From 83bb1e762dd0711b6e20849777fbab33360d0e56 Mon Sep 17 00:00:00 2001 From: skkosuri-amzn Date: Sun, 25 Oct 2020 10:21:16 -0700 Subject: [PATCH 1/6] wip for aes only --- .../transport/TransportIndexMonitorAction.kt | 14 ++++++++++++++ build.gradle | 1 + core/build.gradle | 4 +++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt index 0e4c2795..1f0a569f 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt @@ -93,6 +93,8 @@ class TransportIndexMonitorAction @Inject constructor( @Volatile private var maxActionThrottle = MAX_ACTION_THROTTLE_VALUE.get(settings) @Volatile private var allowList = ALLOW_LIST.get(settings) + var user: User? = null + init { clusterService.clusterSettings.addSettingsUpdateConsumer(ALERTING_MAX_MONITORS) { maxMonitors = it } clusterService.clusterSettings.addSettingsUpdateConsumer(REQUEST_TIMEOUT) { requestTimeout = it } @@ -102,6 +104,12 @@ class TransportIndexMonitorAction @Inject constructor( } override fun doExecute(task: Task, request: IndexMonitorRequest, actionListener: ActionListener) { + + val usrStr = client.threadPool().threadContext.getTransient("_opendistro_security_user_roles_string") + + log.warn("SRIRAM alerting transport: $usrStr") + user = User.parse(usrStr) + if (!isADMonitor(request.monitor)) { checkIndicesAndExecute(client, actionListener, request) } else { 
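Review bot: The `var user: User? = null` property added in the first hunk keeps per-request identity on the transport action itself, and `doExecute` in the second hunk overwrites it with `user = User.parse(usrStr)` on every call. If the action is one injected instance serving concurrent requests (likely given `@Inject constructor`, though not shown here), one caller's roles can be replaced by another's before they are used. Keep the value local, `val user: User? = User.parse(usrStr)`, and pass it down as a parameter instead. The second patch repeats the field in TransportGetAlertsAction, TransportGetDestinationsAction, TransportIndexDestinationAction and TransportSearchMonitorAction, and the `resolve` functions there read it back from the field when deciding whether to apply the backend-role filter. Both hunks cut into the class body, which continues outside them.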
@@ -196,6 +204,12 @@ class TransportIndexMonitorAction @Inject constructor( actionListener.onFailure(AlertingException.wrap(ex)) } }) + /*if(user != null) { + request.monitor = request.monitor + .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) + + } + start()*/ } } diff --git a/build.gradle b/build.gradle index 9b2f645b..8142cc0b 100644 --- a/build.gradle +++ b/build.gradle @@ -22,6 +22,7 @@ buildscript { } repositories { + mavenLocal() mavenCentral() maven { url "https://plugins.gradle.org/m2/" } jcenter() diff --git a/core/build.gradle b/core/build.gradle index bea25432..afd3ba44 100644 --- a/core/build.gradle +++ b/core/build.gradle @@ -25,9 +25,11 @@ dependencies { compile "com.cronutils:cron-utils:7.0.5" compile "org.elasticsearch.client:elasticsearch-rest-client:${es_version}" compile 'com.google.googlejavaformat:google-java-format:1.3' - compile "com.amazon.opendistroforelasticsearch:common-utils:${opendistroVersion}.0" + // compile "com.amazon.opendistroforelasticsearch:common-utils:${opendistroVersion}.1" testImplementation "org.elasticsearch.test:framework:${es_version}" testImplementation "org.jetbrains.kotlin:kotlin-test:${kotlin_version}" testImplementation "org.jetbrains.kotlin:kotlin-test-junit:${kotlin_version}" + + compile files('/Users/skkosuri/aws-workspace/PluginSecurity/common-utils/build/libs/common-utils-1.11.0.1.jar') } From 4859b587210aecb28c97bdc157fac1832ca8efb5 Mon Sep 17 00:00:00 2001 From: skkosuri-amzn Date: Mon, 26 Oct 2020 22:47:54 -0700 Subject: [PATCH 2/6] wip for aes only --- .../alerting/AlertingPlugin.kt | 24 ++-- .../resthandler/RestSearchMonitorAction.kt | 4 +- .../transport/TransportGetAlertsAction.kt | 41 +++--- .../TransportGetDestinationsAction.kt | 48 +++---- .../TransportIndexDestinationAction.kt | 41 +++--- .../transport/TransportIndexMonitorAction.kt | 117 +++++++----------- .../transport/TransportSearchMonitorAction.kt | 45 ++----- 7 files changed, 109 insertions(+), 211 deletions(-) 
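Review bot: Adding `mavenLocal()` ahead of `mavenCentral()` in the `buildscript` repositories makes the build consult the developer's local Maven repository first, so whatever happens to be installed there takes precedence over the published artifact and the build stops being reproducible. The core/build.gradle hunk has the same problem in a stronger form: `compile files('/Users/skkosuri/aws-workspace/PluginSecurity/common-utils/build/libs/common-utils-1.11.0.1.jar')` replaces the versioned `common-utils` coordinate with a jar from one workstation, which nobody else can build against or verify. Before merge, drop `mavenLocal()` and restore the coordinate that is commented out, `compile "com.amazon.opendistroforelasticsearch:common-utils:${opendistroVersion}.1"`, once that version is published.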
diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingPlugin.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingPlugin.kt
index 916afd43..bbca72e6 100644
--- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingPlugin.kt
+++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingPlugin.kt
@@ -18,14 +18,14 @@ import com.amazon.opendistroforelasticsearch.alerting.action.AcknowledgeAlertAct
 import com.amazon.opendistroforelasticsearch.alerting.action.DeleteDestinationAction
 import com.amazon.opendistroforelasticsearch.alerting.action.DeleteEmailAccountAction
 import com.amazon.opendistroforelasticsearch.alerting.action.DeleteEmailGroupAction
-import com.amazon.opendistroforelasticsearch.alerting.action.IndexDestinationAction
 import com.amazon.opendistroforelasticsearch.alerting.action.DeleteMonitorAction
 import com.amazon.opendistroforelasticsearch.alerting.action.ExecuteMonitorAction
-import com.amazon.opendistroforelasticsearch.alerting.action.GetEmailAccountAction
-import com.amazon.opendistroforelasticsearch.alerting.action.GetEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.action.GetAlertsAction
 import com.amazon.opendistroforelasticsearch.alerting.action.GetDestinationsAction
+import com.amazon.opendistroforelasticsearch.alerting.action.GetEmailAccountAction
+import com.amazon.opendistroforelasticsearch.alerting.action.GetEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.action.GetMonitorAction
+import com.amazon.opendistroforelasticsearch.alerting.action.IndexDestinationAction
 import com.amazon.opendistroforelasticsearch.alerting.action.IndexEmailAccountAction
 import com.amazon.opendistroforelasticsearch.alerting.action.IndexEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.action.IndexMonitorAction
@@ -49,10 +49,10 @@ import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestDeleteEmai
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestDeleteEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestDeleteMonitorAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestExecuteMonitorAction
-import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetEmailAccountAction
-import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetAlertsAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetDestinationsAction
+import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetEmailAccountAction
+import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetEmailGroupAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestGetMonitorAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestIndexDestinationAction
 import com.amazon.opendistroforelasticsearch.alerting.resthandler.RestIndexEmailAccountAction
@@ -68,25 +68,23 @@ import com.amazon.opendistroforelasticsearch.alerting.transport.TransportAcknowl import com.amazon.opendistroforelasticsearch.alerting.transport.TransportDeleteDestinationAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportDeleteEmailAccountAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportDeleteEmailGroupAction -import com.amazon.opendistroforelasticsearch.alerting.transport.TransportIndexDestinationAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportDeleteMonitorAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportExecuteMonitorAction +import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetAlertsAction +import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetDestinationsAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetEmailAccountAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetEmailGroupAction -import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetAlertsAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetMonitorAction +import com.amazon.opendistroforelasticsearch.alerting.transport.TransportIndexDestinationAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportIndexEmailAccountAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportIndexEmailGroupAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportIndexMonitorAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportSearchEmailAccountAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportSearchEmailGroupAction import com.amazon.opendistroforelasticsearch.alerting.transport.TransportSearchMonitorAction -import com.amazon.opendistroforelasticsearch.commons.rest.SecureRestClientBuilder -import 
com.amazon.opendistroforelasticsearch.alerting.transport.TransportGetDestinationsAction import org.elasticsearch.action.ActionRequest import org.elasticsearch.action.ActionResponse import org.elasticsearch.client.Client -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver import org.elasticsearch.cluster.node.DiscoveryNodes import org.elasticsearch.cluster.service.ClusterService @@ -145,7 +143,6 @@ internal class AlertingPlugin : PainlessExtension, ActionPlugin, ScriptPlugin, R lateinit var threadPool: ThreadPool lateinit var alertIndices: AlertIndices lateinit var clusterService: ClusterService - lateinit var restClient: RestClient override fun getRestHandlers( settings: Settings, @@ -159,7 +156,7 @@ internal class AlertingPlugin : PainlessExtension, ActionPlugin, ScriptPlugin, R return listOf(RestGetMonitorAction(), RestDeleteMonitorAction(), RestIndexMonitorAction(), - RestSearchMonitorAction(settings, clusterService, restClient), + RestSearchMonitorAction(settings, clusterService), RestExecuteMonitorAction(), RestAcknowledgeAlertAction(), RestScheduledJobStatsHandler("_alerting"), @@ -228,8 +225,7 @@ internal class AlertingPlugin : PainlessExtension, ActionPlugin, ScriptPlugin, R sweeper = JobSweeper(environment.settings(), client, clusterService, threadPool, xContentRegistry, scheduler, ALERTING_JOB_TYPES) this.threadPool = threadPool this.clusterService = clusterService - this.restClient = SecureRestClientBuilder(settings, environment.configFile()).build() - return listOf(sweeper, scheduler, runner, scheduledJobIndices, restClient) + return listOf(sweeper, scheduler, runner, scheduledJobIndices) } override fun getSettings(): List> { diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt index 1d29876c..3fdd8d6d 100644 
--- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt @@ -25,7 +25,6 @@ import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.action.search.SearchRequest import org.elasticsearch.action.search.SearchResponse -import org.elasticsearch.client.RestClient import org.elasticsearch.client.node.NodeClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.bytes.BytesReference @@ -57,8 +56,7 @@ private val log = LogManager.getLogger(RestSearchMonitorAction::class.java) */ class RestSearchMonitorAction( val settings: Settings, - clusterService: ClusterService, - private val restClient: RestClient + clusterService: ClusterService ) : BaseRestHandler() { @Volatile private var filterBy = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt index 92f5accd..87719f46 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt 
@@ -23,6 +23,7 @@ import com.amazon.opendistroforelasticsearch.alerting.elasticapi.addFilter import com.amazon.opendistroforelasticsearch.alerting.model.Alert import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException +import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder import com.amazon.opendistroforelasticsearch.commons.authuser.User import org.apache.logging.log4j.LogManager @@ -32,9 +33,6 @@ import org.elasticsearch.action.search.SearchResponse import org.elasticsearch.action.support.ActionFilters import org.elasticsearch.action.support.HandledTransportAction import org.elasticsearch.client.Client -import org.elasticsearch.client.Response -import org.elasticsearch.client.ResponseListener -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.inject.Inject import org.elasticsearch.common.settings.Settings @@ -58,7 +56,6 @@ private val log = LogManager.getLogger(TransportGetAlertsAction::class.java) class TransportGetAlertsAction @Inject constructor( transportService: TransportService, val client: Client, - val restClient: RestClient, clusterService: ClusterService, actionFilters: ActionFilters, val settings: Settings, @@ -68,6 +65,7 @@ class TransportGetAlertsAction @Inject constructor( ) { @Volatile private var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) + private var user: User? = null init { clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES) { filterByEnabled = it } 
@@ -78,6 +76,10 @@ class TransportGetAlertsAction @Inject constructor( getAlertsRequest: GetAlertsRequest, actionListener: ActionListener ) { + val userStr = client.threadPool().threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER_AND_ROLES) + log.debug("User and roles string from thread context: $userStr") + user = User.parse(userStr) + val tableProp = getAlertsRequest.table val sortBuilder = SortBuilders .fieldSort(tableProp.sortString) @@ -125,7 +127,7 @@ class TransportGetAlertsAction @Inject constructor( actionListener: ActionListener ) { // auth header is null when: 1/ security is disabled. 2/when user is super-admin. - if (getAlertsRequest.authHeader.isNullOrEmpty()) { + if (user == null) { // auth header is null when: 1/ security is disabled. 2/when user is super-admin. search(searchSourceBuilder, actionListener) } else if (!filterByEnabled) { 
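Review bot: In the `resolve` hunk the condition now tests the parsed `user`, but the two comments around it still say "auth header is null", so the documented reason no longer matches the check. `user == null` is also what this code would see if the thread-context transient were simply absent (assuming `User.parse` returns null for a missing string, which is not visible here), and that branch calls `search` with no backend-role filter. Replace both comments with one, for example `// user is null when security is disabled or the caller is super-admin; a missing transient also lands here and is served unfiltered`, and confirm that outcome is intended. The same branch appears in `resolve` of TransportGetDestinationsAction and TransportSearchMonitorAction and in the `resolveUserAndStart` handlers. The body of `resolve` continues past this hunk.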
@@ -136,29 +138,14 @@ class TransportGetAlertsAction @Inject constructor( val authRequest = AuthUserRequestBuilder( getAlertsRequest.authHeader ).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - addFilter(user, searchSourceBuilder, "monitor_user.backend_roles") - log.info("Filtering result by: ${user.backendRoles}") - search(searchSourceBuilder, actionListener) - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - } - override fun onFailure(ex: Exception) { - when (ex.message?.contains("Connection refused")) { - // Connection is refused when security plugin is not present. This case can happen only with integration tests. - true -> { - addFilter(User(), searchSourceBuilder, "monitor_user.backend_roles") - search(searchSourceBuilder, actionListener) - } - false -> actionListener.onFailure(AlertingException.wrap(ex)) - } - } - }) + try { + addFilter(user as User, searchSourceBuilder, "monitor_user.backend_roles") + log.info("Filtering result by: ${user?.backendRoles}") + search(searchSourceBuilder, actionListener) + } catch (ex: IOException) { + actionListener.onFailure(AlertingException.wrap(ex)) + } } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt index 82a370ca..fa77009a 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt 
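Review bot: `val authRequest = AuthUserRequestBuilder(getAlertsRequest.authHeader).build()` survives as context above the new `try`, but nothing uses it once the `restClient` call is gone, so the request's `authHeader` is still read and wrapped for no purpose; remove the line and the `AuthUserRequestBuilder` import. Inside the `try`, `user as User` and `user?.backendRoles` treat the same nullable field in two different ways; passing the user into `resolve` as a parameter, as `IndexDestinationHandler` does with its constructor argument, lets both become plain `user`. The `catch (ex: IOException)` looks like a leftover from parsing the REST response and may no longer be reachable. TransportGetDestinationsAction has the same cast and catch. The enclosing `resolve` starts outside this hunk.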
@@ -23,7 +23,7 @@ import com.amazon.opendistroforelasticsearch.alerting.elasticapi.addFilter import com.amazon.opendistroforelasticsearch.alerting.model.destination.Destination import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException -import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder +import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User import org.apache.logging.log4j.LogManager import org.elasticsearch.action.ActionListener @@ -32,9 +32,6 @@ import org.elasticsearch.action.search.SearchResponse import org.elasticsearch.action.support.ActionFilters import org.elasticsearch.action.support.HandledTransportAction import org.elasticsearch.client.Client -import org.elasticsearch.client.Response -import org.elasticsearch.client.ResponseListener -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.Strings import org.elasticsearch.common.inject.Inject @@ -61,7 +58,6 @@ private val log = LogManager.getLogger(TransportGetDestinationsAction::class.jav class TransportGetDestinationsAction @Inject constructor( transportService: TransportService, val client: Client, - val restClient: RestClient, clusterService: ClusterService, actionFilters: ActionFilters, val settings: Settings, @@ -71,6 +67,7 @@ class TransportGetDestinationsAction @Inject constructor( ) { @Volatile private var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) + private var user: User? = null init { clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES) { filterByEnabled = it } 
@@ -81,6 +78,9 @@ class TransportGetDestinationsAction @Inject constructor( getDestinationsRequest: GetDestinationsRequest, actionListener: ActionListener ) { + val userStr = client.threadPool().threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER_AND_ROLES) + log.debug("User and roles string from thread context: $userStr") + user = User.parse(userStr) val tableProp = getDestinationsRequest.table @@ -118,16 +118,15 @@ class TransportGetDestinationsAction @Inject constructor( searchSourceBuilder.query(queryBuilder) client.threadPool().threadContext.stashContext().use { - resolve(getDestinationsRequest, searchSourceBuilder, actionListener) + resolve(searchSourceBuilder, actionListener) } } fun resolve( - getDestinationsRequest: GetDestinationsRequest, searchSourceBuilder: SearchSourceBuilder, actionListener: ActionListener ) { - if (getDestinationsRequest.authHeader.isNullOrEmpty()) { + if (user == null) { // auth header is null when: 1/ security is disabled. 2/when user is super-admin. search(searchSourceBuilder, actionListener) } else if (!filterByEnabled) { 
@@ -135,32 +134,13 @@ class TransportGetDestinationsAction @Inject constructor( search(searchSourceBuilder, actionListener) } else { // security is enabled and filterby is enabled. - val authRequest = AuthUserRequestBuilder( - getDestinationsRequest.authHeader - ).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - addFilter(user, searchSourceBuilder, "destination.user.backend_roles") - log.info("Filtering result by: ${user.backendRoles}") - search(searchSourceBuilder, actionListener) - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - } - - override fun onFailure(ex: Exception) { - when (ex.message?.contains("Connection refused")) { - // Connection is refused when security plugin is not present. This case can happen only with integration tests. - true -> { - addFilter(User(), searchSourceBuilder, "destination.user.backend_roles") - search(searchSourceBuilder, actionListener) - } - false -> actionListener.onFailure(AlertingException.wrap(ex)) - } - } - }) + try { + addFilter(user as User, searchSourceBuilder, "destination.user.backend_roles") + log.info("Filtering result by: ${user?.backendRoles}") + search(searchSourceBuilder, actionListener) + } catch (ex: IOException) { + actionListener.onFailure(AlertingException.wrap(ex)) + } } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt index e85d5df6..461ac79a 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt 
@@ -9,8 +9,8 @@ import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.settings.DestinationSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException import com.amazon.opendistroforelasticsearch.alerting.util.IndexUtils +import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User -import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder import org.apache.logging.log4j.LogManager import org.elasticsearch.ElasticsearchStatusException import org.elasticsearch.action.ActionListener @@ -23,9 +23,6 @@ import org.elasticsearch.action.support.ActionFilters import org.elasticsearch.action.support.HandledTransportAction import org.elasticsearch.action.support.master.AcknowledgedResponse import org.elasticsearch.client.Client -import org.elasticsearch.client.Response -import org.elasticsearch.client.ResponseListener -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.inject.Inject import org.elasticsearch.common.settings.Settings @@ -42,7 +39,6 @@ private val log = LogManager.getLogger(TransportIndexDestinationAction::class.ja class TransportIndexDestinationAction @Inject constructor( transportService: TransportService, val client: Client, - val restClient: RestClient, actionFilters: ActionFilters, val scheduledJobIndices: ScheduledJobIndices, val clusterService: ClusterService, @@ -53,6 +49,7 @@ class TransportIndexDestinationAction @Inject constructor( @Volatile private var indexTimeout = AlertingSettings.INDEX_TIMEOUT.get(settings) @Volatile private var allowList = DestinationSettings.ALLOW_LIST.get(settings) + private var user: User? = null init { clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.INDEX_TIMEOUT) { indexTimeout = it } 
@@ -60,40 +57,36 @@ class TransportIndexDestinationAction @Inject constructor( } override fun doExecute(task: Task, request: IndexDestinationRequest, actionListener: ActionListener) { + val userStr = client.threadPool().threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER_AND_ROLES) + log.debug("User and roles string from thread context: $userStr") + user = User.parse(userStr) + client.threadPool().threadContext.stashContext().use { - IndexDestinationHandler(client, actionListener, request).resolveUserAndStart() + IndexDestinationHandler(client, actionListener, request, user).resolveUserAndStart() } } inner class IndexDestinationHandler( private val client: Client, private val actionListener: ActionListener, - private val request: IndexDestinationRequest + private val request: IndexDestinationRequest, + private val user: User? ) { fun resolveUserAndStart() { - if (request.authHeader.isNullOrEmpty()) { + if (user == null) { // Security is disabled, add empty user to destination. user is null for older versions. request.destination = request.destination .copy(user = User("", listOf(), listOf(), listOf())) start() } else { - val authRequest = AuthUserRequestBuilder(request.authHeader).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - request.destination = request.destination - .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) - start() - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - } - override fun onFailure(ex: Exception) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - }) + try { + request.destination = request.destination + .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) + start() + } catch (ex: IOException) { + actionListener.onFailure(AlertingException.wrap(ex)) + } } } 
diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt index 1f0a569f..708c48c2 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt @@ -33,8 +33,8 @@ import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException import com.amazon.opendistroforelasticsearch.alerting.util.IndexUtils import com.amazon.opendistroforelasticsearch.alerting.util.addUserBackendRolesFilter import com.amazon.opendistroforelasticsearch.alerting.util.isADMonitor +import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User -import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder import org.apache.logging.log4j.LogManager import org.elasticsearch.ElasticsearchSecurityException import org.elasticsearch.ElasticsearchStatusException @@ -50,9 +50,6 @@ import org.elasticsearch.action.support.ActionFilters import org.elasticsearch.action.support.HandledTransportAction import org.elasticsearch.action.support.master.AcknowledgedResponse import org.elasticsearch.client.Client -import org.elasticsearch.client.Response -import org.elasticsearch.client.ResponseListener -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.inject.Inject import org.elasticsearch.common.settings.Settings 
@@ -77,7 +74,6 @@ private val log = LogManager.getLogger(TransportIndexMonitorAction::class.java) class TransportIndexMonitorAction @Inject constructor( transportService: TransportService, val client: Client, - val restClient: RestClient, actionFilters: ActionFilters, val scheduledJobIndices: ScheduledJobIndices, val clusterService: ClusterService, @@ -92,7 +88,6 @@ class TransportIndexMonitorAction @Inject constructor( @Volatile private var indexTimeout = INDEX_TIMEOUT.get(settings) @Volatile private var maxActionThrottle = MAX_ACTION_THROTTLE_VALUE.get(settings) @Volatile private var allowList = ALLOW_LIST.get(settings) - var user: User? = null init { @@ -105,16 +100,15 @@ class TransportIndexMonitorAction @Inject constructor( override fun doExecute(task: Task, request: IndexMonitorRequest, actionListener: ActionListener) { - val usrStr = client.threadPool().threadContext.getTransient("_opendistro_security_user_roles_string") - - log.warn("SRIRAM alerting transport: $usrStr") - user = User.parse(usrStr) + val userStr = client.threadPool().threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER_AND_ROLES) + log.debug("User and roles string from thread context: $userStr") + user = User.parse(userStr) if (!isADMonitor(request.monitor)) { - checkIndicesAndExecute(client, actionListener, request) + checkIndicesAndExecute(client, actionListener, request, user) } else { // check if user has access to any anomaly detector for AD monitor - checkAnomalyDetectorAndExecute(client, actionListener, request) + checkAnomalyDetectorAndExecute(client, actionListener, request, user) } } @@ -125,7 +119,8 @@ class TransportIndexMonitorAction @Inject constructor( fun checkIndicesAndExecute( client: Client, actionListener: ActionListener, - request: IndexMonitorRequest + request: IndexMonitorRequest, + user: User? ) { val indices = mutableListOf() val searchInputs = request.monitor.inputs.filter { it.name() == SearchInput.SEARCH_FIELD } 
@@ -139,7 +134,7 @@ class TransportIndexMonitorAction @Inject constructor( override fun onResponse(searchResponse: SearchResponse) { // User has read access to configured indices in the monitor, now create monitor with out user context. client.threadPool().threadContext.stashContext().use { - IndexMonitorHandler(client, actionListener, request).resolveUserAndStart() + IndexMonitorHandler(client, actionListener, request, user).resolveUserAndStart() } } 
@@ -167,94 +162,66 @@ class TransportIndexMonitorAction @Inject constructor( fun checkAnomalyDetectorAndExecute( client: Client, actionListener: ActionListener, - request: IndexMonitorRequest + request: IndexMonitorRequest, + user: User? ) { client.threadPool().threadContext.stashContext().use { - IndexMonitorHandler(client, actionListener, request).resolveUserAndStartForAD() + IndexMonitorHandler(client, actionListener, request, user).resolveUserAndStartForAD() } } inner class IndexMonitorHandler( private val client: Client, private val actionListener: ActionListener, - private val request: IndexMonitorRequest + private val request: IndexMonitorRequest, + private val user: User? ) { fun resolveUserAndStart() { - if (request.authHeader.isNullOrEmpty()) { + if (user == null) { // Security is disabled, add empty user to Monitor. user is null for older versions. request.monitor = request.monitor .copy(user = User("", listOf(), listOf(), listOf())) start() } else { - val authRequest = AuthUserRequestBuilder(request.authHeader).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - request.monitor = request.monitor - .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) - start() - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - } - - override fun onFailure(ex: Exception) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - }) - /*if(user != null) { - request.monitor = request.monitor - .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) - - } - start()*/ + request.monitor = request.monitor + .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) + start() } } fun resolveUserAndStartForAD() { - if (request.authHeader.isNullOrEmpty()) { + if (user == null) { // Security is disabled, add empty user to Monitor. 
user is null for older versions. request.monitor = request.monitor .copy(user = User("", listOf(), listOf(), listOf())) start() } else { - val authRequest = AuthUserRequestBuilder(request.authHeader).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - request.monitor = request.monitor - .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) - val searchSourceBuilder = SearchSourceBuilder().size(0) - addUserBackendRolesFilter(user, searchSourceBuilder) - val searchRequest = SearchRequest().indices(".opendistro-anomaly-detectors").source(searchSourceBuilder) - client.search(searchRequest, object : ActionListener { - override fun onResponse(response: SearchResponse?) { - val totalHits = response?.hits?.totalHits?.value - if (totalHits != null && totalHits > 0L) { - start() - } else { - actionListener.onFailure(AlertingException.wrap( - ElasticsearchStatusException("User has no available detectors", RestStatus.NOT_FOUND) - )) - } - } - - override fun onFailure(t: Exception) { - actionListener.onFailure(AlertingException.wrap(t)) - } - }) - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) + try { + request.monitor = request.monitor + .copy(user = User(user.name, user.backendRoles, user.roles, user.customAttNames)) + val searchSourceBuilder = SearchSourceBuilder().size(0) + addUserBackendRolesFilter(user, searchSourceBuilder) + val searchRequest = SearchRequest().indices(".opendistro-anomaly-detectors").source(searchSourceBuilder) + client.search(searchRequest, object : ActionListener { + override fun onResponse(response: SearchResponse?) 
{ + val totalHits = response?.hits?.totalHits?.value + if (totalHits != null && totalHits > 0L) { + start() + } else { + actionListener.onFailure(AlertingException.wrap( + ElasticsearchStatusException("User has no available detectors", RestStatus.NOT_FOUND) + )) + } } - } - override fun onFailure(ex: Exception) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - }) + override fun onFailure(t: Exception) { + actionListener.onFailure(AlertingException.wrap(t)) + } + }) + } catch (ex: IOException) { + actionListener.onFailure(AlertingException.wrap(ex)) + } } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt index 0870a00a..28ffbe49 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt @@ -20,7 +20,7 @@ import com.amazon.opendistroforelasticsearch.alerting.action.SearchMonitorReques import com.amazon.opendistroforelasticsearch.alerting.elasticapi.addFilter import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException -import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder +import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User import org.apache.logging.log4j.LogManager import org.elasticsearch.action.ActionListener 
@@ -29,15 +29,11 @@ import org.elasticsearch.action.search.SearchResponse import org.elasticsearch.action.support.ActionFilters import org.elasticsearch.action.support.HandledTransportAction import org.elasticsearch.client.Client -import org.elasticsearch.client.Response -import org.elasticsearch.client.ResponseListener -import org.elasticsearch.client.RestClient import org.elasticsearch.cluster.service.ClusterService import org.elasticsearch.common.inject.Inject import org.elasticsearch.common.settings.Settings import org.elasticsearch.tasks.Task import org.elasticsearch.transport.TransportService -import java.io.IOException private val log = LogManager.getLogger(TransportSearchMonitorAction::class.java) 
@@ -45,59 +41,40 @@ class TransportSearchMonitorAction @Inject constructor( transportService: TransportService, val settings: Settings, val client: Client, - val restClient: RestClient, clusterService: ClusterService, actionFilters: ActionFilters ) : HandledTransportAction( SearchMonitorAction.NAME, transportService, actionFilters, ::SearchMonitorRequest ) { @Volatile private var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) + private var user: User? = null init { clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES) { filterByEnabled = it } } override fun doExecute(task: Task, searchMonitorRequest: SearchMonitorRequest, actionListener: ActionListener) { + val userStr = client.threadPool().threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER_AND_ROLES) + log.debug("User and roles string from thread context: $userStr") + user = User.parse(userStr) + client.threadPool().threadContext.stashContext().use { resolve(searchMonitorRequest, actionListener) } } fun resolve(searchMonitorRequest: SearchMonitorRequest, actionListener: ActionListener) { - if (searchMonitorRequest.authHeader.isNullOrEmpty()) { - // auth header is null when: 1/ security is disabled. 2/when user is super-admin. + if (user == null) { + // user header is null when: 1/ security is disabled. 2/when user is super-admin. search(searchMonitorRequest.searchRequest, actionListener) } else if (!filterByEnabled) { // security is enabled and filterby is disabled. search(searchMonitorRequest.searchRequest, actionListener) } else { // security is enabled and filterby is enabled. 
- val authRequest = AuthUserRequestBuilder( - searchMonitorRequest.authHeader - ).build() - restClient.performRequestAsync(authRequest, object : ResponseListener { - override fun onSuccess(response: Response) { - try { - val user = User(response) - addFilter(user, searchMonitorRequest.searchRequest.source(), "monitor.user.backend_roles") - log.info("Filtering result by: ${user.backendRoles}") - search(searchMonitorRequest.searchRequest, actionListener) - } catch (ex: IOException) { - actionListener.onFailure(AlertingException.wrap(ex)) - } - } - - override fun onFailure(ex: Exception) { - when (ex.message?.contains("Connection refused")) { - // Connection is refused when security plugin is not present. This case can happen only with integration tests. - true -> { - addFilter(User(), searchMonitorRequest.searchRequest.source(), "monitor.user.backend_roles") - search(searchMonitorRequest.searchRequest, actionListener) - } - false -> actionListener.onFailure(AlertingException.wrap(ex)) - } - } - }) + addFilter(user as User, searchMonitorRequest.searchRequest.source(), "monitor.user.backend_roles") + log.info("Filtering result by: ${user?.backendRoles}") + search(searchMonitorRequest.searchRequest, actionListener) } } From c06ee2af262e900fd5bedc3777c63b6a50a0a508 Mon Sep 17 00:00:00 2001 
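Review bot: `user` is kept in a mutable member (`private var user: User? = null`) that `doExecute` overwrites on every request and `resolve` reads afterwards, so, assuming one injected action instance serves all requests, two concurrent searches can observe each other's identity. The result would be a backend-role filter built from another caller's roles, or no filter at all when the other request parsed to null; the `user == null` check followed by `user as User` can also throw if the field changes in between. Keep the identity request-local instead: `val user = User.parse(userStr)` in `doExecute`, pass it as `resolve(searchMonitorRequest, actionListener, user)`, and declare `fun resolve(..., user: User?)`, which lets the smart cast replace `user as User` and `user?.backendRoles`. The `resolve` hunk in TransportGetAlertsAction.kt later in this series reads `user` the same way and would need the same change if it is a member there too. The `search` helper that `resolve` calls is outside this hunk.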
From: skkosuri-amzn Date: Mon, 26 Oct 2020 23:50:08 -0700 Subject: [PATCH 3/6] Resolve user, backendroles, roles from threadcontext instead of /authinfo rest call --- .../alerting/action/GetAlertsRequest.kt | 9 ++------- .../alerting/action/GetDestinationsRequest.kt | 9 ++------- .../alerting/action/IndexDestinationRequest.kt | 5 ----- .../alerting/action/IndexMonitorRequest.kt | 5 ----- .../alerting/action/SearchMonitorRequest.kt | 9 ++------- .../alerting/resthandler/RestGetAlertsAction.kt | 3 +-- .../resthandler/RestGetDestinationsAction.kt | 4 +--- .../resthandler/RestIndexDestinationAction.kt | 3 +-- .../alerting/resthandler/RestIndexMonitorAction.kt | 3 +-- .../alerting/resthandler/RestSearchMonitorAction.kt | 3 +-- .../alerting/transport/TransportGetAlertsAction.kt | 12 +++--------- .../transport/TransportGetDestinationsAction.kt | 2 +- .../alerting/AlertingRestTestCase.kt | 7 ------- .../alerting/action/GetAlertsRequestTests.kt | 7 +++---- .../alerting/action/GetDestinationsRequestTests.kt | 9 ++++----- .../alerting/action/IndexDestinationRequestTests.kt | 2 -- .../alerting/action/IndexMonitorRequestTests.kt | 2 -- .../alerting/action/SearchMonitorRequestTests.kt | 3 +-- 18 files changed, 23 insertions(+), 74 deletions(-) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequest.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequest.kt index 0f9e6013..ff897ff0 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequest.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequest.kt 
@@ -27,20 +27,17 @@ class GetAlertsRequest : ActionRequest { val severityLevel: String val alertState: String val monitorId: String? - val authHeader: String? constructor( table: Table, severityLevel: String, alertState: String, - monitorId: String?, - authHeader: String? + monitorId: String? ) : super() { this.table = table this.severityLevel = severityLevel this.alertState = alertState this.monitorId = monitorId - this.authHeader = authHeader } @Throws(IOException::class) @@ -48,8 +45,7 @@ class GetAlertsRequest : ActionRequest { table = Table.readFrom(sin), severityLevel = sin.readString(), alertState = sin.readString(), - monitorId = sin.readOptionalString(), - authHeader = sin.readOptionalString() + monitorId = sin.readOptionalString() ) override fun validate(): ActionRequestValidationException? { @@ -62,6 +58,5 @@ class GetAlertsRequest : ActionRequest { out.writeString(severityLevel) out.writeString(alertState) out.writeOptionalString(monitorId) - out.writeOptionalString(authHeader) } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequest.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequest.kt index 071e90c6..f14ae628 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequest.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequest.kt 
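Review bot: Dropping `authHeader` from `writeTo` and from the `StreamInput` constructor changes the transport wire format of GetAlertsRequest with no version check. If a node running the previous plugin build can share a cluster with this one during a rolling upgrade, each side will read or write one optional string the other does not expect. The same removal is made in GetDestinationsRequest, IndexDestinationRequest, IndexMonitorRequest and SearchMonitorRequest; in the two Index*Request classes the field sat before `destination`/`monitor`, so the payload that follows it would be misread. Either record in the commit message that mixed-version clusters are not supported across this change, or gate both sides on the stream version, e.g. `if (out.version.before(FIRST_VERSION_WITHOUT_AUTH_HEADER)) out.writeOptionalString(null)` with the matching conditional read, where `FIRST_VERSION_WITHOUT_AUTH_HEADER` is a placeholder for the actual release constant.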
@@ -29,22 +29,19 @@ class GetDestinationsRequest : ActionRequest { val srcContext: FetchSourceContext? val table: Table val destinationType: String - val authHeader: String? constructor( destinationId: String?, version: Long, srcContext: FetchSourceContext?, table: Table, - destinationType: String, - authHeader: String? + destinationType: String ) : super() { this.destinationId = destinationId this.version = version this.srcContext = srcContext this.table = table this.destinationType = destinationType - this.authHeader = authHeader } @Throws(IOException::class) @@ -55,8 +52,7 @@ class GetDestinationsRequest : ActionRequest { FetchSourceContext(sin) } else null, table = Table.readFrom(sin), - destinationType = sin.readString(), - authHeader = sin.readOptionalString() + destinationType = sin.readString() ) override fun validate(): ActionRequestValidationException? { @@ -71,6 +67,5 @@ class GetDestinationsRequest : ActionRequest { srcContext?.writeTo(out) table.writeTo(out) out.writeString(destinationType) - out.writeOptionalString(authHeader) } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequest.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequest.kt index e71b691a..1680db46 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequest.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequest.kt @@ -30,7 +30,6 @@ class IndexDestinationRequest : ActionRequest { val primaryTerm: Long val refreshPolicy: WriteRequest.RefreshPolicy val method: RestRequest.Method - val authHeader: String? var destination: Destination constructor( 
@@ -39,7 +38,6 @@ class IndexDestinationRequest : ActionRequest { primaryTerm: Long, refreshPolicy: WriteRequest.RefreshPolicy, method: RestRequest.Method, - authHeader: String?, destination: Destination ): super() { this.destinationId = destinationId @@ -47,7 +45,6 @@ class IndexDestinationRequest : ActionRequest { this.primaryTerm = primaryTerm this.refreshPolicy = refreshPolicy this.method = method - this.authHeader = authHeader this.destination = destination } @@ -58,7 +55,6 @@ class IndexDestinationRequest : ActionRequest { this.primaryTerm = sin.readLong() this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(sin) this.method = sin.readEnum(RestRequest.Method::class.java) - this.authHeader = sin.readOptionalString() this.destination = Destination.readFrom(sin) } @@ -73,7 +69,6 @@ class IndexDestinationRequest : ActionRequest { out.writeLong(primaryTerm) refreshPolicy.writeTo(out) out.writeEnum(method) - out.writeOptionalString(authHeader) destination.writeTo(out) } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequest.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequest.kt index d7c80ed8..e167f52b 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequest.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequest.kt @@ -30,7 +30,6 @@ class IndexMonitorRequest : ActionRequest { val primaryTerm: Long val refreshPolicy: WriteRequest.RefreshPolicy val method: RestRequest.Method - val authHeader: String? var monitor: Monitor constructor( @@ -39,7 +38,6 @@ class IndexMonitorRequest : ActionRequest { primaryTerm: Long, refreshPolicy: WriteRequest.RefreshPolicy, method: RestRequest.Method, - authHeader: String?, monitor: Monitor ): super() { this.monitorId = monitorId 
@@ -47,7 +45,6 @@ class IndexMonitorRequest : ActionRequest { this.primaryTerm = primaryTerm this.refreshPolicy = refreshPolicy this.method = method - this.authHeader = authHeader this.monitor = monitor } @@ -58,7 +55,6 @@ class IndexMonitorRequest : ActionRequest { primaryTerm = sin.readLong(), refreshPolicy = WriteRequest.RefreshPolicy.readFrom(sin), method = sin.readEnum(RestRequest.Method::class.java), - authHeader = sin.readOptionalString(), monitor = Monitor.readFrom(sin) as Monitor ) @@ -73,7 +69,6 @@ class IndexMonitorRequest : ActionRequest { out.writeLong(primaryTerm) refreshPolicy.writeTo(out) out.writeEnum(method) - out.writeOptionalString(authHeader) monitor.writeTo(out) } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequest.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequest.kt index 1b5b4839..70b2c2b9 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequest.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequest.kt @@ -25,20 +25,16 @@ import java.io.IOException class SearchMonitorRequest : ActionRequest { val searchRequest: SearchRequest - val authHeader: String? constructor( - searchRequest: SearchRequest, - authHeader: String? + searchRequest: SearchRequest ): super() { this.searchRequest = searchRequest - this.authHeader = authHeader } @Throws(IOException::class) constructor(sin: StreamInput): this( - searchRequest = SearchRequest(sin), - authHeader = sin.readOptionalString() + searchRequest = SearchRequest(sin) ) override fun validate(): ActionRequestValidationException? { @@ -48,6 +44,5 @@ class SearchMonitorRequest : ActionRequest { @Throws(IOException::class) override fun writeTo(out: StreamOutput) { searchRequest.writeTo(out) - out.writeOptionalString(authHeader) } } 
diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt index d40d9c71..3a220f0c 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt @@ -58,7 +58,6 @@ class RestGetAlertsAction : BaseRestHandler() { val severityLevel = request.param("severityLevel", "ALL") val alertState = request.param("alertState", "ALL") val monitorId: String? = request.param("monitorId") - val auth = request.header(ConfigConstants.AUTHORIZATION) val table = Table( sortOrder, sortString, @@ -68,7 +67,7 @@ class RestGetAlertsAction : BaseRestHandler() { searchString ) - val getAlertsRequest = GetAlertsRequest(table, severityLevel, alertState, monitorId, auth) + val getAlertsRequest = GetAlertsRequest(table, severityLevel, alertState, monitorId) return RestChannelConsumer { channel -> client.execute(GetAlertsAction.INSTANCE, getAlertsRequest, RestToXContentListener(channel)) } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt index f6275b12..f007bb6e 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt 
@@ -67,7 +67,6 @@ class RestGetDestinationsAction : BaseRestHandler() { val startIndex = request.paramAsInt("startIndex", 0) val searchString = request.param("searchString", "") val destinationType = request.param("destinationType", "ALL") - val auth = request.header(ConfigConstants.AUTHORIZATION) val table = Table( sortOrder, @@ -83,8 +82,7 @@ class RestGetDestinationsAction : BaseRestHandler() { RestActions.parseVersion(request), srcContext, table, - destinationType, - auth + destinationType ) return RestChannelConsumer { channel -> client.execute(GetDestinationsAction.INSTANCE, getDestinationsRequest, RestToXContentListener(channel)) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt index 59c6fc08..058b7c15 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt @@ -80,8 +80,7 @@ class RestIndexDestinationAction : BaseRestHandler() { } else { WriteRequest.RefreshPolicy.IMMEDIATE } - val auth = request.header(ConfigConstants.AUTHORIZATION) - val indexDestinationRequest = IndexDestinationRequest(id, seqNo, primaryTerm, refreshPolicy, request.method(), auth, destination) + val indexDestinationRequest = IndexDestinationRequest(id, seqNo, primaryTerm, refreshPolicy, request.method(), destination) return RestChannelConsumer { channel -> client.execute(IndexDestinationAction.INSTANCE, indexDestinationRequest, indexDestinationResponse(channel, request.method())) 
diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt index a18b4e55..bc2371e2 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt @@ -82,8 +82,7 @@ class RestIndexMonitorAction : BaseRestHandler() { } else { WriteRequest.RefreshPolicy.IMMEDIATE } - val auth = request.header(ConfigConstants.AUTHORIZATION) - val indexMonitorRequest = IndexMonitorRequest(id, seqNo, primaryTerm, refreshPolicy, request.method(), auth, monitor) + val indexMonitorRequest = IndexMonitorRequest(id, seqNo, primaryTerm, refreshPolicy, request.method(), monitor) return RestChannelConsumer { channel -> client.execute(IndexMonitorAction.INSTANCE, indexMonitorRequest, indexMonitorResponse(channel, request.method())) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt index 3fdd8d6d..0f2f2e6a 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt @@ -82,7 +82,6 @@ class RestSearchMonitorAction( log.debug("${request.method()} ${AlertingPlugin.MONITOR_BASE_URI}/_search") val index = request.param("index", SCHEDULED_JOBS_INDEX) - val auth = request.header(ConfigConstants.AUTHORIZATION) val searchSourceBuilder = SearchSourceBuilder() searchSourceBuilder.parseXContent(request.contentOrSourceParamParser()) searchSourceBuilder.fetchSource(context(request)) 
@@ -96,7 +95,7 @@ class RestSearchMonitorAction( .source(searchSourceBuilder) .indices(index) - val searchMonitorRequest = SearchMonitorRequest(searchRequest, auth) + val searchMonitorRequest = SearchMonitorRequest(searchRequest) return RestChannelConsumer { channel -> client.execute(SearchMonitorAction.INSTANCE, searchMonitorRequest, searchMonitorResponse(channel)) } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt index 87719f46..ed53d07d 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt @@ -24,7 +24,6 @@ import com.amazon.opendistroforelasticsearch.alerting.model.Alert import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException import com.amazon.opendistroforelasticsearch.commons.ConfigConstants -import com.amazon.opendistroforelasticsearch.commons.authuser.AuthUserRequestBuilder import com.amazon.opendistroforelasticsearch.commons.authuser.User import org.apache.logging.log4j.LogManager import org.elasticsearch.action.ActionListener 
@@ -117,28 +116,23 @@ class TransportGetAlertsAction @Inject constructor( .from(tableProp.startIndex) client.threadPool().threadContext.stashContext().use { - resolve(getAlertsRequest, searchSourceBuilder, actionListener) + resolve(searchSourceBuilder, actionListener) } } fun resolve( - getAlertsRequest: GetAlertsRequest, searchSourceBuilder: SearchSourceBuilder, actionListener: ActionListener ) { - // auth header is null when: 1/ security is disabled. 2/when user is super-admin. + // user is null when: 1/ security is disabled. 2/when user is super-admin. if (user == null) { - // auth header is null when: 1/ security is disabled. 2/when user is super-admin. + // user is null when: 1/ security is disabled. 2/when user is super-admin. search(searchSourceBuilder, actionListener) } else if (!filterByEnabled) { // security is enabled and filterby is disabled. search(searchSourceBuilder, actionListener) } else { // security is enabled and filterby is enabled. - val authRequest = AuthUserRequestBuilder( - getAlertsRequest.authHeader - ).build() - try { addFilter(user as User, searchSourceBuilder, "monitor_user.backend_roles") log.info("Filtering result by: ${user?.backendRoles}") diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt index fa77009a..24d992b7 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt 
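Review bot: The `user == null` branch runs the search with no backend-role filter, and the comment explaining it now appears twice, directly above the `if` and again inside it. Because the identity now comes from the thread context rather than from the request, it is worth confirming that `user` can only be null in the two documented cases (security disabled, super-admin) and not when the transient is missing or unparsable for some other reason, since every such case returns unfiltered alerts. I would keep a single comment and state the consequence, e.g. `// user == null (security disabled or super-admin): results are NOT filtered by backend roles`. `resolve` continues past the end of this hunk, so the `try` opened here is closed outside it.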
@@ -127,7 +127,7 @@ class TransportGetDestinationsAction @Inject constructor( actionListener: ActionListener ) { if (user == null) { - // auth header is null when: 1/ security is disabled. 2/when user is super-admin. + // user is null when: 1/ security is disabled. 2/when user is super-admin. search(searchSourceBuilder, actionListener) } else if (!filterByEnabled) { // security is enabled and filterby is disabled. diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt index 1f3a099d..3c6fe9b3 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt @@ -638,13 +638,6 @@ abstract class AlertingRestTestCase : ODFERestTestCase() { assertEquals(updateResponse.statusLine.toString(), 200, updateResponse.statusLine.statusCode) } - fun getHeader(): BasicHeader { - return when (isHttps()) { - false -> BasicHeader("dummy", ESRestTestCase.randomAlphaOfLength(20)) - true -> BasicHeader(ConfigConstants.AUTHORIZATION, ESRestTestCase.randomAlphaOfLength(20)) - } - } - fun removeEmailFromAllowList() { val allowedDestinations = DestinationType.values().toList() .filter { destinationType -> destinationType != DestinationType.EMAIL } diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt index 30db33ca..d0a46741 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt 
@@ -27,7 +27,7 @@ class GetAlertsRequestTests : ESTestCase() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetAlertsRequest(table, "1", "active", null, null) + val req = GetAlertsRequest(table, "1", "active", null) assertNotNull(req) val out = BytesStreamOutput() @@ -44,7 +44,7 @@ class GetAlertsRequestTests : ESTestCase() { fun `test get alerts request with filter`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetAlertsRequest(table, "1", "active", null, ESRestTestCase.randomAlphaOfLength(20)) + val req = GetAlertsRequest(table, "1", "active", null) assertNotNull(req) val out = BytesStreamOutput() @@ -56,13 +56,12 @@ class GetAlertsRequestTests : ESTestCase() { assertEquals("active", newReq.alertState) assertNull(newReq.monitorId) assertEquals(table, newReq.table) - assertNotNull(newReq.authHeader) } fun `test validate returns null`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetAlertsRequest(table, "1", "active", null, null) + val req = GetAlertsRequest(table, "1", "active", null) assertNotNull(req) assertNull(req.validate()) } diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt index 5d5e34ca..39032e77 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt 
@@ -27,7 +27,7 @@ class GetDestinationsRequestTests : ESTestCase() { fun `test get destination request`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetDestinationsRequest("1234", 1L, FetchSourceContext.FETCH_SOURCE, table, "slack", null) + val req = GetDestinationsRequest("1234", 1L, FetchSourceContext.FETCH_SOURCE, table, "slack") assertNotNull(req) val out = BytesStreamOutput() @@ -44,7 +44,7 @@ class GetDestinationsRequestTests : ESTestCase() { fun `test get destination request without src context`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetDestinationsRequest("1234", 1L, null, table, "slack", null) + val req = GetDestinationsRequest("1234", 1L, null, table, "slack") assertNotNull(req) val out = BytesStreamOutput() @@ -61,7 +61,7 @@ class GetDestinationsRequestTests : ESTestCase() { fun `test get destination request without destinationId`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetDestinationsRequest(null, 1L, FetchSourceContext.FETCH_SOURCE, table, "slack", null) + val req = GetDestinationsRequest(null, 1L, FetchSourceContext.FETCH_SOURCE, table, "slack") assertNotNull(req) val out = BytesStreamOutput() @@ -78,7 +78,7 @@ class GetDestinationsRequestTests : ESTestCase() { fun `test get destination request with filter`() { val table = Table("asc", "sortString", null, 1, 0, "") - val req = GetDestinationsRequest(null, 1L, FetchSourceContext.FETCH_SOURCE, table, "slack", ESRestTestCase.randomAlphaOfLength(20)) + val req = GetDestinationsRequest(null, 1L, FetchSourceContext.FETCH_SOURCE, table, "slack") assertNotNull(req) val out = BytesStreamOutput() @@ -90,6 +90,5 @@ class GetDestinationsRequestTests : ESTestCase() { assertEquals(FetchSourceContext.FETCH_SOURCE, newReq.srcContext) assertEquals(table, newReq.table) assertEquals("slack", newReq.destinationType) - assertNotNull(newReq.authHeader) } } 
diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt index 6d7c4873..eb97b2fc 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt @@ -37,7 +37,6 @@ class IndexDestinationRequestTests : ESTestCase() { 1L, WriteRequest.RefreshPolicy.IMMEDIATE, RestRequest.Method.POST, - ESRestTestCase.randomAlphaOfLength(20), Destination( "1234", 0L, @@ -77,7 +76,6 @@ class IndexDestinationRequestTests : ESTestCase() { 1L, WriteRequest.RefreshPolicy.IMMEDIATE, RestRequest.Method.PUT, - ESRestTestCase.randomAlphaOfLength(20), Destination( "1234", 0L, diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt index 33e0768b..4c4a202b 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt @@ -30,7 +30,6 @@ class IndexMonitorRequestTests : ESTestCase() { fun `test index monitor post request`() { val req = IndexMonitorRequest("1234", 1L, 2L, WriteRequest.RefreshPolicy.IMMEDIATE, RestRequest.Method.POST, - ESRestTestCase.randomAlphaOfLength(20), randomMonitor().copy(inputs = listOf(SearchInput(emptyList(), SearchSourceBuilder())))) assertNotNull(req) 
@@ -48,7 +47,6 @@ class IndexMonitorRequestTests : ESTestCase() { fun `test index monitor put request`() { val req = IndexMonitorRequest("1234", 1L, 2L, WriteRequest.RefreshPolicy.IMMEDIATE, RestRequest.Method.PUT, - ESRestTestCase.randomAlphaOfLength(20), randomMonitor().copy(inputs = listOf(SearchInput(emptyList(), SearchSourceBuilder())))) assertNotNull(req) diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequestTests.kt index 7a67ef22..97b22bc5 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/SearchMonitorRequestTests.kt @@ -29,7 +29,7 @@ class SearchMonitorRequestTests : ESTestCase() { fun `test search monitors request`() { val searchSourceBuilder = SearchSourceBuilder().from(0).size(100).timeout(TimeValue(60, TimeUnit.SECONDS)) val searchRequest = SearchRequest().indices(ESRestTestCase.randomAlphaOfLength(10)).source(searchSourceBuilder) - val searchMonitorRequest = SearchMonitorRequest(searchRequest, ESRestTestCase.randomAlphaOfLength(20)) + val searchMonitorRequest = SearchMonitorRequest(searchRequest) assertNotNull(searchMonitorRequest) val out = BytesStreamOutput() @@ -37,7 +37,6 @@ class SearchMonitorRequestTests : ESTestCase() { val sin = StreamInput.wrap(out.bytes().toBytesRef().bytes) val newReq = SearchMonitorRequest(sin) - assertNotNull(newReq.authHeader) assertNotNull(newReq.searchRequest) assertEquals(1, newReq.searchRequest.indices().size) } From 97d96e34ebf8b2890a028b7451812c621d44192b Mon Sep 17 00:00:00 2001 From: skkosuri-amzn Date: Mon, 26 Oct 2020 23:58:50 -0700 Subject: [PATCH 4/6] remove unwanted entry --- build.gradle | 1 - 1 file changed, 1 deletion(-) 
diff --git a/build.gradle b/build.gradle index f46c626e..3cc84c78 100644 --- a/build.gradle +++ b/build.gradle @@ -22,7 +22,6 @@ buildscript { } repositories { - mavenLocal() mavenCentral() maven { url "https://plugins.gradle.org/m2/" } jcenter() From 0b8dbdc0135a1f80244cd21b9b7a2ec4fe06b59d Mon Sep 17 00:00:00 2001 From: skkosuri-amzn Date: Tue, 27 Oct 2020 15:06:03 -0700 Subject: [PATCH 5/6] move to 1.11.0.1 commons and ktlint --- .../alerting/resthandler/RestGetAlertsAction.kt | 1 - .../alerting/resthandler/RestGetDestinationsAction.kt | 1 - .../alerting/resthandler/RestIndexDestinationAction.kt | 1 - .../alerting/resthandler/RestIndexMonitorAction.kt | 1 - .../alerting/resthandler/RestSearchMonitorAction.kt | 1 - .../alerting/AlertingRestTestCase.kt | 2 -- .../alerting/action/GetAlertsRequestTests.kt | 1 - .../alerting/action/GetDestinationsRequestTests.kt | 1 - .../alerting/action/IndexDestinationRequestTests.kt | 1 - .../alerting/action/IndexMonitorRequestTests.kt | 1 - core/build.gradle | 4 +--- 11 files changed, 1 insertion(+), 14 deletions(-) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt index 3a220f0c..db42ed9a 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetAlertsAction.kt 
@@ -19,7 +19,6 @@ import com.amazon.opendistroforelasticsearch.alerting.AlertingPlugin import com.amazon.opendistroforelasticsearch.alerting.action.GetAlertsAction import com.amazon.opendistroforelasticsearch.alerting.action.GetAlertsRequest import com.amazon.opendistroforelasticsearch.alerting.model.Table -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.client.node.NodeClient import org.elasticsearch.rest.BaseRestHandler diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt index f007bb6e..b37e885b 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestGetDestinationsAction.kt @@ -20,7 +20,6 @@ import com.amazon.opendistroforelasticsearch.alerting.action.GetDestinationsActi import com.amazon.opendistroforelasticsearch.alerting.action.GetDestinationsRequest import com.amazon.opendistroforelasticsearch.alerting.model.Table import com.amazon.opendistroforelasticsearch.alerting.util.context -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.client.node.NodeClient import org.elasticsearch.rest.BaseRestHandler diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt index 058b7c15..3691f395 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt 
+++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexDestinationAction.kt @@ -23,7 +23,6 @@ import com.amazon.opendistroforelasticsearch.alerting.model.destination.Destinat import com.amazon.opendistroforelasticsearch.alerting.util.IF_PRIMARY_TERM import com.amazon.opendistroforelasticsearch.alerting.util.IF_SEQ_NO import com.amazon.opendistroforelasticsearch.alerting.util.REFRESH -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.action.support.WriteRequest import org.elasticsearch.client.node.NodeClient diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt index bc2371e2..0b9dbd83 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestIndexMonitorAction.kt @@ -22,7 +22,6 @@ import com.amazon.opendistroforelasticsearch.alerting.model.Monitor import com.amazon.opendistroforelasticsearch.alerting.util.IF_PRIMARY_TERM import com.amazon.opendistroforelasticsearch.alerting.util.IF_SEQ_NO import com.amazon.opendistroforelasticsearch.alerting.util.REFRESH -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.action.support.WriteRequest import org.elasticsearch.client.node.NodeClient diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt index 0f2f2e6a..4baa9b1b 100644 
--- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/RestSearchMonitorAction.kt @@ -21,7 +21,6 @@ import com.amazon.opendistroforelasticsearch.alerting.core.model.ScheduledJob import com.amazon.opendistroforelasticsearch.alerting.core.model.ScheduledJob.Companion.SCHEDULED_JOBS_INDEX import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.util.context -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.logging.log4j.LogManager import org.elasticsearch.action.search.SearchRequest import org.elasticsearch.action.search.SearchResponse diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt index 3c6fe9b3..937f4ad3 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/AlertingRestTestCase.kt @@ -30,7 +30,6 @@ import com.amazon.opendistroforelasticsearch.alerting.model.destination.email.Em import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.settings.DestinationSettings import com.amazon.opendistroforelasticsearch.alerting.util.DestinationType -import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import org.apache.http.HttpEntity import org.apache.http.HttpHeaders import org.apache.http.entity.ContentType 
@@ -55,7 +54,6 @@ import org.elasticsearch.common.xcontent.json.JsonXContent import org.elasticsearch.common.xcontent.json.JsonXContent.jsonXContent import org.elasticsearch.rest.RestStatus import org.elasticsearch.search.SearchModule -import org.elasticsearch.test.rest.ESRestTestCase import org.junit.AfterClass import org.junit.rules.DisableOnDebug import java.net.URLEncoder diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt index d0a46741..323f3a5c 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetAlertsRequestTests.kt @@ -19,7 +19,6 @@ import com.amazon.opendistroforelasticsearch.alerting.model.Table import org.elasticsearch.common.io.stream.BytesStreamOutput import org.elasticsearch.common.io.stream.StreamInput import org.elasticsearch.test.ESTestCase -import org.elasticsearch.test.rest.ESRestTestCase class GetAlertsRequestTests : ESTestCase() { diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt index 39032e77..9c7c71af 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/GetDestinationsRequestTests.kt 
@@ -20,7 +20,6 @@ import org.elasticsearch.common.io.stream.BytesStreamOutput import org.elasticsearch.common.io.stream.StreamInput import org.elasticsearch.search.fetch.subphase.FetchSourceContext import org.elasticsearch.test.ESTestCase -import org.elasticsearch.test.rest.ESRestTestCase class GetDestinationsRequestTests : ESTestCase() { diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt index eb97b2fc..15e1fa46 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexDestinationRequestTests.kt @@ -24,7 +24,6 @@ import org.elasticsearch.common.io.stream.BytesStreamOutput import org.elasticsearch.common.io.stream.StreamInput import org.elasticsearch.rest.RestRequest import org.elasticsearch.test.ESTestCase -import org.elasticsearch.test.rest.ESRestTestCase import java.time.Instant class IndexDestinationRequestTests : ESTestCase() { diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt index 4c4a202b..490d79d4 100644 --- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/action/IndexMonitorRequestTests.kt @@ -23,7 +23,6 @@ import org.elasticsearch.common.io.stream.StreamInput import org.elasticsearch.rest.RestRequest import org.elasticsearch.search.builder.SearchSourceBuilder import org.elasticsearch.test.ESTestCase -import org.elasticsearch.test.rest.ESRestTestCase class IndexMonitorRequestTests : ESTestCase() { 
diff --git a/core/build.gradle b/core/build.gradle index afd3ba44..f28c6359 100644 --- a/core/build.gradle +++ b/core/build.gradle @@ -25,11 +25,9 @@ dependencies { compile "com.cronutils:cron-utils:7.0.5" compile "org.elasticsearch.client:elasticsearch-rest-client:${es_version}" compile 'com.google.googlejavaformat:google-java-format:1.3' - // compile "com.amazon.opendistroforelasticsearch:common-utils:${opendistroVersion}.1" + compile "com.amazon.opendistroforelasticsearch:common-utils:${opendistroVersion}.1" testImplementation "org.elasticsearch.test:framework:${es_version}" testImplementation "org.jetbrains.kotlin:kotlin-test:${kotlin_version}" testImplementation "org.jetbrains.kotlin:kotlin-test-junit:${kotlin_version}" - - compile files('/Users/skkosuri/aws-workspace/PluginSecurity/common-utils/build/libs/common-utils-1.11.0.1.jar') } From 7de8426f025280d8e6b38e5f4cf8669addcd1cef Mon Sep 17 00:00:00 2001 From: skkosuri-amzn Date: Wed, 28 Oct 2020 09:45:56 -0700 Subject: [PATCH 6/6] Fix filter by user.backendroles and integ tests for it --- .../transport/TransportGetAlertsAction.kt | 2 +- .../TransportGetDestinationsAction.kt | 2 +- .../TransportIndexDestinationAction.kt | 7 ++ .../transport/TransportIndexMonitorAction.kt | 9 ++ .../transport/TransportSearchMonitorAction.kt | 2 +- .../alerting/util/AlertingUtils.kt | 36 ++++++ .../resthandler/SecureDestinationRestApiIT.kt | 85 +++++++++++--- .../resthandler/SecureMonitorRestApiIT.kt | 105 +++++++++--------- 8 files changed, 173 insertions(+), 75 deletions(-) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt index ed53d07d..02242833 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt 
+++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetAlertsAction.kt @@ -134,8 +134,8 @@ class TransportGetAlertsAction @Inject constructor( } else { // security is enabled and filterby is enabled. try { - addFilter(user as User, searchSourceBuilder, "monitor_user.backend_roles") log.info("Filtering result by: ${user?.backendRoles}") + addFilter(user as User, searchSourceBuilder, "monitor_user.backend_roles.keyword") search(searchSourceBuilder, actionListener) } catch (ex: IOException) { actionListener.onFailure(AlertingException.wrap(ex)) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt index 24d992b7..f042a160 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportGetDestinationsAction.kt @@ -135,8 +135,8 @@ class TransportGetDestinationsAction @Inject constructor( } else { // security is enabled and filterby is enabled. try { - addFilter(user as User, searchSourceBuilder, "destination.user.backend_roles") log.info("Filtering result by: ${user?.backendRoles}") + addFilter(user as User, searchSourceBuilder, "destination.user.backend_roles.keyword") search(searchSourceBuilder, actionListener) } catch (ex: IOException) { actionListener.onFailure(AlertingException.wrap(ex)) diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt index 461ac79a..03add5bf 100644 
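Review bot: `addFilter(user as User, ...)` in the filter-by branch of TransportGetAlertsAction force-casts a nullable `user`; if it is ever null here, the cast throws a null/cast exception rather than `IOException`, so the surrounding `catch` never turns it into `actionListener.onFailure`. The conditions that select this branch are outside the hunk and may already exclude null, but handling the null case explicitly with an `onFailure` call before building the filter removes the dependency. The same cast appears in the TransportGetDestinationsAction hunk and in the TransportSearchMonitorAction hunk, where there is no `try` at all. The moved `log.info` writes the caller's backend roles on every filtered request; `log.debug("Filtering result by: ${user?.backendRoles}")` would match the `log.debug` used for the user string in the index actions.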
--- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexDestinationAction.kt @@ -9,6 +9,7 @@ import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.settings.DestinationSettings import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException import com.amazon.opendistroforelasticsearch.alerting.util.IndexUtils +import com.amazon.opendistroforelasticsearch.alerting.util.checkFilterByUserBackendRoles import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User import org.apache.logging.log4j.LogManager @@ -49,11 +50,13 @@ class TransportIndexDestinationAction @Inject constructor( @Volatile private var indexTimeout = AlertingSettings.INDEX_TIMEOUT.get(settings) @Volatile private var allowList = DestinationSettings.ALLOW_LIST.get(settings) + @Volatile private var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) private var user: User? = null init { clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.INDEX_TIMEOUT) { indexTimeout = it } clusterService.clusterSettings.addSettingsUpdateConsumer(DestinationSettings.ALLOW_LIST) { allowList = it } + clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES) { filterByEnabled = it } } override fun doExecute(task: Task, request: IndexDestinationRequest, actionListener: ActionListener) { 
@@ -61,6 +64,10 @@ class TransportIndexDestinationAction @Inject constructor( log.debug("User and roles string from thread context: $userStr") user = User.parse(userStr) + if (!checkFilterByUserBackendRoles(filterByEnabled, user, actionListener)) { + return + } + client.threadPool().threadContext.stashContext().use { IndexDestinationHandler(client, actionListener, request, user).resolveUserAndStart() } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt index 708c48c2..2d749cb8 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportIndexMonitorAction.kt @@ -24,7 +24,9 @@ import com.amazon.opendistroforelasticsearch.alerting.core.model.ScheduledJob.Co import com.amazon.opendistroforelasticsearch.alerting.core.model.ScheduledJob.Companion.SCHEDULED_JOB_TYPE import com.amazon.opendistroforelasticsearch.alerting.core.model.SearchInput import com.amazon.opendistroforelasticsearch.alerting.model.Monitor +import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings.Companion.ALERTING_MAX_MONITORS +import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings.Companion.FILTER_BY_BACKEND_ROLES import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings.Companion.INDEX_TIMEOUT import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings.Companion.MAX_ACTION_THROTTLE_VALUE import com.amazon.opendistroforelasticsearch.alerting.settings.AlertingSettings.Companion.REQUEST_TIMEOUT 
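Review bot: The added `checkFilterByUserBackendRoles(filterByEnabled, user, actionListener)` call reads `user` from the class-level `private var user: User?` that `doExecute` assigns on the line above, so the caller's identity is held in state shared by every request this action instance serves. If the action is a single injected instance (not visible here), two concurrent requests can overwrite each other's `user` between `User.parse(userStr)` and the check or the `IndexDestinationHandler(...)` call, and one caller's roles can be checked or stored for another's request. Bind it locally with `val user = User.parse(userStr)`, pass that to the check and the handler, and drop the field. The `@@ -104,6 +109,10 @@` hunk in TransportIndexMonitorAction has the same pattern with a public `var user`. `doExecute` continues outside the hunk.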
@@ -32,6 +34,7 @@ import com.amazon.opendistroforelasticsearch.alerting.settings.DestinationSettin import com.amazon.opendistroforelasticsearch.alerting.util.AlertingException import com.amazon.opendistroforelasticsearch.alerting.util.IndexUtils import com.amazon.opendistroforelasticsearch.alerting.util.addUserBackendRolesFilter +import com.amazon.opendistroforelasticsearch.alerting.util.checkFilterByUserBackendRoles import com.amazon.opendistroforelasticsearch.alerting.util.isADMonitor import com.amazon.opendistroforelasticsearch.commons.ConfigConstants import com.amazon.opendistroforelasticsearch.commons.authuser.User @@ -88,6 +91,7 @@ class TransportIndexMonitorAction @Inject constructor( @Volatile private var indexTimeout = INDEX_TIMEOUT.get(settings) @Volatile private var maxActionThrottle = MAX_ACTION_THROTTLE_VALUE.get(settings) @Volatile private var allowList = ALLOW_LIST.get(settings) + @Volatile private var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings) var user: User? = null init { @@ -96,6 +100,7 @@ class TransportIndexMonitorAction @Inject constructor( clusterService.clusterSettings.addSettingsUpdateConsumer(INDEX_TIMEOUT) { indexTimeout = it } clusterService.clusterSettings.addSettingsUpdateConsumer(MAX_ACTION_THROTTLE_VALUE) { maxActionThrottle = it } clusterService.clusterSettings.addSettingsUpdateConsumer(ALLOW_LIST) { allowList = it } + clusterService.clusterSettings.addSettingsUpdateConsumer(FILTER_BY_BACKEND_ROLES) { filterByEnabled = it } } override fun doExecute(task: Task, request: IndexMonitorRequest, actionListener: ActionListener) { @@ -104,6 +109,10 @@ class TransportIndexMonitorAction @Inject constructor( log.debug("User and roles string from thread context: $userStr") user = User.parse(userStr) + if (!checkFilterByUserBackendRoles(filterByEnabled, user, actionListener)) { + return + } + if (!isADMonitor(request.monitor)) { checkIndicesAndExecute(client, actionListener, request, user) } else { 
diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt index 28ffbe49..511e6351 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/transport/TransportSearchMonitorAction.kt @@ -72,8 +72,8 @@ class TransportSearchMonitorAction @Inject constructor( search(searchMonitorRequest.searchRequest, actionListener) } else { // security is enabled and filterby is enabled. - addFilter(user as User, searchMonitorRequest.searchRequest.source(), "monitor.user.backend_roles") log.info("Filtering result by: ${user?.backendRoles}") + addFilter(user as User, searchMonitorRequest.searchRequest.source(), "monitor.user.backend_roles.keyword") search(searchMonitorRequest.searchRequest, actionListener) } } diff --git a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/util/AlertingUtils.kt b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/util/AlertingUtils.kt index 2c7e898b..9236747f 100644 --- a/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/util/AlertingUtils.kt +++ b/alerting/src/main/kotlin/com/amazon/opendistroforelasticsearch/alerting/util/AlertingUtils.kt 
@@ -17,6 +17,10 @@ package com.amazon.opendistroforelasticsearch.alerting.util import com.amazon.opendistroforelasticsearch.alerting.model.destination.Destination import com.amazon.opendistroforelasticsearch.alerting.settings.DestinationSettings +import com.amazon.opendistroforelasticsearch.commons.authuser.User +import org.elasticsearch.ElasticsearchStatusException +import org.elasticsearch.action.ActionListener +import org.elasticsearch.rest.RestStatus /** * RFC 5322 compliant pattern matching: https://www.ietf.org/rfc/rfc5322.txt 
@@ -36,3 +40,35 @@ fun isValidEmail(email: String): Boolean { /** Allowed Destinations are ones that are specified in the [DestinationSettings.ALLOW_LIST] setting. */ fun Destination.isAllowed(allowList: List): Boolean = allowList.contains(this.type.value) + +/** + 1. If filterBy is enabled + a) Don't allow to create monitor/ destination (throw error) if the logged-on user has no backend roles configured. + 2. If filterBy is enabled & monitors are created when filterBy is disabled: + a) If backend_roles are saved with config, results will get filtered and data is shown + b) If backend_roles are not saved with monitor config, results will get filtered and no monitors + will be displayed. + c) Users can edit and save the monitors to associate their backend_roles. + 3. If filterBy is enabled & monitors are created by older version: + a) No User details are present on monitor. + b) No monitors will be displayed. + c) Users can edit and save the monitors to associate their backend_roles. + */ +fun checkFilterByUserBackendRoles(filterByEnabled: Boolean, user: User?, actionListener: ActionListener): Boolean { + if (filterByEnabled) { + if (user == null) { + actionListener.onFailure(AlertingException.wrap( + ElasticsearchStatusException( + "Filter by user backend roles is not enabled with security disabled.", RestStatus.FORBIDDEN + ) + )) + return false + } else if (user.backendRoles.isNullOrEmpty()) { + actionListener.onFailure(AlertingException.wrap( + ElasticsearchStatusException("User doesn't have backend roles configured. Contact administrator.", RestStatus.FORBIDDEN) + )) + return false + } + } + return true +} diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureDestinationRestApiIT.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureDestinationRestApiIT.kt index 81008d88..7f3d7875 100644 
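Review bot: `checkFilterByUserBackendRoles` only establishes that the caller has at least one backend role; it does not compare those roles with the owner recorded on an existing monitor or destination, so on its own it does not stop an update by a user from a different role group. Whether the index handlers make that comparison is not visible in this diff, so this is a question to confirm rather than a confirmed gap. The KDoc lists the policy but not the contract; add `@return true when the request may proceed, false after actionListener.onFailure has been called with 403 FORBIDDEN`. The first message, `"Filter by user backend roles is not enabled with security disabled."`, reads as a double negative; `"Filter by user backend roles requires security to be enabled."` is clearer.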
--- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureDestinationRestApiIT.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureDestinationRestApiIT.kt @@ -16,10 +16,15 @@ package com.amazon.opendistroforelasticsearch.alerting.resthandler import com.amazon.opendistroforelasticsearch.alerting.AlertingRestTestCase +import com.amazon.opendistroforelasticsearch.alerting.DESTINATION_BASE_URI +import com.amazon.opendistroforelasticsearch.alerting.makeRequest +import com.amazon.opendistroforelasticsearch.alerting.model.destination.Chime import com.amazon.opendistroforelasticsearch.alerting.model.destination.Destination import com.amazon.opendistroforelasticsearch.alerting.model.destination.Slack import com.amazon.opendistroforelasticsearch.alerting.randomUser import com.amazon.opendistroforelasticsearch.alerting.util.DestinationType +import org.elasticsearch.client.ResponseException +import org.elasticsearch.rest.RestStatus import org.elasticsearch.test.junit.annotations.TestLogging import java.time.Instant 
@@ -27,6 +32,60 @@ import java.time.Instant @Suppress("UNCHECKED_CAST") class SecureDestinationRestApiIT : AlertingRestTestCase() { + fun `test create destination with disable filter by`() { + disableFilterBy() + + val chime = Chime("http://abc.com") + val destination = Destination( + type = DestinationType.CHIME, + name = "test", + user = randomUser(), + lastUpdateTime = Instant.now(), + chime = chime, + slack = null, + customWebhook = null, + email = null) + val createdDestination = createDestination(destination = destination) + assertEquals("Incorrect destination name", createdDestination.name, "test") + assertEquals("Incorrect destination type", createdDestination.type, DestinationType.CHIME) + } + + fun `test create destination with enable filter by`() { + enableFilterBy() + val chime = Chime("http://abc.com") + val destination = Destination( + type = DestinationType.CHIME, + name = "test", + user = randomUser(), + lastUpdateTime = Instant.now(), + chime = chime, + slack = null, + customWebhook = null, + email = null) + + if (isHttps()) { + // when security is enabled. No errors, must succeed. + val response = client().makeRequest( + "POST", + "$DESTINATION_BASE_URI?refresh=true", + emptyMap(), + destination.toHttpEntity()) + assertEquals("Create monitor failed", RestStatus.CREATED, response.restStatus()) + } else { + // when security is disable. Must return Forbidden. + try { + client().makeRequest( + "POST", + "$DESTINATION_BASE_URI?refresh=true", + emptyMap(), + destination.toHttpEntity()) + fail("Expected 403 FORBIDDEN response") + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) + } + } + } + fun `test get destinations with a destination type and disable filter by`() { disableFilterBy() val slack = Slack("url") 
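Review bot: In "test create destination with enable filter by" the success-path assertion message is `"Create monitor failed"`, copied from the monitor tests; it should read `"Create destination failed"` so a failure points at the right API. In "test create destination with disable filter by" the `assertEquals` arguments are in actual/expected order; `assertEquals("Incorrect destination name", "test", createdDestination.name)` gives a correct failure message. The comment `// when security is disable.` should read `disabled`.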
@@ -48,16 +107,17 @@ class SecureDestinationRestApiIT : AlertingRestTestCase() { inputMap["destinationType"] = "slack" // 2. get destinations as admin user - /*val adminResponse = getDestinations(client(), inputMap, getHeader()) - assertEquals(1, adminResponse.size)*/ - - // 3. get destinations as kirk user, super-admin can read all. - val kirkResponse = getDestinations(adminClient(), inputMap) - assertEquals(1, kirkResponse.size) + val adminResponse = getDestinations(client(), inputMap) + assertEquals(1, adminResponse.size) } fun `test get destinations with a destination type and filter by`() { enableFilterBy() + if (!isHttps()) { + // if security is disabled and filter by is enabled, we can't create monitor + // refer: `test create destination with enable filter by` + return + } val slack = Slack("url") val destination = Destination( type = DestinationType.SLACK, @@ -77,16 +137,7 @@ class SecureDestinationRestApiIT : AlertingRestTestCase() { inputMap["destinationType"] = "slack" // 2. get destinations as admin user - /*val adminResponse = getDestinations(client(), inputMap, getHeader()) - val expected = when (isHttps()) { - true -> 1 // when test is run with security - get the correct filtered results. - false -> 1 // when test is run without security and filterby is enabled - filtering - // does not work without security, so filtering is ignored and gets a result - } - assertEquals(expected, adminResponse.size)*/ - - // 3. get destinations as kirk user, super-admin can read all. - val kirkResponse = getDestinations(adminClient(), inputMap) - assertEquals(1, kirkResponse.size) + val adminResponse = getDestinations(client(), inputMap) + assertEquals(1, adminResponse.size) } } diff --git a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureMonitorRestApiIT.kt b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureMonitorRestApiIT.kt index 5867c277..3e8f865c 100644 
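Review bot: With the `adminClient()` assertions removed, both "get destinations" tests assert only that the client that created the destination gets `1` result back, which passes whether or not the backend-role filter is actually applied. A test for an access filter needs the negative case: a second user whose backend roles differ from the creator's should get `0` results when filter-by is enabled. The same applies to the "test query monitors with enable filter by" and "test get all alerts in all states with filter by" hunks in SecureMonitorRestApiIT. The helper for creating such a user is not visible in this diff.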
--- a/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureMonitorRestApiIT.kt +++ b/alerting/src/test/kotlin/com/amazon/opendistroforelasticsearch/alerting/resthandler/SecureMonitorRestApiIT.kt @@ -5,8 +5,10 @@ import com.amazon.opendistroforelasticsearch.alerting.AlertingRestTestCase import com.amazon.opendistroforelasticsearch.alerting.makeRequest import com.amazon.opendistroforelasticsearch.alerting.model.Alert import com.amazon.opendistroforelasticsearch.alerting.randomAlert +import com.amazon.opendistroforelasticsearch.alerting.randomMonitor import org.apache.http.entity.ContentType import org.apache.http.nio.entity.NStringEntity +import org.elasticsearch.client.ResponseException import org.elasticsearch.common.xcontent.XContentType import org.elasticsearch.index.query.QueryBuilders import org.elasticsearch.rest.RestStatus 
@@ -21,74 +23,75 @@ import org.elasticsearch.test.junit.annotations.TestLogging @Suppress("UNCHECKED_CAST") class SecureMonitorRestApiIT : AlertingRestTestCase() { - fun `test query monitors with disable filter by`() { + fun `test create monitor with disable filter by`() { disableFilterBy() + val monitor = randomMonitor() + val createResponse = client().makeRequest("POST", ALERTING_BASE_URI, emptyMap(), monitor.toHttpEntity()) + assertEquals("Create monitor failed", RestStatus.CREATED, createResponse.restStatus()) + } + fun `test create monitor with enable filter by`() { + enableFilterBy() + val monitor = randomMonitor() + + if (isHttps()) { + // when security is enabled. No errors, must succeed. + val createResponse = client().makeRequest("POST", ALERTING_BASE_URI, emptyMap(), monitor.toHttpEntity()) + assertEquals("Create monitor failed", RestStatus.CREATED, createResponse.restStatus()) + } else { + // when security is disable. Must return Forbidden. + try { + client().makeRequest("POST", ALERTING_BASE_URI, emptyMap(), monitor.toHttpEntity()) + fail("Expected 403 FORBIDDEN response") + } catch (e: ResponseException) { + assertEquals("Unexpected status", RestStatus.FORBIDDEN, e.response.restStatus()) + } + } + } + + fun `test query monitors with disable filter by`() { + disableFilterBy() // creates monitor as "admin" user. 
val monitor = createRandomMonitor(true) val search = SearchSourceBuilder().query(QueryBuilders.termQuery("_id", monitor.id)).toString() // search as "admin" - must get 1 docs - /*val adminSearchResponse = client().makeRequest("POST", + val adminSearchResponse = client().makeRequest("POST", "$ALERTING_BASE_URI/_search", emptyMap(), - NStringEntity(search, ContentType.APPLICATION_JSON), - getHeader()) + NStringEntity(search, ContentType.APPLICATION_JSON)) assertEquals("Search monitor failed", RestStatus.OK, adminSearchResponse.restStatus()) val adminHits = createParser(XContentType.JSON.xContent(), adminSearchResponse.entity.content).map()["hits"]!! as Map> val adminDocsFound = adminHits["total"]?.get("value") - assertEquals("Monitor not found during search", 1, adminDocsFound)*/ - - // search as "kirk" - super-admin can read all. - val kirkSearchResponse = adminClient().makeRequest("POST", - "$ALERTING_BASE_URI/_search", - emptyMap(), - NStringEntity(search, ContentType.APPLICATION_JSON)) - assertEquals("Search monitor failed", RestStatus.OK, kirkSearchResponse.restStatus()) - val kirkHits = createParser(XContentType.JSON.xContent(), - kirkSearchResponse.entity.content).map()["hits"]!! as Map> - val kirkDocsFound = kirkHits["total"]?.get("value") - - assertEquals("Monitor not found during search", 1, kirkDocsFound) + assertEquals("Monitor not found during search", 1, adminDocsFound) } - fun `test query monitors with filter by`() { + fun `test query monitors with enable filter by`() { enableFilterBy() + if (!isHttps()) { + // if security is disabled and filter by is enabled, we can't create monitor + // refer: `test create monitor with enable filter by` + return + } + // creates monitor as "admin" user. 
val monitor = createRandomMonitor(true) val search = SearchSourceBuilder().query(QueryBuilders.termQuery("_id", monitor.id)).toString() // search as "admin" - must get 1 docs - /*val adminSearchResponse = client().makeRequest("POST", "$ALERTING_BASE_URI/_search", + val adminSearchResponse = client().makeRequest("POST", "$ALERTING_BASE_URI/_search", emptyMap(), - NStringEntity(search, ContentType.APPLICATION_JSON), - getHeader() + NStringEntity(search, ContentType.APPLICATION_JSON) ) assertEquals("Search monitor failed", RestStatus.OK, adminSearchResponse.restStatus()) val adminHits = createParser(XContentType.JSON.xContent(), adminSearchResponse.entity.content).map()["hits"]!! as Map> val adminDocsFound = adminHits["total"]?.get("value") - val expected = when (isHttps()) { - true -> 1 // when test is run with security - get the correct filtered results. - false -> 1 // when test is run without security and filterby is enabled - filtering - // does not work without security, so filtering is ignored and gets a result - } - assertEquals("Monitor not found during search", expected, adminDocsFound)*/ - - // search as "kirk" - super-admin can read all. - val kirkSearchResponse = adminClient().makeRequest("POST", "$ALERTING_BASE_URI/_search", - emptyMap(), - NStringEntity(search, ContentType.APPLICATION_JSON)) - assertEquals("Search monitor failed", RestStatus.OK, kirkSearchResponse.restStatus()) - val kirkHits = createParser(XContentType.JSON.xContent(), - kirkSearchResponse.entity.content).map()["hits"]!! as Map> - val kirkDocsFound = kirkHits["total"]?.get("value") - - assertEquals("Monitor not found during search", 1, kirkDocsFound) + assertEquals("Monitor not found during search", 1, adminDocsFound) } fun `test get all alerts in all states with disabled filter by`() { 
@@ -105,15 +108,16 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { inputMap["missing"] = "_last" // search as "admin" - must get 4 docs - /*val adminResponseMap = getAlerts(client(), inputMap, getHeader()).asMap() - assertEquals(4, adminResponseMap["totalAlerts"])*/ - - // search as "kirk" - super-admin can read all. - val kirkResponseMap = getAlerts(adminClient(), inputMap).asMap() - assertEquals(4, kirkResponseMap["totalAlerts"]) + val adminResponseMap = getAlerts(client(), inputMap).asMap() + assertEquals(4, adminResponseMap["totalAlerts"]) } fun `test get all alerts in all states with filter by`() { + if (!isHttps()) { + // if security is disabled and filter by is enabled, we can't create monitor + // refer: `test create monitor with enable filter by` + return + } enableFilterBy() putAlertMappings() val monitor = createRandomMonitor(refresh = true) @@ -127,16 +131,7 @@ class SecureMonitorRestApiIT : AlertingRestTestCase() { inputMap["missing"] = "_last" // search as "admin" - must get 4 docs - /*val adminResponseMap = getAlerts(client(), inputMap, getHeader()).asMap() - val expected = when (isHttps()) { - true -> 4 // when test is run with security - get the correct filtered results. - false -> 4 // when test is run without security and filterby is enabled - filtering - // does not work without security, so filtering is ignored and gets a result - } - assertEquals(expected, adminResponseMap["totalAlerts"])*/ - - // search as "kirk" - super-admin can read all. - val kirkResponseMap = getAlerts(adminClient(), inputMap).asMap() - assertEquals(4, kirkResponseMap["totalAlerts"]) + val adminResponseMap = getAlerts(client(), inputMap).asMap() + assertEquals(4, adminResponseMap["totalAlerts"]) } }
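Review bot: In "test get all alerts in all states with filter by" the `if (!isHttps()) { return }` guard comes before `enableFilterBy()`, while "test query monitors with enable filter by" and the destination test call `enableFilterBy()` first and then return. In the latter order the test exits with the cluster setting still enabled. Whether settings are reset between tests is not visible here; putting the guard first in all three avoids depending on that. The guard's comment also says "we can't create monitor" where this test's real constraint is the alerts setup.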