cwperks · cwperks · Jul 14, 2023 · Jul 17, 2023 · Jul 18, 2023 · Jul 18, 2023
@@ -35,7 +35,7 @@ runs:
     - name: Build
       uses: gradle/gradle-build-action@v2
       with:
-        arguments: assemble -Dbuild.snapshot=false
+        arguments: assemble
         build-root-directory: ${{ inputs.plugin-branch }}
 
     - id: get-opensearch-version
@@ -46,5 +46,5 @@ runs:
     - name: Copy current distro into the expected folder
       run: |
         mkdir -p ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
-        cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
+        cp ${{ inputs.plugin-branch }}/build/distributions/opensearch-security-${{ steps.get-opensearch-version.outputs.version }}-SNAPSHOT.zip ./bwc-test/src/test/resources/${{ steps.get-opensearch-version.outputs.version }}
       shell: bash
@@ -84,8 +84,8 @@ String baseName = "securityBwcCluster"
 String bwcFilePath = "src/test/resources/"
 String projectVersion = nextVersion
 
-String previousOpenSearch  = extractVersion(previousVersion);
-String nextOpenSearch  = extractVersion(nextVersion);
+String previousOpenSearch  = extractVersion(previousVersion) + "-SNAPSHOT";
+String nextOpenSearch  = extractVersion(nextVersion) + "-SNAPSHOT";
 
 println previousOpenSearch + nextOpenSearch;
 

@@ -0,0 +1,32 @@
+## 2023-07-18 Version 2.9.0.0
+
+Compatible with OpenSearch 2.9.0
+
+### Enhancements
+
+* Use boucycastle PEM reader instead of reg expression ([#2877](https://github.com/opensearch-project/security/pull/2877))
+* Adding field level security test cases for FlatFields ([#2876](https://github.com/opensearch-project/security/pull/2876)) ([#2893](https://github.com/opensearch-project/security/pull/2893))
+* Add password message to /dashboardsinfo endpoint ([#2949](https://github.com/opensearch-project/security/pull/2949)) ([#2955](https://github.com/opensearch-project/security/pull/2955))
+* Add .plugins-ml-connector to system index ([#2947](https://github.com/opensearch-project/security/pull/2947)) ([#2954](https://github.com/opensearch-project/security/pull/2954))
+* Parallel test jobs for CI ([#2861](https://github.com/opensearch-project/security/pull/2861)) ([#2936](https://github.com/opensearch-project/security/pull/2936))
+* Adds a check to skip serialization-deserialization if request is for same node ([#2765](https://github.com/opensearch-project/security/pull/2765)) ([#2973](https://github.com/opensearch-project/security/pull/2973))
+* Add workflow cluster permissions to alerting roles and add .plugins-ml-config in the system index ([#2996](https://github.com/opensearch-project/security/pull/2996))
+
+### Maintenance
+
+* Match version of zstd-jni from core ([#2835](https://github.com/opensearch-project/security/pull/2835))
+* Add Andrey Pleskach (Willyborankin) to Maintainers ([#2843](https://github.com/opensearch-project/security/pull/2843))
+* Updates bwc versions to latest release ([#2849](https://github.com/opensearch-project/security/pull/2849))
+* Add search model group permission to ml_read_access role ([#2855](https://github.com/opensearch-project/security/pull/2855)) ([#2858](https://github.com/opensearch-project/security/pull/2858))
+* Format 2.x ([#2878](https://github.com/opensearch-project/security/pull/2878))
+* Update snappy to 1.1.10.1 and guava to 32.0.1-jre ([#2886](https://github.com/opensearch-project/security/pull/2886)) ([#2889](https://github.com/opensearch-project/security/pull/2889))
+* Resolve ImmutableOpenMap issue from core refactor ([#2908](https://github.com/opensearch-project/security/pull/2908))
+* Misc changes ([#2902](https://github.com/opensearch-project/security/pull/2902)) ([#2904](https://github.com/opensearch-project/security/pull/2904))
+* Bump BouncyCastle from jdk15on to jdk15to18 ([#2901](https://github.com/opensearch-project/security/pull/2901)) ([#2917](https://github.com/opensearch-project/security/pull/2917))
+* Fix the import org.opensearch.core.common.Strings; and import org.opensearch.core.common.logging.LoggerMessageFormat; ([#2953](https://github.com/opensearch-project/security/pull/2953))
+* Remove commons-collections 3.2.2 ([#2924](https://github.com/opensearch-project/security/pull/2924)) ([#2957](https://github.com/opensearch-project/security/pull/2957))
+* Resolve CVE-2023-2976 by forcing use of Guava 32.0.1 ([#2937](https://github.com/opensearch-project/security/pull/2937)) ([#2974](https://github.com/opensearch-project/security/pull/2974))
+* Bump jaxb to 2.3.8 ([#2977](https://github.com/opensearch-project/security/pull/2977)) ([#2979](https://github.com/opensearch-project/security/pull/2979))
+* Update Gradle to 8.2.1 ([#2978](https://github.com/opensearch-project/security/pull/2978)) ([#2981](https://github.com/opensearch-project/security/pull/2981))
+* Changed maven repo location for compatibility check ([#2988](https://github.com/opensearch-project/security/pull/2988))
+* Bump guava to 32.1.1-jre ([#2976](https://github.com/opensearch-project/security/pull/2976)) ([#2990](https://github.com/opensearch-project/security/pull/2990))
@@ -20,7 +20,7 @@ function usage() {
     echo -e "-v OPENSEARCH_VERSION\t, no defaults"
     echo -e "-n SNAPSHOT\t, defaults to false"
     echo -e "-m CLUSTER_NAME\t, defaults to docker-cluster"
-    echo -e "-u COMMON_UTILS_VERSION\t, defaults to 2.2.0.0"
+    echo -e "-u COMMON_UTILS_VERSION\t, defaults to 3.0.0.0-SNAPSHOT"
     echo "--------------------------------------------------------------------------"
 }
 
@@ -101,7 +101,7 @@ then
 fi
 if [ -z "$COMMON_UTILS_VERSION" ]
 then
-  COMMON_UTILS_VERSION="2.2.0.0"
+  COMMON_UTILS_VERSION="3.0.0.0-SNAPSHOT"
 fi
 
 USERNAME=`echo $CREDENTIAL | awk -F ':' '{print $1}'`

@@ -100,12 +100,16 @@
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
 import org.opensearch.core.index.Index;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.cache.query.QueryCache;
 import org.opensearch.indices.IndicesService;
 import org.opensearch.indices.SystemIndexDescriptor;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.ClusterPlugin;
+import org.opensearch.plugins.ExtensionAwarePlugin;
+import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
@@ -145,6 +149,8 @@
 import org.opensearch.security.http.SecurityHttpServerTransport;
 import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
+import org.opensearch.security.identity.SecuritySubject;
+import org.opensearch.security.identity.SecurityTokenManager;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesInterceptor;
 import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
@@ -193,7 +199,12 @@
 import org.opensearch.watcher.ResourceWatcherService;
 // CS-ENFORCE-SINGLE
 
-public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin {
+public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
+    implements
+        ClusterPlugin,
+        MapperPlugin,
+        ExtensionAwarePlugin,
+        IdentityPlugin {
 
     private static final String KEYWORD = ".keyword";
     private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace");
@@ -212,6 +223,8 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile ConfigurationRepository cr;
     private volatile AdminDNs adminDns;
     private volatile ClusterService cs;
+    private volatile SecuritySubject subject = new SecuritySubject();
+    private volatile SecurityTokenManager tokenManager;
     private static volatile DiscoveryNode localNode;
     private volatile AuditLog auditLog;
     private volatile BackendRegistry backendRegistry;
@@ -226,6 +239,13 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile Salt salt;
     private volatile OpensearchDynamicSetting<Boolean> transportPassiveAuthSetting;
 
+    public static Setting RESERVED_INDICES_SETTING = Setting.listSetting(
+        "reserved_indices",
+        List.of(),
+        Function.identity(),
+        Property.ExtensionScope
+    );
+
     public static boolean isActionTraceEnabled() {
         return actionTrace.isTraceEnabled();
     }
@@ -990,6 +1010,9 @@ public Collection<Object> createComponents(
 
         cr = ConfigurationRepository.create(settings, this.configPath, threadPool, localClient, clusterService, auditLog);
 
+        subject.setThreadContext(threadPool.getThreadContext());
+        tokenManager = new SecurityTokenManager(cs);
+
         userService = new UserService(cs, cr, settings, localClient);
 
         final XFFResolver xffResolver = new XFFResolver(threadPool);
@@ -1107,6 +1130,13 @@ public Settings additionalSettings() {
         return builder.build();
     }
 
+    @Override
+    public List<Setting<?>> getExtensionSettings() {
+        List<Setting<?>> settings = new ArrayList<Setting<?>>();
+        settings.add(RESERVED_INDICES_SETTING);
+        return settings;
+    }
+
     @Override
     public List<Setting<?>> getSettings() {
         List<Setting<?>> settings = new ArrayList<Setting<?>>();
@@ -1894,6 +1924,16 @@ public static void setLocalNode(DiscoveryNode node) {
         localNode = node;
     }
 
+    @Override
+    public Subject getSubject() {
+        return subject;
+    }
+
+    @Override
+    public TokenManager getTokenManager() {
+        return tokenManager;
+    }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;

@@ -0,0 +1,66 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.authtoken.jwt;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Base64;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+public class EncryptionDecryptionUtil {
+
+    public static String encrypt(final String secret, final String data) {
+        final Cipher cipher = createCipherFromSecret(secret, CipherMode.ENCRYPT);
+        final byte[] cipherText = createCipherText(cipher, data.getBytes(StandardCharsets.UTF_8));
+        return Base64.getEncoder().encodeToString(cipherText);
+    }
+
+    public static String decrypt(final String secret, final String encryptedString) {
+        final Cipher cipher = createCipherFromSecret(secret, CipherMode.DECRYPT);
+        final byte[] cipherText = createCipherText(cipher, Base64.getDecoder().decode(encryptedString));
+        return new String(cipherText, StandardCharsets.UTF_8);
+    }
+
+    private static Cipher createCipherFromSecret(final String secret, final CipherMode mode) {
+        try {
+            final byte[] decodedKey = Base64.getDecoder().decode(secret);
+            final Cipher cipher = Cipher.getInstance("AES");
+            final SecretKey originalKey = new SecretKeySpec(Arrays.copyOf(decodedKey, 16), "AES");
+            cipher.init(mode.opmode, originalKey);
+            return cipher;
+        } catch (final Exception e) {
+            throw new RuntimeException("Error creating cipher from secret in mode " + mode.name());
+        }
+    }
+
+    private static byte[] createCipherText(final Cipher cipher, final byte[] data) {
+        try {
+            return cipher.doFinal(data);
+        } catch (final Exception e) {
+            throw new RuntimeException("The cipher was unable to perform pass over data");
+        }
+    }
+
+    private enum CipherMode {
+        ENCRYPT(Cipher.ENCRYPT_MODE),
+        DECRYPT(Cipher.DECRYPT_MODE);
+
+        private final int opmode;
+
+        private CipherMode(final int opmode) {
+            this.opmode = opmode;
+        }
+    }
+}