiveHeaders) { headersClone.keySet().removeIf(AUTHORIZATION_HEADER); + headersClone.keySet().removeIf(customHeaders); } auditInfo.put(REST_REQUEST_HEADERS, headersClone); } @@ -376,7 +377,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter if (request != null) { final String path = request.path().toString(); addPath(path); - addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders()); + addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter.getIgnoredCustomHeadersMatcher()); addRestParams(request.params()); addRestMethod(request.method()); diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java index edc5248781..4e24048bda 100644 --- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java +++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java @@ -235,6 +235,7 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje final Set<String> ignoredComplianceUsersForRead = ImmutableSet.copyOf( getOrDefault(properties, "read_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS) ); + final boolean logWriteMetadataOnly = getOrDefault(properties, "write_metadata_only", false); final boolean logDiffsForWrite = getOrDefault(properties, "write_log_diffs", false); final List<String> watchedWriteIndicesPatterns = getOrDefault(properties, "write_watched_indices", Collections.emptyList()); 
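Review bot: `final boolean logWriteMetadataOnly = getOrDefault(properties, "write_metadata_only", false);` is unrelated to the `ignore_headers` feature this commit describes, and in the visible lines it is assigned but never passed on; if the remainder of `ComplianceConfig.from(...)` (outside the hunk) does not consume it, it is an unused local that Error Prone will flag, and if it is meant to introduce a `write_metadata_only` option it needs its own commit with serialisation tests. Either drop it here or wire it through and cover it.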
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index f10dedade3..d4383c05de 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java @@ -165,6 +165,7 @@ public class ConfigConstants { ); public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users"; public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests"; + public static final String SECURITY_AUDIT_IGNORE_HEADERS = "plugins.security.audit.ignore_headers"; public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests"; public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true; public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false; diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java index e40e65549f..3e9d2fe245 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java @@ -57,6 +57,7 @@ public void testDefault() { assertTrue(auditConfigFilter.shouldExcludeSensitiveHeaders()); assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredAuditRequestsMatcher()); assertEquals(defaultIgnoredUserMatcher, auditConfigFilter.getIgnoredAuditUsersMatcher()); + assertSame(WildcardMatcher.NONE, auditConfigFilter.getIgnoredCustomHeadersMatcher()); assertEquals(auditConfigFilter.getDisabledRestCategories(), defaultDisabledCategories); assertEquals(auditConfigFilter.getDisabledTransportCategories(), defaultDisabledCategories); } 
@@ -73,6 +74,7 @@ public void testConfig() { .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request") .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user") + .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header") .putList( ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, BAD_HEADERS.toString(), @@ -95,6 +97,7 @@ public void testConfig() { assertFalse(auditConfigFilter.shouldExcludeSensitiveHeaders()); assertEquals(WildcardMatcher.from(Collections.singleton("test-user")), auditConfigFilter.getIgnoredAuditUsersMatcher()); assertEquals(WildcardMatcher.from(Collections.singleton("test-request")), auditConfigFilter.getIgnoredAuditRequestsMatcher()); + assertEquals(WildcardMatcher.from(Collections.singleton("test-header")), auditConfigFilter.getIgnoredCustomHeadersMatcher()); assertEquals(auditConfigFilter.getDisabledRestCategories(), EnumSet.of(BAD_HEADERS, SSL_EXCEPTION)); assertEquals(auditConfigFilter.getDisabledTransportCategories(), EnumSet.of(FAILED_LOGIN, MISSING_PRIVILEGES)); } @@ -121,6 +124,7 @@ public void testEmpty() { final Settings settings = Settings.builder() .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList()) + .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList()) .build(); diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index 0b50c2ac20..9a98c2d0e8 100644 
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java @@ -72,6 +72,7 @@ public void testDefaultSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", Collections.singletonList("kibanaserver")) .field("ignore_requests", Collections.emptyList()) + .field("ignore_headers", Collections.emptyList()) .endObject() .startObject("compliance") .field("enabled", true) @@ -107,6 +108,7 @@ public void testDefaultDeserialize() throws IOException { assertTrue(audit.shouldExcludeSensitiveHeaders()); assertSame(WildcardMatcher.NONE, audit.getIgnoredAuditRequestsMatcher()); assertEquals(DEFAULT_IGNORED_USER, audit.getIgnoredAuditUsersMatcher()); + assertEquals(WildcardMatcher.NONE, audit.getIgnoredCustomHeadersMatcher()); assertFalse(compliance.shouldLogExternalConfig()); assertFalse(compliance.shouldLogInternalConfig()); assertFalse(compliance.shouldLogReadMetadataOnly()); @@ -116,6 +118,7 @@ public void testDefaultDeserialize() throws IOException { assertEquals(DEFAULT_IGNORED_USER, compliance.getIgnoredComplianceUsersForWriteMatcher()); } + @Test public void testDeserialize() throws IOException { // arrange @@ -196,6 +199,7 @@ public void testSerialize() throws IOException { true, ImmutableSet.of("ignore-user-1", "ignore-user-2"), ImmutableSet.of("ignore-request-1"), + ImmutableSet.of("test-header"), EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES), EnumSet.of(AUTHENTICATED) ); @@ -287,6 +291,9 @@ public void testNullSerialize() throws IOException { // act final String json = objectMapper.writeValueAsString(auditConfig); // assert + System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder); + System.out.println("JSON OUTPUT IS: " + json); + System.out.println(jsonBuilder.); assertTrue(compareJson(jsonBuilder.toString(), json)); } 
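Review bot: `System.out.println(jsonBuilder.);` is not valid Java, so this commit does not compile; patch 03 removes the line, but the broken intermediate state will trip `git bisect` and should be squashed away. The two surviving `System.out.println` calls in this hunk, the one added to `compareJson` in the next hunk of this file, and the pair reintroduced into `testSerialize` by patch 06 are debugging output with no assertion value and should go before merge (the `@Test` this commit adds to `testDeserialize` is the part worth keeping, since that test was previously never run). `testNullSerialize` starts outside the hunk.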
@@ -370,6 +377,8 @@ public void testCustomSettings() throws IOException { private boolean compareJson(final String json1, final String json2) throws JsonProcessingException { ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class); ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class); + + System.out.println("Checking if " + objectNode1 + " is equal to " + objectNode2 + ". Equal? " + objectNode1.equals(objectNode2)); return objectNode1.equals(objectNode2); } } diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java index d915c02e55..518e380e8a 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java @@ -13,6 +13,7 @@ import java.nio.ByteBuffer; import java.util.Collections; +import java.util.HashMap; import java.util.List; import java.util.Map; @@ -29,6 +30,7 @@ import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.securityconf.impl.CType; +import org.opensearch.security.support.WildcardMatcher; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; 
@@ -70,22 +72,28 @@ public void setUp() { } @Test - public void testRestHeadersAreFiltered() { - message.addRestHeaders(TEST_REST_HEADERS, true); + public void testAuthorizationRestHeadersAreFiltered() { + message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.NONE); assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4"))); } + @Test + public void testCustomRestHeadersAreFiltered() { + message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.from("test-header")); + assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of()); + } + @Test public void testRestHeadersNull() { - message.addRestHeaders(null, true); + message.addRestHeaders(null, true, null); assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS)); - message.addRestHeaders(Collections.emptyMap(), true); + message.addRestHeaders(Collections.emptyMap(), true, null); assertNull(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS)); } @Test public void testRestHeadersAreNotFiltered() { - message.addRestHeaders(TEST_REST_HEADERS, false); + message.addRestHeaders(TEST_REST_HEADERS, false, WildcardMatcher.ANY); assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS); } From 145fac0287991689b98a345c92ac516a166f113d Mon Sep 17 00:00:00 2001 From: Stephen Crawford <steecraw@amazon.com> Date: Wed, 20 Dec 2023 16:47:51 -0500 Subject: [PATCH 03/14] diff json Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- .../security/auditlog/config/AuditConfigSerializeTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index 9a98c2d0e8..f50658b3e1 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java 
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java @@ -273,6 +273,7 @@ public void testNullSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", ImmutableList.of("kibanaserver")) .field("ignore_requests", Collections.emptyList()) + .field("ignore_headers", Collections.emptyList()) .endObject() .startObject("compliance") .field("enabled", true) @@ -293,7 +294,6 @@ public void testNullSerialize() throws IOException { // assert System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder); System.out.println("JSON OUTPUT IS: " + json); - System.out.println(jsonBuilder.); assertTrue(compareJson(jsonBuilder.toString(), json)); } From a1d7b749dab1b499ab9f4932dfac8ccdd0d4ef41 Mon Sep 17 00:00:00 2001 From: Stephen Crawford <steecraw@amazon.com> Date: Wed, 20 Dec 2023 18:22:37 -0500 Subject: [PATCH 04/14] Works other than audit config logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- .../security/auditlog/config/AuditConfig.java | 11 +++++++---- .../security/auditlog/impl/AuditMessage.java | 2 +- .../auditlog/config/AuditConfigSerializeTest.java | 2 ++ 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 093babcd4d..6b3723c819 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java 
@@ -255,7 +255,9 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE final Set<String> ignoreAuditRequests = ImmutableSet.copyOf( getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()) ); - final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf(getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList())); + final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf( + getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()) + ); return new Filter( isRestApiAuditEnabled, @@ -416,6 +418,7 @@ WildcardMatcher getIgnoredAuditRequestsMatcher() { return ignoredAuditRequestsMatcher; } + public WildcardMatcher getIgnoredCustomHeadersMatcher() { return ignoredCustomHeadersMatcher; } @@ -457,7 +460,7 @@ public void log(Logger logger) { logger.info("Index resolution is {} during request auditing.", resolveIndices ? "enabled" : "disabled"); logger.info("Sensitive headers auditing is {}.", excludeSensitiveHeaders ? "enabled" : "disabled"); logger.info("Auditing requests from {} users is disabled.", ignoredAuditUsersMatcher); - logger.info("Auditing request headers {} is disabled.", ignoredCustomHeaders); + logger.info("Auditing request headers {} is disabled.", ignoredCustomHeadersMatcher); } @Override @@ -483,8 +486,8 @@ public String toString() { + ignoredAuditUsersMatcher + ", ignoreAuditRequests=" + ignoredAuditRequestsMatcher - + ", ignoredCustomHeaders=" - + ignoredCustomHeadersMatcher + + ", ignoredCustomHeaders=" + + ignoredCustomHeadersMatcher + '}'; } } diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 6b74beeea2..0335fce806 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java 
@@ -384,7 +384,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter if (filter.shouldLogRequestBody()) { if (!(request instanceof OpenSearchRequest)) { - // The request body is only avaliable on some request sources + // The request body is only available on some request sources return; } diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index f50658b3e1..ea78354bff 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java @@ -136,6 +136,7 @@ public void testDeserialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", Collections.singletonList("test-user-1")) .field("ignore_requests", Collections.singletonList("test-request")) + .field("ignore_headers", Collections.singletonList("test-headers")) .endObject() .startObject("compliance") .field("enabled", true) @@ -231,6 +232,7 @@ public void testSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2")) .field("ignore_requests", Collections.singletonList("ignore-request-1")) + .field("ignore_header", Collections.singletonList("test-header")) .endObject() .startObject("compliance") .field("enabled", true) From e214e18db08f4daf44fd852c2c7dcef37e760383 Mon Sep 17 00:00:00 2001 From: Stephen Crawford <steecraw@amazon.com> Date: Thu, 21 Dec 2023 15:36:09 -0500 Subject: [PATCH 05/14] Fix version bump Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- bwc-test/build.gradle | 2 +- .../java/org/opensearch/test/framework/AuditFilters.java | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle index b430929c0f..6fb7fc2348 100644 
--- a/bwc-test/build.gradle +++ b/bwc-test/build.gradle @@ -47,7 +47,7 @@ buildscript { opensearch_version = System.getProperty("opensearch.version", "3.0.0-SNAPSHOT") opensearch_group = "org.opensearch" common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT') - jackson_version = System.getProperty("jackson_version", "2.16.0") + jackson_version = System.getProperty("jackson_version", "2.15.2") } repositories { mavenLocal() diff --git a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java index f984becefa..087342eb6f 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java +++ b/src/integrationTest/java/org/opensearch/test/framework/AuditFilters.java @@ -34,6 +34,8 @@ public class AuditFilters implements ToXContentObject { private List<String> ignoreRequests; + private List<String> ignoreHeaders; + private List<String> disabledRestCategories; private List<String> disabledTransportCategories; @@ -49,6 +51,7 @@ public AuditFilters() { this.ignoreUsers = Collections.emptyList(); this.ignoreRequests = Collections.emptyList(); + this.ignoreHeaders = Collections.emptyList(); this.disabledRestCategories = Collections.emptyList(); this.disabledTransportCategories = Collections.emptyList(); } @@ -93,6 +96,11 @@ public AuditFilters ignoreRequests(List<String> ignoreRequests) { return this; } + public AuditFilters ignoreHeaders(List<String> ignoreHeaders) { + this.ignoreHeaders = ignoreHeaders; + return this; + } + public AuditFilters disabledRestCategories(List<String> disabledRestCategories) { this.disabledRestCategories = disabledRestCategories; return this; 
@@ -114,6 +122,7 @@ public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params xContentBuilder.field("exclude_sensitive_headers", excludeSensitiveHeaders); xContentBuilder.field("ignore_users", ignoreUsers); xContentBuilder.field("ignore_requests", ignoreRequests); + xContentBuilder.field("ignore_headers", ignoreHeaders); xContentBuilder.field("disabled_rest_categories", disabledRestCategories); xContentBuilder.field("disabled_transport_categories", disabledTransportCategories); xContentBuilder.endObject(); From 23a3e4029e5cb6f40afc4c3b0868a0ad0ec8b942 Mon Sep 17 00:00:00 2001 From: Stephen Crawford <steecraw@amazon.com> Date: Thu, 21 Dec 2023 16:29:42 -0500 Subject: [PATCH 06/14] Working setting Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- .../security/auditlog/config/AuditConfig.java | 22 ++++++++++++++----- .../security/auditlog/impl/AuditMessage.java | 8 ++++--- .../config/AuditConfigSerializeTest.java | 7 +++--- .../auditlog/impl/AuditMessageTest.java | 14 +++++++++--- 4 files changed, 36 insertions(+), 15 deletions(-) diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 6b3723c819..0593911e13 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -255,7 +255,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE final Set<String> ignoreAuditRequests = ImmutableSet.copyOf( getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()) ); - final Set<String> ignoreCustomHeaders = ImmutableSet.copyOf( + final Set<String> ignoreHeaders = ImmutableSet.copyOf( getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()) ); 
@@ -268,7 +268,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE excludeSensitiveHeaders, ignoredAuditUsers, ignoreAuditRequests, - ignoreCustomHeaders, + ignoreHeaders, disabledRestCategories, disabledTransportCategories ); @@ -303,7 +303,7 @@ public static Filter from(Settings settings) { ); final Set<String> ignoredAuditUsers = fromSettingStringSet(settings, FilterEntries.IGNORE_USERS, DEFAULT_IGNORED_USERS); final Set<String> ignoreAuditRequests = fromSettingStringSet(settings, FilterEntries.IGNORE_REQUESTS, Collections.emptyList()); - final Set<String> ignoreCustomHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList()); + final Set<String> ignoreHeaders = fromSettingStringSet(settings, FilterEntries.IGNORE_HEADERS, Collections.emptyList()); return new Filter( isRestApiAuditEnabled, isTransportAuditEnabled, @@ -313,7 +313,7 @@ public static Filter from(Settings settings) { excludeSensitiveHeaders, ignoredAuditUsers, ignoreAuditRequests, - ignoreCustomHeaders, + ignoreHeaders, disabledRestCategories, disabledTransportCategories ); @@ -418,11 +418,21 @@ WildcardMatcher getIgnoredAuditRequestsMatcher() { return ignoredAuditRequestsMatcher; } - - public WildcardMatcher getIgnoredCustomHeadersMatcher() { + @VisibleForTesting + WildcardMatcher getIgnoredCustomHeadersMatcher() { return ignoredCustomHeadersMatcher; } + /** + * Check if the specified header is excluded from the audit + * + * @param header + * @return true if header should be excluded + */ + public boolean isHeaderDisabled(String header) { + return ignoredCustomHeadersMatcher.test(header); + } + /** * Check if request is excluded from audit * @param action diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 0335fce806..c26e7802a3 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java 
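Review bot: The Javadoc on the new `isHeaderDisabled` leaves its `@param header` tag empty; fill it in, e.g. `@param header the request header name to test against the configured ignore_headers patterns`, and state in the summary whether the comparison is case-sensitive, because that determines whether an entry such as `X-Foo` also covers `x-foo` as sent by clients. `Filter` continues outside the hunk.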
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java @@ -356,12 +356,14 @@ public void addRestParams(Map<String, String> params) { } } - public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, WildcardMatcher customHeaders) { + public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, AuditConfig.Filter filter) { if (headers != null && !headers.isEmpty()) { final Map<String, List<String>> headersClone = new HashMap<>(headers); if (excludeSensitiveHeaders) { headersClone.keySet().removeIf(AUTHORIZATION_HEADER); - headersClone.keySet().removeIf(customHeaders); + } + if (filter != null) { + headersClone.entrySet().removeIf(entry -> filter.isHeaderDisabled(entry.getKey())); } auditInfo.put(REST_REQUEST_HEADERS, headersClone); } @@ -377,7 +379,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter if (request != null) { final String path = request.path().toString(); addPath(path); - addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter.getIgnoredCustomHeadersMatcher()); + addRestHeaders(request.getHeaders(), filter.shouldExcludeSensitiveHeaders(), filter); addRestParams(request.params()); addRestMethod(request.method()); diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index ea78354bff..97970a4d9a 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java 
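Review bot: `addRestHeaders(Map<String, List<String>> headers, boolean excludeSensitiveHeaders, AuditConfig.Filter filter)` now receives both a flag the caller derived from `filter.shouldExcludeSensitiveHeaders()` and the filter itself, so the two can disagree; the only production caller, in the next hunk, passes both from the same filter. A smaller surface would read the boolean inside, and the method should document that a null `filter` skips the configured header exclusions while the authorization exclusion still applies — today that contract exists only in the tests that pass `null`. This public signature has changed twice in the series, so its final shape is worth settling here rather than later.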
@@ -232,7 +232,7 @@ public void testSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2")) .field("ignore_requests", Collections.singletonList("ignore-request-1")) - .field("ignore_header", Collections.singletonList("test-header")) + .field("ignore_headers", Collections.singletonList("test-header")) .endObject() .startObject("compliance") .field("enabled", true) @@ -251,6 +251,8 @@ public void testSerialize() throws IOException { // act final String json = objectMapper.writeValueAsString(auditConfig); // assert + System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder); + System.out.println("JSON OUTPUT IS: " + json); assertTrue(compareJson(jsonBuilder.toString(), json)); } @@ -294,8 +296,7 @@ public void testNullSerialize() throws IOException { // act final String json = objectMapper.writeValueAsString(auditConfig); // assert - System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder); - System.out.println("JSON OUTPUT IS: " + json); + assertTrue(compareJson(jsonBuilder.toString(), json)); } diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java index 518e380e8a..c912fad18c 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java @@ -29,6 +29,7 @@ import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.security.auditlog.AuditLog; +import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.securityconf.impl.CType; import org.opensearch.security.support.WildcardMatcher; 
@@ -62,24 +63,30 @@ public class AuditMessageTest { ); private AuditMessage message; + private AuditConfig auditConfig; @Before public void setUp() { final ClusterService clusterServiceMock = mock(ClusterService.class); when(clusterServiceMock.localNode()).thenReturn(mock(DiscoveryNode.class)); when(clusterServiceMock.getClusterName()).thenReturn(mock(ClusterName.class)); + auditConfig = mock(AuditConfig.class); + final AuditConfig.Filter auditFilter = mock(AuditConfig.Filter.class); + when(auditConfig.getFilter()).thenReturn(auditFilter); message = new AuditMessage(AuditCategory.AUTHENTICATED, clusterServiceMock, AuditLog.Origin.REST, AuditLog.Origin.REST); } @Test public void testAuthorizationRestHeadersAreFiltered() { - message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.NONE); + when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false); + message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter()); assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4"))); } @Test public void testCustomRestHeadersAreFiltered() { - message.addRestHeaders(TEST_REST_HEADERS, true, WildcardMatcher.from("test-header")); + when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(true); + message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter()); assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of()); } @@ -93,7 +100,8 @@ public void testRestHeadersNull() { @Test public void testRestHeadersAreNotFiltered() { - message.addRestHeaders(TEST_REST_HEADERS, false, WildcardMatcher.ANY); + when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false); + message.addRestHeaders(TEST_REST_HEADERS, false, null); assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS); } From d0f14e0cd2812ed18f8bf6378bedda5819dd4bbf Mon Sep 17 00:00:00 2001 
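Review bot: In `testRestHeadersAreNotFiltered` (hunk `@@ -93,7 +100,8 @@`) the stub `when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);` is dead, because the call on the next line passes `null` as the filter and the new `filter != null` guard never consults it; either drop the stub or pass `auditConfig.getFilter()` so the test covers the "filter present, no match" path. With the filter now a Mockito mock, these tests only show that `addRestHeaders` honours the mock's yes/no answer, whereas the replaced versions exercised real `WildcardMatcher` patterns; a case that builds a `Filter` from `Settings` with `ignore_headers` set would keep the end-to-end matching covered (AuditConfigFilterTest may already do this, but it is not visible here). The same dead stub is carried through the rename in PATCH 12's AuditMessageTest hunk.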
From: Stephen Crawford <steecraw@amazon.com> Date: Thu, 21 Dec 2023 16:31:56 -0500 Subject: [PATCH 07/14] spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- .../security/OpenSearchSecurityPlugin.java | 18 +++++++++--------- .../security/auditlog/config/AuditConfig.java | 3 +-- .../auditlog/config/AuditConfigFilterTest.java | 4 ++-- .../config/AuditConfigSerializeTest.java | 11 +++++------ .../auditlog/impl/AuditMessageTest.java | 2 -- 5 files changed, 17 insertions(+), 21 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index e49845f64a..96553b538b 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1362,12 +1362,12 @@ public List<Setting<?>> getSettings() { ) ); settings.add( - Setting.listSetting( - ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, - Collections.emptyList(), - Function.identity(), - Property.NodeScope - ) + Setting.listSetting( + ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, + Collections.emptyList(), + Function.identity(), + Property.NodeScope + ) );// not filtered here settings.add( Setting.boolSetting( @@ -1401,8 +1401,8 @@ public List<Setting<?>> getSettings() { Property.NodeScope ); case IGNORE_REQUESTS: - case IGNORE_HEADERS: - return Setting.listSetting( + case IGNORE_HEADERS: + return Setting.listSetting( filterEntry.getKeyWithNamespace(), Collections.emptyList(), Function.identity(), @@ -1415,7 +1415,7 @@ public List<Setting<?>> getSettings() { Function.identity(), Property.NodeScope ); - // All boolean settings with default of true + // All boolean settings with default of true case ENABLE_REST: case ENABLE_TRANSPORT: case EXCLUDE_SENSITIVE_HEADERS: 
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index 0593911e13..0ba94ab41e 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -256,7 +256,7 @@ public static Filter from(Map<String, Object> properties) throws JsonProcessingE getOrDefault(properties, FilterEntries.IGNORE_REQUESTS.getKey(), Collections.emptyList()) ); final Set<String> ignoreHeaders = ImmutableSet.copyOf( - getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()) + getOrDefault(properties, FilterEntries.IGNORE_HEADERS.getKey(), Collections.emptyList()) ); return new Filter( @@ -412,7 +412,6 @@ public boolean isAuditDisabled(String user) { return ignoredAuditUsersMatcher.test(user); } - @VisibleForTesting WildcardMatcher getIgnoredAuditRequestsMatcher() { return ignoredAuditRequestsMatcher; diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java index 3e9d2fe245..a28d940862 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java @@ -74,7 +74,7 @@ public void testConfig() { .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request") .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user") - .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header") + .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, "test-header") .putList( ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, BAD_HEADERS.toString(), 
@@ -124,7 +124,7 @@ public void testEmpty() { final Settings settings = Settings.builder() .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList()) - .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList()) + .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Collections.emptyList()) .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Collections.emptyList()) .build(); diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index 97970a4d9a..7ff300f085 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java @@ -72,7 +72,7 @@ public void testDefaultSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", Collections.singletonList("kibanaserver")) .field("ignore_requests", Collections.emptyList()) - .field("ignore_headers", Collections.emptyList()) + .field("ignore_headers", Collections.emptyList()) .endObject() .startObject("compliance") .field("enabled", true) @@ -118,7 +118,6 @@ public void testDefaultDeserialize() throws IOException { assertEquals(DEFAULT_IGNORED_USER, compliance.getIgnoredComplianceUsersForWriteMatcher()); } - @Test public void testDeserialize() throws IOException { // arrange 
@@ -136,7 +135,7 @@ public void testDeserialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", Collections.singletonList("test-user-1")) .field("ignore_requests", Collections.singletonList("test-request")) - .field("ignore_headers", Collections.singletonList("test-headers")) + .field("ignore_headers", Collections.singletonList("test-headers")) .endObject() .startObject("compliance") .field("enabled", true) @@ -200,7 +199,7 @@ public void testSerialize() throws IOException { true, ImmutableSet.of("ignore-user-1", "ignore-user-2"), ImmutableSet.of("ignore-request-1"), - ImmutableSet.of("test-header"), + ImmutableSet.of("test-header"), EnumSet.of(AuditCategory.FAILED_LOGIN, AuditCategory.GRANTED_PRIVILEGES), EnumSet.of(AUTHENTICATED) ); @@ -232,7 +231,7 @@ public void testSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", ImmutableList.of("ignore-user-1", "ignore-user-2")) .field("ignore_requests", Collections.singletonList("ignore-request-1")) - .field("ignore_headers", Collections.singletonList("test-header")) + .field("ignore_headers", Collections.singletonList("test-header")) .endObject() .startObject("compliance") .field("enabled", true) @@ -277,7 +276,7 @@ public void testNullSerialize() throws IOException { .field("exclude_sensitive_headers", true) .field("ignore_users", ImmutableList.of("kibanaserver")) .field("ignore_requests", Collections.emptyList()) - .field("ignore_headers", Collections.emptyList()) + .field("ignore_headers", Collections.emptyList()) .endObject() .startObject("compliance") .field("enabled", true) diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java index c912fad18c..3ab7e6ed51 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java 
@@ -13,7 +13,6 @@ import java.nio.ByteBuffer; import java.util.Collections; -import java.util.HashMap; import java.util.List; import java.util.Map; @@ -31,7 +30,6 @@ import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.securityconf.impl.CType; -import org.opensearch.security.support.WildcardMatcher; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; From cde5bd9b6502b554b2892c8508cc016def9ea3ce Mon Sep 17 00:00:00 2001 From: Stephen Crawford <steecraw@amazon.com> Date: Thu, 21 Dec 2023 16:39:11 -0500 Subject: [PATCH 08/14] remove prints Signed-off-by: Stephen Crawford <steecraw@amazon.com> --- .../security/auditlog/config/AuditConfigSerializeTest.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java index 7ff300f085..9d4ef4e62b 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java @@ -250,8 +250,6 @@ public void testSerialize() throws IOException { // act final String json = objectMapper.writeValueAsString(auditConfig); // assert - System.out.println("JSON BUILDER OUTPUT IS: " + jsonBuilder); - System.out.println("JSON OUTPUT IS: " + json); assertTrue(compareJson(jsonBuilder.toString(), json)); } @@ -380,7 +378,6 @@ private boolean compareJson(final String json1, final String json2) throws JsonP ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class); ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class); - System.out.println("Checking if " + objectNode1 + " is equal to " + objectNode2 + ". Equal? " + objectNode1.equals(objectNode2)); return objectNode1.equals(objectNode2); } } 
From c9ff35aaf2b2decaedc1cae991fc2b1ec3b66768 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Thu, 21 Dec 2023 18:26:34 -0500
Subject: [PATCH 09/14] fix tests

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../opensearch/security/dlic/rest/api/AuditApiActionTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
index b512ae2228..b3d916e8ed 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java
@@ -682,7 +682,7 @@ private String getTestPayload() {
 + "\"enable_rest\":true,\"disabled_rest_categories\":[\"AUTHENTICATED\"],"
 + "\"enable_transport\":true,\"disabled_transport_categories\":[\"SSL_EXCEPTION\"],"
 + "\"resolve_bulk_requests\":true,\"log_request_body\":true,\"resolve_indices\":true,\"exclude_sensitive_headers\":true,"
- + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"]},"
+ + "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"], \"ignore_headers\":[\"\"]},"
 + "\"compliance\":{"
 + "\"enabled\":true,"
 + "\"internal_config\":true,\"external_config\":true,"
From c5a7238383ee365b627ce311b9dd91730b438dac Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Tue, 2 Jan 2024 09:57:33 -0500
Subject: [PATCH 10/14] Update src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java

Co-authored-by: Craig Perkins <craig5008@gmail.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 .../org/opensearch/security/auditlog/impl/AuditMessage.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
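Review bot: The payload in `getTestPayload()` sets `\"ignore_headers\":[\"\"]`, a single empty-string pattern, which is not a realistic configuration and whose match behaviour depends on how WildcardMatcher treats an empty pattern (not visible here); `[]` or a named header such as `[\"test-header\"]`, as the other tests in this series use, would make the intent explicit. The added fragment also breaks the payload's spacing convention with `, \"ignore_headers\"` where every other key follows the comma directly — suggest `+ "\"ignore_users\":[\"test-user-1\"],\"ignore_requests\":[\"test-request\"],\"ignore_headers\":[\"test-header\"]},"`.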
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index c26e7802a3..b57becc359 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -363,7 +363,7 @@ public void addRestHeaders(Map<String, List<String>> headers, boolean excludeSen
 headersClone.keySet().removeIf(AUTHORIZATION_HEADER);
 }
 if (filter != null) {
- headersClone.entrySet().removeIf(entry -> filter.isHeaderDisabled(entry.getKey()));
+ headersClone.entrySet().removeIf(entry -> filter.shouldExcludeHeader(entry.getKey()));
 }
 auditInfo.put(REST_REQUEST_HEADERS, headersClone);
 }
From f9af98a69aa3a2048827f68c3f8a53066097ab72 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Tue, 2 Jan 2024 10:00:48 -0500
Subject: [PATCH 11/14] rename method

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 .../org/opensearch/security/auditlog/config/AuditConfig.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
index 0ba94ab41e..7b173099b5 100644
--- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
+++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java
@@ -428,7 +428,7 @@ WildcardMatcher getIgnoredCustomHeadersMatcher() {
 * @param header
 * @return true if header should be excluded
 */
- public boolean isHeaderDisabled(String header) {
+ public boolean shouldExcludeHeader(String header) {
 return ignoredCustomHeadersMatcher.test(header);
 }
From 00baf13aba1eafe1cd6e1506ea3dcfc465992066 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <steecraw@amazon.com>
Date: Tue, 2 Jan 2024 13:05:04 -0500
Subject: [PATCH 12/14] spotless and fix rename
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
---
 config/config.yml | 1 +
 .../org/opensearch/security/OpenSearchSecurityPlugin.java | 6 +++---
 .../opensearch/security/auditlog/impl/AuditMessageTest.java | 6 +++---
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/config/config.yml b/config/config.yml
index 1493a0d7f1..61da6ae989 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -84,6 +84,7 @@ config:
 ###### and here https://tools.ietf.org/html/rfc7239
 ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
 authc:
+ kerberos_auth_domain:
 http_enabled: false
 transport_enabled: false
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 96553b538b..b0263e06d4 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1352,7 +1352,7 @@ public List<Setting<?>> getSettings() {
 Function.identity(),
 Property.NodeScope
 )
- ); // not filtered here
+ );
 settings.add(
 Setting.listSetting(
 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS,
@@ -1360,7 +1360,7 @@ public List<Setting<?>> getSettings() {
 Function.identity(),
 Property.NodeScope
 )
- );
+ ); // not filtered here
 settings.add(
 Setting.listSetting(
 ConfigConstants.SECURITY_AUDIT_IGNORE_HEADERS,
@@ -1368,7 +1368,7 @@ public List<Setting<?>> getSettings() {
 Function.identity(),
 Property.NodeScope
 )
- );// not filtered here
+ );
 settings.add(
 Setting.boolSetting(
 ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS,
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
index 3ab7e6ed51..3b7fc916ef 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
@@ -76,14 +76,14 @@ public void setUp() {
 @Test
 public void testAuthorizationRestHeadersAreFiltered() {
- when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+ when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
 message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
 assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), ImmutableMap.of("test-header", ImmutableList.of("test-4")));
 }
 @Test
 public void testCustomRestHeadersAreFiltered() {
- when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(true);
+ when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(true);
 message.addRestHeaders(TEST_REST_HEADERS, true, auditConfig.getFilter());
 assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), Map.of());
 }
@@ -98,7 +98,7 @@ public void testRestHeadersNull() {
 @Test
 public void testRestHeadersAreNotFiltered() {
- when(auditConfig.getFilter().isHeaderDisabled("test-header")).thenReturn(false);
+ when(auditConfig.getFilter().shouldExcludeHeader("test-header")).thenReturn(false);
 message.addRestHeaders(TEST_REST_HEADERS, false, null);
 assertEquals(message.getAsMap().get(AuditMessage.REST_REQUEST_HEADERS), TEST_REST_HEADERS);
 }
From bb7b530b510ff649d9ca988ec61e71bde22f7d35 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 3 Jan 2024 13:03:01 -0500
Subject: [PATCH 13/14] Apply suggestions from code review

Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 .../org/opensearch/security/compliance/ComplianceConfig.java | 1 -
 .../security/auditlog/config/AuditConfigSerializeTest.java | 1 -
 2 files changed, 2 deletions(-)
diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index 4e24048bda..edc5248781 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -235,7 +235,6 @@ public static ComplianceConfig from(Map<String, Object> properties, @JacksonInje
 final Set<String> ignoredComplianceUsersForRead = ImmutableSet.copyOf(
 getOrDefault(properties, "read_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS)
 );
-
 final boolean logWriteMetadataOnly = getOrDefault(properties, "write_metadata_only", false);
 final boolean logDiffsForWrite = getOrDefault(properties, "write_log_diffs", false);
 final List<String> watchedWriteIndicesPatterns = getOrDefault(properties, "write_watched_indices", Collections.emptyList());
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 9d4ef4e62b..b0b93afc54 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -377,7 +377,6 @@ public void testCustomSettings() throws IOException {
 private boolean compareJson(final String json1, final String json2) throws JsonProcessingException {
 ObjectNode objectNode1 = objectMapper.readValue(json1, ObjectNode.class);
 ObjectNode objectNode2 = objectMapper.readValue(json2, ObjectNode.class);
-
 return objectNode1.equals(objectNode2);
 }
 }
From 6d630d1d6bd1bb9fb5fab9eb165d94f9e2f503e7 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 3 Jan 2024 13:47:57 -0500
Subject: [PATCH 14/14] Update config/config.yml
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
---
 config/config.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/config.yml b/config/config.yml
index 61da6ae989..1493a0d7f1 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -84,7 +84,6 @@ config:
 ###### and here https://tools.ietf.org/html/rfc7239
 ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
 authc:
- kerberos_auth_domain:
 http_enabled: false
 transport_enabled: false