From 814e0b9dd35579baf2fcec9e8f2f94801dd92d6d Mon Sep 17 00:00:00 2001 
From: Derek Ho Date: Tue, 19 Dec 2023 16:35:33 -0500 Subject: [PATCH] Revert "[2.x] Extracts demo configuration setup into a java tool, adds support for Bundled JDK for this tool and updates DEVELOPER_GUIDE.md (#3845)" This reverts commit ea9546e56b70a9ad3b5f8c758d339654fd2a392a. --- .../action.yml | 11 +- .github/workflows/plugin_install.yml | 5 +- DEVELOPER_GUIDE.md | 53 +- README.md | 4 + build.gradle | 4 - scripts/integtest.sh | 105 ++++ .../security/support/ConfigConstants.java | 3 - .../democonfig/CertificateGenerator.java | 55 -- .../tools/democonfig/Certificates.java | 212 ------- .../democonfig/ExecutionEnvironment.java | 20 - .../security/tools/democonfig/Installer.java | 447 --------------- .../SecuritySettingsConfigurer.java | 364 ------------- .../sanity/tests/InvalidAdminPasswordIT.java | 50 -- .../sanity/tests/SingleClusterSanityIT.java | 11 - .../democonfig/CertificateGeneratorTests.java | 178 ------ .../tools/democonfig/InstallerTests.java | 515 ------------------ .../SecuritySettingsConfigurerTests.java | 308 ----------- .../democonfig/util/DemoConfigHelperUtil.java | 54 -- .../util/NoExitSecurityManager.java | 29 - tools/install_demo_configuration.bat | 421 +++++++++++++- tools/install_demo_configuration.sh | 493 +++++++++++++++-- 21 files changed, 988 insertions(+), 2354 deletions(-) create mode 100755 scripts/integtest.sh delete mode 100644 src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java delete mode 100644 src/main/java/org/opensearch/security/tools/democonfig/Certificates.java delete mode 100644 src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java delete mode 100644 src/main/java/org/opensearch/security/tools/democonfig/Installer.java delete mode 100644 src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java delete mode 100644 src/test/java/org/opensearch/security/sanity/tests/InvalidAdminPasswordIT.java delete mode 100644 
src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java delete mode 100644 src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java delete mode 100644 src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java delete mode 100644 src/test/java/org/opensearch/security/tools/democonfig/util/DemoConfigHelperUtil.java delete mode 100644 src/test/java/org/opensearch/security/tools/democonfig/util/NoExitSecurityManager.java diff --git a/.github/actions/start-opensearch-with-one-plugin/action.yml b/.github/actions/start-opensearch-with-one-plugin/action.yml index 9a04276a1f..3218088b77 100644 --- a/.github/actions/start-opensearch-with-one-plugin/action.yml +++ b/.github/actions/start-opensearch-with-one-plugin/action.yml @@ -76,22 +76,23 @@ runs: 'y' | .\opensearch-${{ inputs.opensearch-version }}-SNAPSHOT\bin\opensearch-plugin.bat install file:$(pwd)\${{ inputs.plugin-name }}.zip shell: pwsh + - name: Write password to initialAdminPassword location + run: + echo ${{ inputs.admin-password }} >> ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt + shell: bash + # Run any configuration scripts - name: Run Setup Script for Linux if: ${{ runner.os == 'Linux' && inputs.setup-script-name != '' }} run: | echo "running linux setup" - export OPENSEARCH_INITIAL_ADMIN_PASSWORD=${{ inputs.admin-password }} chmod +x ./${{ inputs.setup-script-name }}.sh ./${{ inputs.setup-script-name }}.sh shell: bash - name: Run Setup Script for Windows if: ${{ runner.os == 'Windows' && inputs.setup-script-name != '' }} - run: | - echo "running windows setup" - $env:OPENSEARCH_INITIAL_ADMIN_PASSWORD="${{ inputs.admin-password }}" - .\${{ inputs.setup-script-name }}.bat + run: .\${{ inputs.setup-script-name }}.bat shell: pwsh # Run OpenSearch diff --git a/.github/workflows/plugin_install.yml b/.github/workflows/plugin_install.yml index 4c9de9cfca..8323620ef9 100644 
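Review bot: The added `Write password to initialAdminPassword location` step interpolates `${{ inputs.admin-password }}` straight into the shell text, so the password is substituted before bash runs and is printed in the step's log line unless it originated from a masked secret; the unquoted `echo` argument is also subject to word-splitting and glob expansion. Passing it through the step's `env:` keeps it out of the rendered command: `env:` / `  ADMIN_PASSWORD: ${{ inputs.admin-password }}` and `run: printf '%s\n' "$ADMIN_PASSWORD" > ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/initialAdminPassword.txt`, using `>` rather than `>>` since appending leaves a second line behind on a re-run against a reused workspace. The new path uses `env.OPENSEARCH_VERSION` while the plugin-install line just above it uses `inputs.opensearch-version`; presumably both name the same version, but if the caller does not export the environment variable the file is written to a directory the server never reads, so one form should be used consistently.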
--- a/.github/workflows/plugin_install.yml +++ b/.github/workflows/plugin_install.yml @@ -39,15 +39,14 @@ jobs: run: | cat > setup.sh <<'EOF' chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh - /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh -t" + /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/plugins/${{ env.PLUGIN_NAME }}/tools/install_demo_configuration.sh" EOF - name: Create Setup Script if: ${{ runner.os == 'Windows' }} run: | New-Item .\setup.bat -type file - Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y -t" - Get-Content .\setup.bat + Set-Content .\setup.bat -Value "powershell.exe .\opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT\plugins\${{ env.PLUGIN_NAME }}\tools\install_demo_configuration.bat -i -c -y" - name: Run Opensearch with A Single Plugin uses: ./.github/actions/start-opensearch-with-one-plugin diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index 472f3f06a9..a758f1934a 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md @@ -1,6 +1,5 @@ # Developer Guide - -So you want to contribute code to OpenSearch Security? Excellent! We're glad you're here. Here's what you need to do. +So you want to contribute code to this project? Excellent! We're glad you're here. Here's what you need to do. - [Developer Guide](#developer-guide) - [Prerequisites](#prerequisites) 
@@ -18,13 +17,14 @@ So you want to contribute code to OpenSearch Security? Excellent! We're glad you > Please make sure to follow the OpenSearch [Install Prerequisites](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#install-prerequisites) before starting for the first time. -OpenSearch Security runs as a plugin of OpenSearch. You can [download a minimal release of OpenSearch](https://opensearch.org/downloads.html#minimal) and then install the Security plugin there. However, we will compile OpenSearch Security using source code so that we are pulling in changes from the latest commit. +This project runs as a plugin of OpenSearch. You can [download a minimal release of OpenSearch](https://opensearch.org/downloads.html#minimal) and then install this plugin there. However, we will compile it using source code so that we are pulling in changes from the latest commit. ### Native platforms +Not all platforms natively support OpenSearch, to check distribution avaliability please check these [issues](https://github.com/opensearch-project/opensearch-build/labels/distributions). -Not all platforms natively support OpenSearch, to view distribution availability please check these [issues](https://github.com/opensearch-project/opensearch-build/issues?q=label%3Adistributions). +On MacOS / PC the OpenSearch distribution can be run with docker. This distribution contains the released version of OpenSearch including the security plugin. For development we do not recommend using this docker image. -On MacOS / PC the OpenSearch distribution can be run with Docker. This distribution contains the released version of OpenSearch including the security plugin. If you wish to use the Docker image for development, you will need to follow the steps found on the [Developing with Docker](DEVELOPING_WITH_DOCKER.md) guide. 
+To get started, follow the [getting started section](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#getting-started) of OpenSearch's developer guide. This will get OpenSearch up and running built from source code. You can skip the `./gradlew check` step to save some time. Reach to the point where you can run a successful `curl localhost:9200` call. Great! now kill the server with `Ctrl+C`. To get started, follow the [getting started section](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#getting-started) of OpenSearch's developer guide. This will get OpenSearch up and running built from source code. You can skip the `./gradlew check` step to save some time. You should follow the steps until you reach the point where you can run a successful `curl localhost:9200` call. Great! now kill the server with `Ctrl+C`. 
@@ -43,28 +43,20 @@ cd $OPENSEARCH_HOME ./bin/opensearch ``` -The `curl localhost:9200` call should succeed again. Kill the server with `Ctrl+c`. We are now ready to install the security plugin. - +The `curl localhost:9200` call should succeed again. Kill the server with `Ctrl+c`. We are ready to install the security plugin. >Worth noting:\ -> The version of OpenSearch and the security plugin must match as there is an explicit version check at startup. This can be a bit confusing as, for example, at the time of writing this guide, the `main` branch of this security plugin builds version `3.0.0.0-SNAPSHOT` compatible with OpenSearch `3.0.0`. Check the expected compatible version in `build.gradle` file [here](https://github.com/opensearch-project/security/blob/main/build.gradle) and make sure you get the correct branch from OpenSearch when building that project. -> -> The line to look for: `opensearch_version = System.getProperty("opensearch.version", "x")` -> -> Alternatively, you can find the compatible version of OpenSearch by running in project root folder -> ``` -> ./gradlew properties -q | grep -E '^version:' | awk '{print $2}' -> ``` +> The version of OpenSearch and the security plugin must match as there is an explicit version check at startup. This can be a bit confusing as, for example, at the time of writing this guide, the `main` branch of this security plugin builds version `1.3.0.0-SNAPSHOT` compatible with OpenSearch `1.3.0-SNAPSHOT` that gets built from branch `1.x`. Check the expected compatible version [here](https://github.com/opensearch-project/security/blob/main/plugin-descriptor.properties#L27) and make sure you get the correct branch from OpenSearch when building that project. ## Building -First create a fork of this repo and clone it locally. You should then change to the directory containing the clone and run this to build the project: +First create a fork of this repo and clone it locally. 
Changing to directory containing this clone and run this to build the project: ```bash ./gradlew clean assemble ``` -To install the built plugin into the OpenSearch server run: +Install the built plugin into the OpenSearch server: ```bash export OPENSEARCH_SECURITY_HOME=$OPENSEARCH_HOME/plugins/opensearch-security @@ -162,20 +154,9 @@ extension_hw_greet: - "hw-user" ``` -### Setting up password for demo admin user - -This step is a pre-requisite to installing demo configuration. You can pass the demo `admin` user password by exporting `OPENSEARCH_INITIAL_ADMIN_PASSWORD` variable with a password. -```shell -export OPENSEARCH_INITIAL_ADMIN_PASSWORD= -``` - -**_Note:_** If no password is supplied, the installation will fail. The password supplied will also be tested for its strength and will be blocked if it is too simple. There is an option to skip this password validation by passing the `-t` option to the installation script. However, this should only be used for test environments. - - -### Executing the demo installation script - To install the demo certificates and default configuration, answer `y` to the first two questions and `n` to the last one. The log should look like below: + ```bash ./tools/install_demo_configuration.sh OpenSearch Security Demo Installer 
@@ -204,17 +185,17 @@ Detected OpenSearch Security Version: * "/Users/XXXXX/Test/opensearch-*/plugins/opensearch-security/tools/securityadmin.sh" -cd "/Users/XXXXX/Test/opensearch-*/config/opensearch-security/" -icl -key "/Users/XXXXX/Test/opensearch-*/config/kirk-key.pem" -cert "/Users/XXXXX/Test/opensearch-*/config/kirk.pem" -cacert "/Users/XXXXX/Test/opensearch-*/config/root-ca.pem" -nhnv ### or run ./securityadmin_demo.sh ### To use the Security Plugin ConfigurationGUI -### To access your secured cluster open https://: and log in with admin/. +### To access your secured cluster open https://: and log in with admin/admin. ### (Ignore the SSL certificate warning because we installed self-signed demo certificates) ``` Now if we start our server again and try the original `curl localhost:9200`, it will fail. -Try this command instead: `curl -XGET https://localhost:9200 -u 'admin:' --insecure`. It should succeed. +Try this one instead: `curl -XGET https://localhost:9200 -u 'admin:admin' --insecure`. It should succeed. You can also make this call to return the authenticated user details: ```bash -curl -XGET https://localhost:9200/_plugins/_security/authinfo -u 'admin:' --insecure +curl -XGET https://localhost:9200/_plugins/_security/authinfo -u 'admin:admin' --insecure { "user": "User [name=admin, backend_roles=[admin], requestedTenant=null]", 
@@ -246,7 +227,7 @@ Launch IntelliJ IDEA, choose **Project from Existing Sources**, and select direc ## Running tests -Locally these can be run with `./gradlew test` with detailed results being available at `${project-root}/build/reports/tests/test/index.html`. You can also run tests through an IDEs JUnit test runner. +Locally these can be run with `./gradlew test` with detailed results being avaliable at `${project-root}/build/reports/tests/test/index.html`, or run through an IDEs JUnit test runner. Tests are automatically run on all pull requests for all supported versions of the JDK. These must pass for change(s) to be merged. Detailed logs of these test results are available by going to the GitHub Actions workflow summary view and downloading the workflow run of the tests. If you see multiple tests listed with different JDK versions, you can download the version with whichever JDK you are interested in. After extracting the test file on your local machine, integration tests results can be found at `./tests/tests/index.html`. 
@@ -270,12 +251,10 @@ public void testMethod() { Tests in the integrationTest package can be run with `./gradlew integrationTest`. ### Bulk test runs - -To collect reliability data on test runs, there is a manual GitHub action workflow called `Bulk Integration Test`. The workflow is started for a branch on this project or in a fork by going to [GitHub action workflows](https://github.com/opensearch-project/security/actions/workflows/integration-tests.yml) and selecting `Run Workflow`. +To collect reliability data on test runs there is a manual GitHub action workflow called `Bulk Integration Test`. The workflow is started for a branch on this project or in a fork by going to [GitHub action workflows](https://github.com/opensearch-project/security/actions/workflows/integration-tests.yml) and selecting `Run Workflow`. ### Checkstyle Violations - -Checkstyle enforces several rules within this codebase. Sometimes it will be necessary for exceptions to be made when dealing with components that are set for deprecation. This can happen when the new version of a deprecation-path component is unavailable. There are two formats of suppression that can be used when dealing with violations of this nature, one for disabling a single rule, or another for disabling all rules. It is best to only disable specific rules when possible. +Checkstyle enforced several rules within this codebase. Sometimes exceptions will be necessary for components that are set for deprecation but the new version is unavailable. There are two formats of suppression that can be used when dealing with violations of this nature, one for disabling a single rule, or another for disabling all rules - its best to be as specific as possible. *Execute Checkstyle* ``` diff --git a/README.md b/README.md index a12d2f49f4..c1c2e684f0 100644 --- a/README.md +++ b/README.md 
@@ -76,6 +76,10 @@ Run tests against local cluster: ```bash ./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dsecurity=true -Dhttps=true -Duser=admin -Dpassword=admin -Dcommon_utils.version="2.2.0.0" ``` +OR +```bash +./scripts/integtest.sh +``` Note: To run against a remote cluster replace cluster-name and `localhost:9200` with the IPAddress:Port of that cluster. Build artifacts (zip, deb, rpm): diff --git a/build.gradle b/build.gradle index 26112f4aca..ba2d51adde 100644 --- a/build.gradle +++ b/build.gradle @@ -254,8 +254,6 @@ test { jvmArgs += "-Xmx3072m" if (JavaVersion.current() > JavaVersion.VERSION_1_8) { jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED" - // this is needed to reflect access system env map. - jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED" } retry { failOnPassedAfterRetry = false @@ -303,8 +301,6 @@ def setCommonTestConfig(Test task) { task.jvmArgs += "-Xmx3072m" if (JavaVersion.current() > JavaVersion.VERSION_1_8) { task.jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED" - // this is needed to reflect access system env map. - task.jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED" } task.retry { failOnPassedAfterRetry = false diff --git a/scripts/integtest.sh b/scripts/integtest.sh new file mode 100755 index 0000000000..98ee40fbd6 --- /dev/null +++ b/scripts/integtest.sh 
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+ echo ""
+ echo "This script is used to run integration tests for plugin installed on a remote OpenSearch/Dashboards cluster."
+ echo "--------------------------------------------------------------------------"
+ echo "Usage: $0 [args]"
+ echo ""
+ echo "Required arguments:"
+ echo "None"
+ echo ""
+ echo "Optional arguments:"
+ echo -e "-b BIND_ADDRESS\t, defaults to localhost | 127.0.0.1, can be changed to any IP or domain name for the cluster location."
+ echo -e "-p BIND_PORT\t, defaults to 9200, can be changed to any port for the cluster location."
+ echo -e "-s SECURITY_ENABLED\t(true | false), defaults to true. Specify the OpenSearch/Dashboards have security enabled or not."
+ echo -e "-c CREDENTIAL\t(usename:password), no defaults, effective when SECURITY_ENABLED=true."
+ echo -e "-h\tPrint this message."
+ echo -e "-v OPENSEARCH_VERSION\t, no defaults"
+ echo -e "-n SNAPSHOT\t, defaults to false"
+ echo -e "-m CLUSTER_NAME\t, defaults to docker-cluster"
+ echo "--------------------------------------------------------------------------"
+}
+
+while getopts ":h:b:p:s:c:v:n:t:m:u:" arg; do
+ case $arg in
+ h)
+ usage
+ exit 1
+ ;;
+ b)
+ BIND_ADDRESS=$OPTARG
+ ;;
+ p)
+ BIND_PORT=$OPTARG
+ ;;
+ t)
+ TRANSPORT_PORT=$OPTARG
+ ;;
+ s)
+ SECURITY_ENABLED=$OPTARG
+ ;;
+ c)
+ CREDENTIAL=$OPTARG
+ ;;
+ m)
+ CLUSTER_NAME=$OPTARG
+ ;;
+ v)
+ # Do nothing as we're not consuming this param.
+ ;;
+ n)
+ # Do nothing as we're not consuming this param.
+ ;;
+ u)
+ COMMON_UTILS_VERSION=$OPTARG
+ ;;
+ :)
+ echo "-${OPTARG} requires an argument"
+ usage
+ exit 1
+ ;;
+ ?)
+ echo "Invalid option: -${OPTARG}" + exit 1 + ;; + esac +done + + +if [ -z "$BIND_ADDRESS" ] +then + BIND_ADDRESS="localhost" +fi + +if [ -z "$BIND_PORT" ] +then + BIND_PORT="9200" +fi + +if [ -z "$SECURITY_ENABLED" ] +then + SECURITY_ENABLED="true" +fi + +if [ -z "$CREDENTIAL" ] +then + CREDENTIAL="admin:admin" +fi + +if [ -z "$CREDENTIAL" ] +then + CREDENTIAL="admin:admin" +fi + +if [ -z "$CLUSTER_NAME" ] +then + CLUSTER_NAME="docker-cluster" +fi + +USERNAME=`echo $CREDENTIAL | awk -F ':' '{print $1}'` +PASSWORD=`echo $CREDENTIAL | awk -F ':' '{print $2}'` + +./gradlew integTestRemote -Dtests.rest.cluster="$BIND_ADDRESS:$BIND_PORT" -Dtests.cluster="$BIND_ADDRESS:$BIND_PORT" -Dsecurity_enabled=$SECURITY_ENABLED -Dtests.clustername=$CLUSTER_NAME -Dhttps=true -Duser=$USERNAME -Dpassword=$PASSWORD diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index 6e0abab9f0..02ef9f7c9a 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java @@ -332,9 +332,6 @@ public enum RolesMappingResolution { public static final boolean EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT = false; // CS-ENFORCE-SINGLE - // Variable for initial admin password support - public static final String OPENSEARCH_INITIAL_ADMIN_PASSWORD = "OPENSEARCH_INITIAL_ADMIN_PASSWORD"; - public static Set getSettingAsSet( final Settings settings, final String key, diff --git a/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java b/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java deleted file mode 100644 index 077bf4610f..0000000000 --- a/src/main/java/org/opensearch/security/tools/democonfig/CertificateGenerator.java +++ /dev/null 
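Review bot: The `getopts` spec `":h:b:p:s:c:v:n:t:m:u:"` declares `-h` as taking an argument, so a bare `-h` lands in the `:)` arm and reports "-h requires an argument" instead of printing usage; the `if [ -z "$CREDENTIAL" ]` default block is also duplicated, and `-t`/`-u` are parsed into `TRANSPORT_PORT`/`COMMON_UTILS_VERSION` but never reach the gradle line, although the README invocation in this same patch passes `-Dcommon_utils.version`. Splitting the credential with backticked `echo $CREDENTIAL | awk` and handing unquoted `$USERNAME`/`$PASSWORD`/`$CLUSTER_NAME` to gradle is fragile for values containing spaces or glob characters; parameter expansion plus double quotes does the same job without the subshells. The password also ends up in the gradle process's argument list, where it is visible to other local users and to shell tracing — tolerable for a local test helper, but worth a comment such as `# credentials are passed on the command line; intended for throwaway test clusters only`. The rewritten lines are below; the `case` arms and the other default blocks are unchanged.
```shell
while getopts ":hb:p:s:c:v:n:t:m:u:" arg; do
# … unchanged: case arms …
done

# … unchanged: BIND_ADDRESS / BIND_PORT / SECURITY_ENABLED defaults …

# credentials are passed on the command line; intended for throwaway test clusters only
if [ -z "$CREDENTIAL" ]
then
  CREDENTIAL="admin:admin"
fi

# … unchanged: CLUSTER_NAME default …

USERNAME=${CREDENTIAL%%:*}
PASSWORD=${CREDENTIAL#*:}

./gradlew integTestRemote -Dtests.rest.cluster="$BIND_ADDRESS:$BIND_PORT" -Dtests.cluster="$BIND_ADDRESS:$BIND_PORT" -Dsecurity_enabled="$SECURITY_ENABLED" -Dtests.clustername="$CLUSTER_NAME" -Dhttps=true -Duser="$USERNAME" -Dpassword="$PASSWORD"
```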
@@ -1,55 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.nio.charset.StandardCharsets; - -/** - * This class creates demo certificate files - */ -public class CertificateGenerator { - - private final Installer installer; - - public CertificateGenerator(Installer installer) { - this.installer = installer; - } - - /** - * Creates demo super-admin, node and root certificates by iterating through Certificates enum - */ - public void createDemoCertificates() { - for (Certificates cert : Certificates.values()) { - String filePath = this.installer.OPENSEARCH_CONF_DIR + File.separator + cert.getFileName(); - writeCertificateToFile(filePath, cert.getContent()); - } - } - - /** - * Helper method to write the certificates to their own file - * @param filePath the file which needs to be written - * @param content the content which needs to be written to this file - */ - static void writeCertificateToFile(String filePath, String content) { - try { - FileWriter fileWriter = new FileWriter(filePath, StandardCharsets.UTF_8); - fileWriter.write(content); - fileWriter.close(); - } catch (IOException e) { - System.err.println("Error writing certificate file: " + filePath); - System.exit(-1); - } - } -} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java b/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java deleted file mode 100644 index 8e2af4dac7..0000000000 --- a/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java +++ /dev/null 
@@ -1,212 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -import java.util.List; -import java.util.function.Supplier; - -/** - * Enum for demo certificates - */ -public enum Certificates { - ADMIN_CERT( - "kirk.pem", - () -> getCertContent( - List.of( - "-----BEGIN CERTIFICATE-----", - "MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL", - "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt", - "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl", - "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v", - "dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT", - "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs", - "aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC", - "ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs", - "paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+", - "O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx", - "vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6", - "cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0", - "bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw", - "DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME", - "gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy", - "LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh", - "bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB", - "MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G", - "xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG", - 
"9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m", - "y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p", - "fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d", - "1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec", - "h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp", - "RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==", - "-----END CERTIFICATE-----" - ) - ) - ), - ADMIN_CERT_KEY( - "kirk-key.pem", - () -> getCertContent( - List.of( - "-----BEGIN PRIVATE KEY-----", - "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp", - "gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky", - "AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo", - "7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB", - "GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+", - "b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu", - "y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4", - "ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0", - "TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j", - "xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ", - "OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo", - "1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs", - "9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs", - "/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3", - "qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG", - "/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv", - "M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0", - "0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ", - "K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5", - "9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF", - 
"RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp", - "nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5", - "3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h", - "mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw", - "F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs", - "/AHmo368d4PSNRMMzLHw8Q==", - "-----END PRIVATE KEY-----" - ) - ) - ), - NODE_CERT( - "esnode.pem", - () -> getCertContent( - List.of( - "-----BEGIN CERTIFICATE-----", - "MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL", - "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt", - "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl", - "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v", - "dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT", - "AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl", - "MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA", - "A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud", - "yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0", - "HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr", - "XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n", - "dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD", - "ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R", - "BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA", - "AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF", - "BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo", - "wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ", - "KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR", - "MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27", - "zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N", - "1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy", - 
"vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L", - "zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo=", - "-----END CERTIFICATE-----" - ) - ) - ), - NODE_KEY( - "esnode-key.pem", - () -> getCertContent( - List.of( - "-----BEGIN PRIVATE KEY-----", - "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv", - "bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0", - "o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50", - "1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1", - "MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b", - "6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa", - "vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo", - "FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ", - "5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O", - "zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ", - "xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow", - "dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn", - "7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U", - "hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej", - "VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B", - "Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c", - "uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy", - "hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv", - "hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/", - "A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh", - "KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX", - "GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f", - "5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud", - "tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71", - 
"+x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT", - "bg/ch9Rhxbq22yrVgWHh6epp", - "-----END PRIVATE KEY-----" - ) - ) - ), - ROOT_CA( - "root-ca.pem", - () -> getCertContent( - List.of( - "-----BEGIN CERTIFICATE-----", - "MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL", - "BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt", - "cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl", - "IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v", - "dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm", - "iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ", - "RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290", - "IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG", - "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU", - "j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4", - "U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg", - "vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA", - "WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969", - "VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW", - "MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU", - "F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4", - "uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ", - "k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD", - "VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg", - "Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN", - "AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f", - "qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i", - "jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD", - "jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae", - "dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du", - 
"8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=", - "-----END CERTIFICATE-----" - ) - ) - ); - - private final String fileName; - private final Supplier contentSupplier; - - Certificates(String fileName, Supplier contentSupplier) { - this.fileName = fileName; - this.contentSupplier = contentSupplier; - } - - public String getFileName() { - return fileName; - } - - public String getContent() { - return contentSupplier.get(); - } - - private static String getCertContent(List certLines) { - return String.join(System.lineSeparator(), certLines); - } -} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java b/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java deleted file mode 100644 index e9a8273c5f..0000000000 --- a/src/main/java/org/opensearch/security/tools/democonfig/ExecutionEnvironment.java +++ /dev/null @@ -1,20 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -/** - * The environment in which the demo config installation script is being executed - */ -public enum ExecutionEnvironment { - DEMO, // default value - TEST // to be used only for tests -} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java b/src/main/java/org/opensearch/security/tools/democonfig/Installer.java deleted file mode 100644 index 61acd7e4c9..0000000000 --- a/src/main/java/org/opensearch/security/tools/democonfig/Installer.java +++ /dev/null 
@@ -1,447 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileReader; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.attribute.PosixFilePermission; -import java.util.HashSet; -import java.util.Scanner; -import java.util.Set; - -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.CommandLineParser; -import org.apache.commons.cli.DefaultParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; - -/** - * This class installs demo configuration for security plugin - */ -public class Installer { - - // Singleton Pattern - private static Installer instance; - - private static SecuritySettingsConfigurer securitySettingsConfigurer; - - private static CertificateGenerator certificateGenerator; - - boolean assumeyes = false; - boolean initsecurity = false; - boolean cluster_mode = false; - int skip_updates = -1; - String SCRIPT_DIR; - String BASE_DIR; - String OPENSEARCH_CONF_FILE; - String OPENSEARCH_BIN_DIR; - String OPENSEARCH_PLUGINS_DIR; - String OPENSEARCH_LIB_PATH; - String OPENSEARCH_INSTALL_TYPE; - String OPENSEARCH_CONF_DIR; - String OPENSEARCH_VERSION; - String SECURITY_VERSION; - - ExecutionEnvironment environment = ExecutionEnvironment.DEMO; - - String OS; - - final String FILE_EXTENSION; - - static File RPM_DEB_OPENSEARCH_HOME = new File("/usr/share/opensearch"); - - private final Options options; - - // To print help information for this script - private final HelpFormatter 
formatter = new HelpFormatter(); - - /** - * We do not want this class to be instantiated more than once, - * as we are following Singleton Factory pattern - */ - private Installer() { - this.OS = System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch"); - FILE_EXTENSION = OS.toLowerCase().contains("win") ? ".bat" : ".sh"; - options = new Options(); - } - - /** - * Returns a singleton instance of this class - * @return an existing instance OR a new instance if there was no existing instance - */ - public static Installer getInstance() { - if (instance == null) { - instance = new Installer(); - securitySettingsConfigurer = new SecuritySettingsConfigurer(instance); - certificateGenerator = new CertificateGenerator(instance); - } - return instance; - } - - /** - * Installs the demo security configuration - * @param options the options passed to the script - */ - public void installDemoConfiguration(String[] options) { - readOptions(options); - printScriptHeaders(); - gatherUserInputs(); - initializeVariables(); - printVariables(); - securitySettingsConfigurer.configureSecuritySettings(); - certificateGenerator.createDemoCertificates(); - finishScriptExecution(); - } - - public static void main(String[] options) { - Installer installer = Installer.getInstance(); - installer.buildOptions(); - installer.installDemoConfiguration(options); - } - - /** - * Builds options supported by this tool - */ - void buildOptions() { - options.addOption("h", "show-help", false, "Shows help for this tool."); - options.addOption("y", "answer-yes-to-all-prompts", false, "Confirm all installation dialogues automatically."); - options.addOption( - "i", - "initialize-security", - false, - "Initialize Security plugin with default configuration (default is to ask if -y is not given)." 
- ); - options.addOption( - "c", - "enable-cluster-mode", - false, - "Enable cluster mode by binding to all network interfaces (default is to ask if -y is not given)." - ); - options.addOption( - "s", - "skip-updates-when-already-configured", - false, - "Skip updates if config is already applied to opensearch.yml." - ); - options.addOption( - "t", - "test-execution-environment", - false, - "Set the execution environment to `test` to skip password validation. Should be used only for testing. (default is set to `demo`)" - ); - } - - /** - * Prints headers that indicate the start of script execution - */ - static void printScriptHeaders() { - System.out.println("### OpenSearch Security Demo Installer"); - System.out.println("### ** Warning: Do not use on production or public reachable systems **"); - } - - /** - * Reads the options passed to the script - * @param args an array of strings containing options passed to the script - */ - void readOptions(String[] args) { - // set script execution dir - SCRIPT_DIR = args[0]; - - CommandLineParser parser = new DefaultParser(); - try { - CommandLine line = parser.parse(options, args); - - if (line.hasOption("h")) { - showHelp(); - return; - } - assumeyes = line.hasOption("y"); - initsecurity = line.hasOption("i"); - cluster_mode = line.hasOption("c"); - skip_updates = line.hasOption("s") ? 0 : -1; - environment = line.hasOption("t") ? ExecutionEnvironment.TEST : environment; - - } catch (ParseException exp) { - System.out.println("ERR: Parsing failed. 
Reason: " + exp.getMessage()); - System.exit(-1); - } - } - - /** - * Prints the help menu when -h option is passed - */ - void showHelp() { - formatter.printHelp("install_demo_configuration" + FILE_EXTENSION, options, true); - System.exit(0); - } - - /** - * Prompt the user and collect user inputs - * Input collection will be skipped if -y option was passed - */ - void gatherUserInputs() { - if (!assumeyes) { - try (Scanner scanner = new Scanner(System.in, StandardCharsets.UTF_8)) { - - if (!confirmAction(scanner, "Install demo certificates?")) { - System.exit(0); - } - - if (!initsecurity) { - initsecurity = confirmAction(scanner, "Initialize Security Modules?"); - } - - if (!cluster_mode) { - System.out.println("Cluster mode requires additional setup of:"); - System.out.println(" - Virtual memory (vm.max_map_count)" + System.lineSeparator()); - cluster_mode = confirmAction(scanner, "Enable cluster mode?"); - } - } - } else { - initsecurity = true; - cluster_mode = true; - } - } - - /** - * Helper method to scan user inputs. - * @param scanner object to be used for scanning user input - * @param message prompt question - * @return true or false based on user input - */ - boolean confirmAction(Scanner scanner, String message) { - System.out.print(message + " [y/N] "); - String response = scanner.nextLine(); - return response.equalsIgnoreCase("yes") || response.equalsIgnoreCase("y"); - } - - /** - * Initialize all class level variables required - */ - void initializeVariables() { - setBaseDir(); - setOpenSearchVariables(); - setSecurityVariables(); - } - - /** - * Sets the base directory to be used by the script - */ - void setBaseDir() { - File baseDirFile = new File(SCRIPT_DIR).getParentFile().getParentFile().getParentFile(); - BASE_DIR = baseDirFile != null ? 
baseDirFile.getAbsolutePath() : null; - - if (BASE_DIR == null || !new File(BASE_DIR).isDirectory()) { - System.out.println("DEBUG: basedir does not exist"); - System.exit(-1); - } - - BASE_DIR += File.separator; - } - - /** - * Sets the variables for items at OpenSearch level - */ - void setOpenSearchVariables() { - OPENSEARCH_CONF_FILE = BASE_DIR + "config" + File.separator + "opensearch.yml"; - OPENSEARCH_BIN_DIR = BASE_DIR + "bin" + File.separator; - OPENSEARCH_PLUGINS_DIR = BASE_DIR + "plugins" + File.separator; - OPENSEARCH_LIB_PATH = BASE_DIR + "lib" + File.separator; - OPENSEARCH_INSTALL_TYPE = determineInstallType(); - - Set errorMessages = validatePaths(); - - if (!errorMessages.isEmpty()) { - errorMessages.forEach(System.out::println); - System.exit(-1); - } - - OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_FILE).getParent(); - OPENSEARCH_CONF_DIR = new File(OPENSEARCH_CONF_DIR).getAbsolutePath() + File.separator; - } - - /** - * Helper method - * Returns a set of error messages for the paths that didn't contain files/directories - * @return a set containing error messages if any, empty otherwise - */ - private Set validatePaths() { - Set errorMessages = new HashSet<>(); - if (!(new File(OPENSEARCH_CONF_FILE).exists())) { - errorMessages.add("Unable to determine OpenSearch config file. Quit."); - } - - if (!(new File(OPENSEARCH_BIN_DIR).exists())) { - errorMessages.add("Unable to determine OpenSearch bin directory. Quit."); - } - - if (!(new File(OPENSEARCH_PLUGINS_DIR).exists())) { - errorMessages.add("Unable to determine OpenSearch plugins directory. Quit."); - } - - if (!(new File(OPENSEARCH_LIB_PATH).exists())) { - errorMessages.add("Unable to determine OpenSearch lib directory. 
Quit."); - } - return errorMessages; - } - - /** - * Returns the installation type based on the underlying operating system - * @return will be one of `.zip`, `.tar.gz` or `rpm/deb` - */ - String determineInstallType() { - // windows (.bat execution) - if (OS.toLowerCase().contains("win")) { - return ".zip"; - } - - // other OS (.sh execution) - if (RPM_DEB_OPENSEARCH_HOME.exists() && RPM_DEB_OPENSEARCH_HOME.equals(new File(BASE_DIR))) { - OPENSEARCH_CONF_FILE = RPM_DEB_OPENSEARCH_HOME.getAbsolutePath() + "/config/opensearch.yml"; - if (!new File(OPENSEARCH_CONF_FILE).exists()) { - OPENSEARCH_CONF_FILE = "/etc/opensearch/opensearch.yml"; - } - return "rpm/deb"; - } - return ".tar.gz"; - } - - /** - * Sets the path variables for items at OpenSearch security plugin level - */ - void setSecurityVariables() { - if (!(new File(OPENSEARCH_PLUGINS_DIR + "opensearch-security").exists())) { - System.out.println("OpenSearch Security plugin not installed. Quit."); - System.exit(-1); - } - - // Extract OpenSearch version and Security version - File[] opensearchLibFiles = new File(OPENSEARCH_LIB_PATH).listFiles( - pathname -> pathname.getName().matches("opensearch-core-(.*).jar") - ); - - if (opensearchLibFiles != null && opensearchLibFiles.length > 0) { - OPENSEARCH_VERSION = opensearchLibFiles[0].getName().replaceAll("opensearch-core-(.*).jar", "$1"); - } - - File[] securityFiles = new File(OPENSEARCH_PLUGINS_DIR + "opensearch-security").listFiles( - pathname -> pathname.getName().startsWith("opensearch-security-") && pathname.getName().endsWith(".jar") - ); - - if (securityFiles != null && securityFiles.length > 0) { - SECURITY_VERSION = securityFiles[0].getName().replaceAll("opensearch-security-(.*).jar", "$1"); - } - } - - /** - * Prints the initialized variables - */ - void printVariables() { - System.out.println("OpenSearch install type: " + OPENSEARCH_INSTALL_TYPE + " on " + OS); - System.out.println("OpenSearch config dir: " + OPENSEARCH_CONF_DIR); - 
System.out.println("OpenSearch config file: " + OPENSEARCH_CONF_FILE); - System.out.println("OpenSearch bin dir: " + OPENSEARCH_BIN_DIR); - System.out.println("OpenSearch plugins dir: " + OPENSEARCH_PLUGINS_DIR); - System.out.println("OpenSearch lib dir: " + OPENSEARCH_LIB_PATH); - System.out.println("Detected OpenSearch Version: " + OPENSEARCH_VERSION); - System.out.println("Detected OpenSearch Security Version: " + SECURITY_VERSION); - } - - /** - * Prints end of script execution message and creates security admin demo file. - */ - void finishScriptExecution() { - System.out.println("### Success"); - System.out.println("### Execute this script now on all your nodes and then start all nodes"); - - try { - String securityAdminScriptPath = OPENSEARCH_PLUGINS_DIR - + "opensearch-security" - + File.separator - + "tools" - + File.separator - + "securityadmin" - + FILE_EXTENSION; - String securityAdminDemoScriptPath = OPENSEARCH_CONF_DIR + "securityadmin_demo" + FILE_EXTENSION; - - securitySettingsConfigurer.createSecurityAdminDemoScript(securityAdminScriptPath, securityAdminDemoScriptPath); - - // Make securityadmin_demo script executable - // not needed for windows - if (!OS.toLowerCase().contains("win")) { - Path file = Paths.get(securityAdminDemoScriptPath); - Set perms = new HashSet<>(); - // Add the execute permission for owner, group, and others - perms.add(PosixFilePermission.OWNER_READ); - perms.add(PosixFilePermission.OWNER_EXECUTE); - perms.add(PosixFilePermission.GROUP_EXECUTE); - perms.add(PosixFilePermission.OTHERS_EXECUTE); - Files.setPosixFilePermissions(file, perms); - } - - // Read the last line of the security-admin script - String lastLine = ""; - try (BufferedReader reader = new BufferedReader(new FileReader(securityAdminDemoScriptPath, StandardCharsets.UTF_8))) { - String currentLine; - while ((currentLine = reader.readLine()) != null) { - lastLine = currentLine; - } - } - - if (!initsecurity) { - System.out.println("### After the whole cluster is 
up execute: "); - System.out.println(lastLine); - System.out.println("### or run ." + File.separator + "securityadmin_demo" + FILE_EXTENSION); - System.out.println("### After that you can also use the Security Plugin ConfigurationGUI"); - } else { - System.out.println("### OpenSearch Security will be automatically initialized."); - System.out.println("### If you like to change the runtime configuration "); - System.out.println( - "### change the files in .." - + File.separator - + ".." - + File.separator - + ".." - + File.separator - + "config" - + File.separator - + "opensearch-security and execute: " - ); - System.out.println(lastLine); - System.out.println("### or run ." + File.separator + "securityadmin_demo" + FILE_EXTENSION); - System.out.println("### To use the Security Plugin ConfigurationGUI"); - } - - System.out.println( - "### To access your secured cluster open https://: and log in with admin/." - ); - System.out.println("### (Ignore the SSL certificate warning because we installed self-signed demo certificates)"); - - } catch (Exception e) { - System.out.println(e.getMessage()); - } - } - - /** - * FOR TESTS ONLY - * resets the installer state to allow testing with fresh instance for the next test. - */ - static void resetInstance() { - instance = null; - } -} diff --git a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java b/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java deleted file mode 100644 index b3644e6c4d..0000000000 --- a/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java +++ /dev/null 
@@ -1,364 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -import java.io.BufferedReader; -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileReader; -import java.io.FileWriter; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Map; - -import com.fasterxml.jackson.databind.JsonNode; - -import org.opensearch.common.settings.Settings; -import org.opensearch.core.common.Strings; -import org.opensearch.security.DefaultObjectMapper; -import org.opensearch.security.dlic.rest.validation.PasswordValidator; -import org.opensearch.security.dlic.rest.validation.RequestContentValidator; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.tools.Hasher; - -import org.yaml.snakeyaml.DumperOptions; -import org.yaml.snakeyaml.Yaml; - -import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH; -import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX; - -/** - * This class updates the security related configuration, as needed. 
- */ -public class SecuritySettingsConfigurer { - - static final List REST_ENABLED_ROLES = List.of("all_access", "security_rest_api_access"); - static final List SYSTEM_INDICES = List.of( - ".plugins-ml-config", - ".plugins-ml-connector", - ".plugins-ml-model-group", - ".plugins-ml-model", - ".plugins-ml-task", - ".plugins-ml-conversation-meta", - ".plugins-ml-conversation-interactions", - ".opendistro-alerting-config", - ".opendistro-alerting-alert*", - ".opendistro-anomaly-results*", - ".opendistro-anomaly-detector*", - ".opendistro-anomaly-checkpoints", - ".opendistro-anomaly-detection-state", - ".opendistro-reports-*", - ".opensearch-notifications-*", - ".opensearch-notebooks", - ".opensearch-observability", - ".ql-datasources", - ".opendistro-asynchronous-search-response*", - ".replication-metadata-store", - ".opensearch-knn-models", - ".geospatial-ip2geo-data*" - ); - static String ADMIN_PASSWORD = ""; - static String ADMIN_USERNAME = "admin"; - - private final Installer installer; - - public SecuritySettingsConfigurer(Installer installer) { - this.installer = installer; - } - - /** - * Configures security related changes to the opensearch configuration - * 1. Checks if plugins is already configuration. If yes, exit - * 2. Sets the custom admin password (Generates one if none is provided) - * 3. Write the security config to opensearch.yml - */ - public void configureSecuritySettings() { - checkIfSecurityPluginIsAlreadyConfigured(); - updateAdminPassword(); - writeSecurityConfigToOpenSearchYML(); - } - - /** - * Checks if security plugin is already configured. If so, the script execution will exit. 
- */ - void checkIfSecurityPluginIsAlreadyConfigured() { - // Check if the configuration file contains the 'plugins.security' string - if (installer.OPENSEARCH_CONF_FILE != null && new File(installer.OPENSEARCH_CONF_FILE).exists()) { - try (BufferedReader br = new BufferedReader(new FileReader(installer.OPENSEARCH_CONF_FILE, StandardCharsets.UTF_8))) { - String line; - while ((line = br.readLine()) != null) { - if (line.toLowerCase().contains("plugins.security")) { - System.out.println(installer.OPENSEARCH_CONF_FILE + " seems to be already configured for Security. Quit."); - System.exit(installer.skip_updates); - } - } - } catch (IOException e) { - System.err.println("Error reading configuration file."); - System.exit(-1); - } - } else { - System.err.println("OpenSearch configuration file does not exist. Quit."); - System.exit(-1); - } - } - - /** - * Replaces the admin password in internal_users.yml with the custom or generated password - */ - void updateAdminPassword() { - String INTERNAL_USERS_FILE_PATH = installer.OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator + "internal_users.yml"; - boolean shouldValidatePassword = installer.environment.equals(ExecutionEnvironment.DEMO); - try { - final PasswordValidator passwordValidator = PasswordValidator.of( - Settings.builder() - .put(SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}") - .put(SECURITY_RESTAPI_PASSWORD_MIN_LENGTH, 8) - .build() - ); - - // Read custom password from environment variable - String initialAdminPassword = System.getenv().get(ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD); - if (!Strings.isNullOrEmpty(initialAdminPassword)) { - ADMIN_PASSWORD = initialAdminPassword; - } - - // If script execution environment is set to demo, validate custom password, else if set to test, skip validation - if (shouldValidatePassword - && !ADMIN_PASSWORD.isEmpty() - && passwordValidator.validate(ADMIN_USERNAME, ADMIN_PASSWORD) != 
RequestContentValidator.ValidationError.NONE) { - System.out.println("Password " + ADMIN_PASSWORD + " is weak. Please re-try with a stronger password."); - System.exit(-1); - } - - // if ADMIN_PASSWORD is still an empty string, it implies no custom password was provided. We exit the setup. - if (Strings.isNullOrEmpty(ADMIN_PASSWORD)) { - System.out.println("No custom admin password found. Please provide a password."); - System.exit(-1); - } - - // Print an update to the logs - System.out.println("Admin password set successfully."); - - writePasswordToInternalUsersFile(ADMIN_PASSWORD, INTERNAL_USERS_FILE_PATH); - - } catch (IOException e) { - System.out.println("Exception updating the admin password : " + e.getMessage()); - System.exit(-1); - } - } - - /** - * Generate password hash and update it in the internal_users.yml file - * @param adminPassword the password to be hashed and updated - * @param internalUsersFile the file path string to internal_users.yml file - * @throws IOException while reading, writing to files - */ - void writePasswordToInternalUsersFile(String adminPassword, String internalUsersFile) throws IOException { - String hashedAdminPassword = Hasher.hash(adminPassword.toCharArray()); - - if (hashedAdminPassword.isEmpty()) { - System.out.println("Hash the admin password failure, see console for details"); - System.exit(-1); - } - - Path tempFilePath = Paths.get(internalUsersFile + ".tmp"); - Path internalUsersPath = Paths.get(internalUsersFile); - - try ( - BufferedReader reader = new BufferedReader(new FileReader(internalUsersFile, StandardCharsets.UTF_8)); - BufferedWriter writer = new BufferedWriter(new FileWriter(tempFilePath.toFile(), StandardCharsets.UTF_8)) - ) { - String line; - while ((line = reader.readLine()) != null) { - if (line.matches(" *hash: *\"\\$2a\\$12\\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"")) { - line = line.replace( - "\"$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG\"", - "\"" + 
hashedAdminPassword + "\"" - ); - } - writer.write(line + System.lineSeparator()); - } - } catch (IOException e) { - throw new IOException("Unable to update the internal users file with the hashed password."); - } - Files.move(tempFilePath, internalUsersPath, java.nio.file.StandardCopyOption.REPLACE_EXISTING); - } - - /** - * Update opensearch.yml with security configuration information - */ - void writeSecurityConfigToOpenSearchYML() { - String configHeader = System.lineSeparator() - + System.lineSeparator() - + "######## Start OpenSearch Security Demo Configuration ########" - + System.lineSeparator() - + "# WARNING: revise all the lines below before you go into production" - + System.lineSeparator(); - String configFooter = "######## End OpenSearch Security Demo Configuration ########" + System.lineSeparator(); - - Map securityConfigAsMap = buildSecurityConfigMap(); - - try (FileWriter writer = new FileWriter(installer.OPENSEARCH_CONF_FILE, StandardCharsets.UTF_8, true)) { - writer.write(configHeader); - Yaml yaml = new Yaml(); - DumperOptions options = new DumperOptions(); - options.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK); - String yamlString = yaml.dump(securityConfigAsMap); - writer.write(yamlString); - writer.write(configFooter); - } catch (IOException e) { - System.err.println("Exception writing security configuration to opensearch.yml : " + e.getMessage()); - System.exit(-1); - } - } - - /** - * Helper method to build security configuration to append to opensearch.yml - * @return the configuration map to be written to opensearch.yml - */ - Map buildSecurityConfigMap() { - Map configMap = new LinkedHashMap<>(); - - configMap.put("plugins.security.ssl.transport.pemcert_filepath", Certificates.NODE_CERT.getFileName()); - configMap.put("plugins.security.ssl.transport.pemkey_filepath", Certificates.NODE_KEY.getFileName()); - configMap.put("plugins.security.ssl.transport.pemtrustedcas_filepath", Certificates.ROOT_CA.getFileName()); - 
configMap.put("plugins.security.ssl.transport.enforce_hostname_verification", false); - configMap.put("plugins.security.ssl.http.enabled", true); - configMap.put("plugins.security.ssl.http.pemcert_filepath", Certificates.NODE_CERT.getFileName()); - configMap.put("plugins.security.ssl.http.pemkey_filepath", Certificates.NODE_KEY.getFileName()); - configMap.put("plugins.security.ssl.http.pemtrustedcas_filepath", Certificates.ROOT_CA.getFileName()); - configMap.put("plugins.security.allow_unsafe_democertificates", true); - - if (installer.initsecurity) { - configMap.put("plugins.security.allow_default_init_securityindex", true); - } - - configMap.put("plugins.security.authcz.admin_dn", List.of("CN=kirk,OU=client,O=client,L=test,C=de")); - - configMap.put("plugins.security.audit.type", "internal_opensearch"); - configMap.put("plugins.security.enable_snapshot_restore_privilege", true); - configMap.put("plugins.security.check_snapshot_restore_write_privileges", true); - configMap.put("plugins.security.restapi.roles_enabled", REST_ENABLED_ROLES); - - configMap.put("plugins.security.system_indices.enabled", true); - configMap.put("plugins.security.system_indices.indices", SYSTEM_INDICES); - - if (!isNetworkHostAlreadyPresent(installer.OPENSEARCH_CONF_FILE)) { - if (installer.cluster_mode) { - configMap.put("network.host", "0.0.0.0"); - configMap.put("node.name", "smoketestnode"); - configMap.put("cluster.initial_cluster_manager_nodes", "smoketestnode"); - } - } - - if (!isNodeMaxLocalStorageNodesAlreadyPresent(installer.OPENSEARCH_CONF_FILE)) { - configMap.put("node.max_local_storage_nodes", 3); - } - - return configMap; - } - - /** - * Helper method to check if network.host config is present - * @param filePath path to opensearch.yml - * @return true is present, false otherwise - */ - static boolean isNetworkHostAlreadyPresent(String filePath) { - try { - String searchString = "network.host"; - return isKeyPresentInYMLFile(filePath, searchString); - } catch (IOException 
e) { - return false; - } - } - - /** - * Helper method to check if node.max_local_storage_nodes config is present - * @param filePath path to opensearch.yml - * @return true if present, false otherwise - */ - static boolean isNodeMaxLocalStorageNodesAlreadyPresent(String filePath) { - try { - String searchString = "node.max_local_storage_nodes"; - return isKeyPresentInYMLFile(filePath, searchString); - } catch (IOException e) { - return false; - } - } - - /** - * Checks if the given key is present in the yml file - * @param filePath path to yml file in which given key should be searched - * @param key the key to be searched for - * @return true if the key is present, false otherwise - * @throws IOException if there was exception reading the file - */ - static boolean isKeyPresentInYMLFile(String filePath, String key) throws IOException { - JsonNode node; - try { - node = DefaultObjectMapper.YAML_MAPPER.readTree(new File(filePath)); - } catch (IOException e) { - throw new RuntimeException(e); - } - - return node.has(key); - } - - /** - * Helper method to create security_admin_demo.(sh|bat) - * @param securityAdminScriptPath path to original script - * @param securityAdminDemoScriptPath path to security admin demo script - * @throws IOException if there was error reading/writing the file - */ - void createSecurityAdminDemoScript(String securityAdminScriptPath, String securityAdminDemoScriptPath) throws IOException { - String[] securityAdminCommands = getSecurityAdminCommands(securityAdminScriptPath); - - // Write securityadmin_demo script - FileWriter writer = new FileWriter(securityAdminDemoScriptPath, StandardCharsets.UTF_8); - for (String command : securityAdminCommands) { - writer.write(command + System.lineSeparator()); - } - writer.close(); - } - - /** - * Return the command to be added to securityadmin_demo script - * @param securityAdminScriptPath the path to securityadmin.(sh|bat) - * @return the command string - */ - String[] getSecurityAdminCommands(String 
securityAdminScriptPath) { - String securityAdminExecutionPath = securityAdminScriptPath - + "\" -cd \"" - + installer.OPENSEARCH_CONF_DIR - + "opensearch-security\" -icl -key \"" - + installer.OPENSEARCH_CONF_DIR - + Certificates.ADMIN_CERT_KEY.getFileName() - + "\" -cert \"" - + installer.OPENSEARCH_CONF_DIR - + Certificates.ADMIN_CERT.getFileName() - + "\" -cacert \"" - + installer.OPENSEARCH_CONF_DIR - + Certificates.ROOT_CA.getFileName() - + "\" -nhnv"; - - if (installer.OS.toLowerCase().contains("win")) { - return new String[] { "@echo off", "call \"" + securityAdminExecutionPath }; - } - - return new String[] { "#!/bin/bash", "sudo" + " \"" + securityAdminExecutionPath }; - } -} diff --git a/src/test/java/org/opensearch/security/sanity/tests/InvalidAdminPasswordIT.java b/src/test/java/org/opensearch/security/sanity/tests/InvalidAdminPasswordIT.java deleted file mode 100644 index 60d2eee138..0000000000 --- a/src/test/java/org/opensearch/security/sanity/tests/InvalidAdminPasswordIT.java +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.sanity.tests; - -import org.hamcrest.MatcherAssert; -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.Test; - -import org.opensearch.client.Request; -import org.opensearch.client.Response; -import org.opensearch.client.ResponseException; - -import static org.hamcrest.Matchers.equalTo; -import static org.hamcrest.Matchers.is; - -public class InvalidAdminPasswordIT extends SecurityRestTestCase { - - static String currentPasswordVariable = System.getProperty("password"); - - @BeforeClass - public static void setUpAdminAsPasswordVariable() { - System.setProperty("password", "admin"); - } - - @AfterClass - public static void restorePasswordProperty() { - System.setProperty("password", currentPasswordVariable); - } - - @Test - public void testAdminCredentials_adminAsPassword_shouldFail() throws Exception { - try { - client().performRequest(new Request("GET", "")); - } catch (ResponseException e) { - Response res = e.getResponse(); - MatcherAssert.assertThat(res.getStatusLine().getStatusCode(), is(equalTo(401))); - MatcherAssert.assertThat(res.getStatusLine().getReasonPhrase(), is(equalTo("Unauthorized"))); - } - } -} diff --git a/src/test/java/org/opensearch/security/sanity/tests/SingleClusterSanityIT.java b/src/test/java/org/opensearch/security/sanity/tests/SingleClusterSanityIT.java index 97937a2c52..8987744d58 100644 --- a/src/test/java/org/opensearch/security/sanity/tests/SingleClusterSanityIT.java +++ b/src/test/java/org/opensearch/security/sanity/tests/SingleClusterSanityIT.java 
@@ -19,11 +19,7 @@ import org.hamcrest.MatcherAssert; import org.junit.Test; -import org.opensearch.client.Request; -import org.opensearch.client.Response; - import static org.hamcrest.Matchers.anEmptyMap; -import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItem; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.not; @@ -38,13 +34,6 @@ public void testSecurityPluginInstallation() throws Exception { verifyPluginInstallationOnAllNodes(); } - @Test - public void testAdminCredentials_validAdminPassword_shouldSucceed() throws Exception { - Response response = client().performRequest(new Request("GET", "")); - MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), is(equalTo(200))); - MatcherAssert.assertThat(response.getStatusLine().getReasonPhrase(), is(equalTo("OK"))); - } - private void verifyPluginInstallationOnAllNodes() throws Exception { Map> nodesInCluster = (Map>) getAsMapByAdmin("_nodes").get("nodes"); diff --git a/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java b/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java deleted file mode 100644 index 58cf6d1368..0000000000 --- a/src/test/java/org/opensearch/security/tools/democonfig/CertificateGeneratorTests.java +++ /dev/null 
@@ -1,178 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.tools.democonfig;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileReader;
-import java.security.KeyFactory;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.time.Instant;
-import java.time.LocalDate;
-import java.time.Period;
-import java.util.Base64;
-import java.util.Date;
-import java.util.TimeZone;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import org.opensearch.security.tools.democonfig.util.NoExitSecurityManager;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.greaterThanOrEqualTo;
-import static org.hamcrest.Matchers.is;
-import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createDirectory;
-import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.deleteDirectoryRecursive;
-import static org.junit.Assert.fail;
-
-public class CertificateGeneratorTests {
-
- private static Installer installer;
-
- @Before
- public void setUp() {
- installer = Installer.getInstance();
- installer.buildOptions();
- installer.OPENSEARCH_CONF_DIR = System.getProperty("user.dir") + File.separator + "test-conf";
- createDirectory(installer.OPENSEARCH_CONF_DIR);
- }
-
- @After
- public void tearDown() {
- deleteDirectoryRecursive(installer.OPENSEARCH_CONF_DIR);
- Installer.resetInstance();
- }
-
- @Test
- public void testCreateDemoCertificates() throws Exception {
- CertificateGenerator certificateGenerator = new CertificateGenerator(installer);
- Certificates[] certificatesArray = Certificates.values();
-
- certificateGenerator.createDemoCertificates();
-
- // root-ca.pem, esnode.pem, esnode-key.pem, kirk.pem, kirk-key.pem
- int expectedNumberOfCertificateFiles = 5;
-
- int certsFound = 0;
-
- for (Certificates cert : certificatesArray) {
- String certFilePath = installer.OPENSEARCH_CONF_DIR + File.separator + cert.getFileName();
- File certFile = new File(certFilePath);
- assertThat(certFile.exists(), is(equalTo(true)));
- assertThat(certFile.canRead(), is(equalTo(true)));
-
- if (certFilePath.endsWith("-key.pem")) {
- checkPrivateKeyValidity(certFilePath);
- } else {
- checkCertificateValidity(certFilePath);
- }
-
- // increment a count since a valid certificate was found
- certsFound++;
- }
-
- assertThat(certsFound, equalTo(expectedNumberOfCertificateFiles));
- }
-
- @Test
- public void testCreateDemoCertificates_invalidPath() {
- installer.OPENSEARCH_CONF_DIR = "invalidPath";
- CertificateGenerator certificateGenerator = new CertificateGenerator(installer);
- try {
- System.setSecurityManager(new NoExitSecurityManager());
- certificateGenerator.createDemoCertificates();
- } catch (SecurityException e) {
- assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing."));
- } finally {
- System.setSecurityManager(null);
- }
- }
-
- private static void checkCertificateValidity(String certPath) throws Exception {
- try (FileInputStream certInputStream = new FileInputStream(certPath)) {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- Certificate certificate = cf.generateCertificate(certInputStream);
-
- if (certificate instanceof X509Certificate) {
- X509Certificate x509Certificate = (X509Certificate) certificate;
- Date expiryDate = x509Certificate.getNotAfter();
- Instant expiry = expiryDate.toInstant();
-
- Period duration = getPeriodBetween(x509Certificate.getNotBefore().toInstant(), expiry);
- if (certPath.endsWith("-ca.pem")) {
- // root-ca.pem is already expired as the validity is only 30 days from generation
- // so we just check interval to be of 30 days
- assertThat(duration.getDays(), equalTo(30));
- return;
- }
-
- // we check that cert is valid for total of ~10 yrs
- // we don't check days as leaps years may cause flaky-ness
- assertThat(duration.getYears(), equalTo(9));
- assertThat(duration.getMonths(), equalTo(11));
-
- x509Certificate.checkValidity();
- verifyExpiryAtLeastAYearFromNow(expiry);
-
- assertThat(x509Certificate.getSigAlgName(), is(equalTo("SHA256withRSA")));
- }
- }
- }
-
- private static void verifyExpiryAtLeastAYearFromNow(Instant expiry) {
- Period gap = getPeriodBetween(Instant.now(), expiry);
- assertThat(gap.getYears(), greaterThanOrEqualTo(1));
- }
-
- private static Period getPeriodBetween(Instant start, Instant end) {
- LocalDate startDate = LocalDate.ofInstant(start, TimeZone.getTimeZone("EDT").toZoneId());
- LocalDate endDate = LocalDate.ofInstant(end, TimeZone.getTimeZone("EDT").toZoneId());
-
- return Period.between(startDate, endDate);
- }
-
- private void checkPrivateKeyValidity(String keyPath) {
- try {
- String pemContent = readPEMFile(keyPath);
-
- String base64Data = pemContent.replaceAll("-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
-
- byte[] keyBytes = Base64.getDecoder().decode(base64Data);
- KeyFactory kf = KeyFactory.getInstance("RSA");
- PrivateKey key = kf.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
- assertThat(key.getFormat(), is(equalTo("PKCS#8")));
- assertThat(key.getAlgorithm(), is(equalTo("RSA")));
- assertThat(key.isDestroyed(), is(equalTo(false)));
- } catch (Exception e) {
- fail("Error checking key validity: " + e.getMessage());
- }
- }
-
- private static String readPEMFile(String pemFilePath) throws Exception {
- StringBuilder pemContent = new StringBuilder();
- try (BufferedReader reader = new BufferedReader(new FileReader(pemFilePath))) {
- String line;
- while ((line = reader.readLine()) != null) {
- pemContent.append(line).append("\n");
- }
- }
- return pemContent.toString();
- }
-}
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java
deleted file mode 100644
index 06c6edf734..0000000000
--- a/src/test/java/org/opensearch/security/tools/democonfig/InstallerTests.java
+++ /dev/null
@@ -1,515 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -// CS-SUPPRESS-SINGLE: RegexpSingleline extension key-word is used in file ext variable -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.IOException; -import java.io.InputStream; -import java.io.PrintStream; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.attribute.PosixFilePermission; -import java.util.HashSet; -import java.util.Set; - -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import org.opensearch.security.tools.democonfig.util.NoExitSecurityManager; - -import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.equalTo; -import static org.hamcrest.Matchers.is; -import static org.hamcrest.Matchers.not; -import static org.opensearch.security.tools.democonfig.Installer.RPM_DEB_OPENSEARCH_HOME; -import static org.opensearch.security.tools.democonfig.Installer.printScriptHeaders; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createDirectory; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createFile; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.deleteDirectoryRecursive; -import static org.junit.Assert.assertThrows; -import static org.junit.Assert.fail; - -public class InstallerTests { - private final ByteArrayOutputStream outContent = new ByteArrayOutputStream(); - private final PrintStream originalOut = System.out; - private final InputStream 
originalIn = System.in; - - private static Installer installer; - - @Before - public void setUpStreams() { - System.setOut(new PrintStream(outContent)); - installer = Installer.getInstance(); - installer.buildOptions(); - } - - @After - public void restoreStreams() { - System.setOut(originalOut); - System.setIn(originalIn); - Installer.resetInstance(); - } - - @Test - public void testPrintScriptHeaders() { - printScriptHeaders(); - - String expectedOutput = "### OpenSearch Security Demo Installer" - + System.lineSeparator() - + "### ** Warning: Do not use on production or public reachable systems **" - + System.lineSeparator(); - assertThat(outContent.toString(), equalTo(expectedOutput)); - } - - @Test - public void testReadOptions_withoutHelpOption() { - // All options except Help `-h` - String[] validOptions = { "/scriptDir", "-y", "-i", "-c", "-s", "-t" }; - installer.readOptions(validOptions); - - assertThat(installer.SCRIPT_DIR, equalTo("/scriptDir")); - assertThat(installer.assumeyes, is(true)); - assertThat(installer.initsecurity, is(true)); - assertThat(installer.cluster_mode, is(true)); - assertThat(installer.skip_updates, equalTo(0)); - assertThat(installer.environment, equalTo(ExecutionEnvironment.TEST)); - } - - @Test - public void testReadOptions_help() { - try { - System.setSecurityManager(new NoExitSecurityManager()); - String[] helpOption = { "/scriptDir", "-h" }; - installer.readOptions(helpOption); - } catch (SecurityException e) { - // if help text printed correctly then exit code 0 is expected - assertThat(e.getMessage(), equalTo("System.exit(0) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - - verifyStdOutContainsString("usage: install_demo_configuration" + installer.FILE_EXTENSION + " [-c] [-h] [-i] [-s] [-t] [-y]"); - } - - @Test - public void testGatherUserInputs_withoutAssumeYes() { - // -i & -c option is not passed - String[] validOptions = { "/scriptDir" }; - 
installer.readOptions(validOptions); - assertThat(installer.assumeyes, is(false)); - assertThat(installer.initsecurity, is(false)); - assertThat(installer.cluster_mode, is(false)); - - // set initsecurity and cluster_mode to no - readInputStream("y" + System.lineSeparator() + "n" + System.lineSeparator() + "n" + System.lineSeparator()); // pass all 3 inputs as - // y - installer.gatherUserInputs(); - - verifyStdOutContainsString("Install demo certificates?"); - verifyStdOutContainsString("Initialize Security Modules?"); - verifyStdOutContainsString("Cluster mode requires additional setup of:"); - verifyStdOutContainsString(" - Virtual memory (vm.max_map_count)" + System.lineSeparator()); - verifyStdOutContainsString("Enable cluster mode?"); - - assertThat(installer.initsecurity, is(false)); - assertThat(installer.cluster_mode, is(false)); - - outContent.reset(); - - // set initsecurity and cluster_mode to no - readInputStream("y" + System.lineSeparator() + "y" + System.lineSeparator() + "y" + System.lineSeparator()); // pass all 3 inputs as - // y - installer.gatherUserInputs(); - - verifyStdOutContainsString("Install demo certificates?"); - verifyStdOutContainsString("Initialize Security Modules?"); - verifyStdOutContainsString("Cluster mode requires additional setup of:"); - verifyStdOutContainsString(" - Virtual memory (vm.max_map_count)" + System.lineSeparator()); - verifyStdOutContainsString("Enable cluster mode?"); - - assertThat(installer.initsecurity, is(true)); - assertThat(installer.cluster_mode, is(true)); - - outContent.reset(); - - // no to demo certificates - try { - System.setSecurityManager(new NoExitSecurityManager()); - - readInputStream("n" + System.lineSeparator() + "n" + System.lineSeparator() + "n" + System.lineSeparator()); - installer.gatherUserInputs(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(0) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - 
verifyStdOutContainsString("Install demo certificates?"); - verifyStdOutDoesNotContainString("Initialize Security Modules?"); - verifyStdOutDoesNotContainString("Cluster mode requires additional setup of:"); - verifyStdOutDoesNotContainString(" - Virtual memory (vm.max_map_count)" + System.lineSeparator()); - verifyStdOutDoesNotContainString("Enable cluster mode?"); - - outContent.reset(); - - // pass initsecurity and cluster_mode options - String[] validOptionsIC = { "/scriptDir", "-i", "-c" }; - installer.readOptions(validOptionsIC); - assertThat(installer.assumeyes, is(false)); - assertThat(installer.initsecurity, is(true)); - assertThat(installer.cluster_mode, is(true)); - - readInputStream("y" + System.lineSeparator() + "y" + System.lineSeparator() + "y" + System.lineSeparator()); // pass all 3 inputs as - // y - installer.gatherUserInputs(); - - verifyStdOutContainsString("Install demo certificates?"); - verifyStdOutDoesNotContainString("Initialize Security Modules?"); - verifyStdOutDoesNotContainString("Enable cluster mode?"); - - assertThat(installer.initsecurity, is(true)); - assertThat(installer.cluster_mode, is(true)); - } - - @Test - public void testGatherInputs_withAssumeYes() { - String[] validOptionsYes = { "/scriptDir", "-y" }; - installer.readOptions(validOptionsYes); - assertThat(installer.assumeyes, is(true)); - - installer.gatherUserInputs(); - - assertThat(installer.initsecurity, is(true)); - assertThat(installer.cluster_mode, is(true)); - } - - @Test - public void testInitializeVariables_setBaseDir_invalidPath() { - String[] invalidScriptDirPath = { "/scriptDir", "-y" }; - installer.readOptions(invalidScriptDirPath); - - assertThrows("Expected NullPointerException to be thrown", NullPointerException.class, installer::initializeVariables); - - String[] invalidScriptDirPath2 = { "/opensearch/plugins/opensearch-security/tools", "-y" }; - installer.readOptions(invalidScriptDirPath2); - - try { - System.setSecurityManager(new 
NoExitSecurityManager()); - installer.initializeVariables(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - - verifyStdOutContainsString("DEBUG: basedir does not exist"); - } - - @Test - public void testSetBaseDir_valid() { - String currentDir = System.getProperty("user.dir"); - - String[] validBaseDir = { currentDir, "-y" }; - installer.readOptions(validBaseDir); - - installer.setBaseDir(); - - String expectedBaseDirValue = new File(currentDir).getParentFile().getParentFile().getParentFile().getAbsolutePath() - + File.separator; - assertThat(installer.BASE_DIR, equalTo(expectedBaseDirValue)); - } - - @Test - public void testSetOpenSearchVariables_invalidPath() { - String currentDir = System.getProperty("user.dir"); - - String[] validBaseDir = { currentDir, "-y" }; - installer.readOptions(validBaseDir); - - try { - System.setSecurityManager(new NoExitSecurityManager()); - installer.setBaseDir(); - installer.setOpenSearchVariables(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - - } - verifyStdOutContainsString("Unable to determine OpenSearch config file. Quit."); - verifyStdOutContainsString("Unable to determine OpenSearch bin directory. Quit."); - verifyStdOutContainsString("Unable to determine OpenSearch plugins directory. Quit."); - verifyStdOutContainsString("Unable to determine OpenSearch lib directory. 
Quit."); - - String expectedBaseDirValue = new File(currentDir).getParentFile().getParentFile().getParentFile().getAbsolutePath() - + File.separator; - String expectedOpensearchConfFilePath = expectedBaseDirValue + "config" + File.separator + "opensearch.yml"; - String expectedOpensearchBinDirPath = expectedBaseDirValue + "bin" + File.separator; - String expectedOpensearchPluginDirPath = expectedBaseDirValue + "plugins" + File.separator; - String expectedOpensearchLibDirPath = expectedBaseDirValue + "lib" + File.separator; - String expectedOpensearchInstallType = installer.determineInstallType(); - - assertThat(installer.OPENSEARCH_CONF_FILE, equalTo(expectedOpensearchConfFilePath)); - assertThat(installer.OPENSEARCH_BIN_DIR, equalTo(expectedOpensearchBinDirPath)); - assertThat(installer.OPENSEARCH_PLUGINS_DIR, equalTo(expectedOpensearchPluginDirPath)); - assertThat(installer.OPENSEARCH_LIB_PATH, equalTo(expectedOpensearchLibDirPath)); - assertThat(installer.OPENSEARCH_INSTALL_TYPE, equalTo(expectedOpensearchInstallType)); - - } - - @Test - public void testDetermineInstallType_windows() { - installer.OS = "Windows"; - - String installType = installer.determineInstallType(); - - assertThat(installType, equalTo(".zip")); - } - - @Test - public void testDetermineInstallType_rpm_deb() { - installer.OS = "Linux"; - String dir = System.getProperty("user.dir"); - installer.BASE_DIR = dir; - RPM_DEB_OPENSEARCH_HOME = new File(dir); - - String installType = installer.determineInstallType(); - - assertThat(installType, equalTo("rpm/deb")); - } - - @Test - public void testDetermineInstallType_default() { - installer.OS = "Anything else"; - installer.BASE_DIR = "/random-dir"; - String installType = installer.determineInstallType(); - - assertThat(installType, equalTo(".tar.gz")); - } - - @Test - public void testSetSecurityVariables() { - setUpSecurityDirectories(); - installer.setSecurityVariables(); - - assertThat(installer.OPENSEARCH_VERSION, is(equalTo("osVersion"))); - 
assertThat(installer.SECURITY_VERSION, is(equalTo("version"))); - tearDownSecurityDirectories(); - } - - @Test - public void testSetSecurityVariables_noSecurityPlugin() { - try { - System.setSecurityManager(new NoExitSecurityManager()); - - installer.setSecurityVariables(); - fail("Expected System.exit(-1) to be called"); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - } - - @Test - public void testPrintVariables() { - installer.OPENSEARCH_INSTALL_TYPE = "installType"; - installer.OS = "OS"; - installer.OPENSEARCH_CONF_DIR = "confDir"; - installer.OPENSEARCH_CONF_FILE = "confFile"; - installer.OPENSEARCH_BIN_DIR = "/bin"; - installer.OPENSEARCH_PLUGINS_DIR = "/plugins"; - installer.OPENSEARCH_LIB_PATH = "/lib"; - installer.OPENSEARCH_VERSION = "osVersion"; - installer.SECURITY_VERSION = "version"; - - installer.printVariables(); - - String expectedOutput = "OpenSearch install type: installType on OS" - + System.lineSeparator() - + "OpenSearch config dir: confDir" - + System.lineSeparator() - + "OpenSearch config file: confFile" - + System.lineSeparator() - + "OpenSearch bin dir: /bin" - + System.lineSeparator() - + "OpenSearch plugins dir: /plugins" - + System.lineSeparator() - + "OpenSearch lib dir: /lib" - + System.lineSeparator() - + "Detected OpenSearch Version: osVersion" - + System.lineSeparator() - + "Detected OpenSearch Security Version: version" - + System.lineSeparator(); - - assertThat(outContent.toString(), equalTo(expectedOutput)); - } - - @Test - public void testFinishScriptExecution() { - setUpSecurityDirectories(); - SecuritySettingsConfigurer.ADMIN_PASSWORD = "ble"; - - installer.finishScriptExecution(); - - String securityAdminScriptPath = installer.OPENSEARCH_PLUGINS_DIR - + "opensearch-security" - + File.separator - + "tools" - + File.separator - + "securityadmin" - + installer.FILE_EXTENSION; - String 
securityAdminDemoScriptPath = installer.OPENSEARCH_CONF_DIR + "securityadmin_demo" + installer.FILE_EXTENSION; - setWritePermissions(securityAdminDemoScriptPath); - - SecuritySettingsConfigurer securitySettingsConfigurer = new SecuritySettingsConfigurer(installer); - String lastLine = securitySettingsConfigurer.getSecurityAdminCommands(securityAdminScriptPath)[1]; - - String expectedOutput = "### Success" - + System.lineSeparator() - + "### Execute this script now on all your nodes and then start all nodes" - + System.lineSeparator() - + "### After the whole cluster is up execute: " - + System.lineSeparator() - + lastLine - + System.lineSeparator() - + "### or run ." - + File.separator - + "securityadmin_demo" - + installer.FILE_EXTENSION - + System.lineSeparator() - + "### After that you can also use the Security Plugin ConfigurationGUI" - + System.lineSeparator() - + "### To access your secured cluster open https://: and log in with admin/." - + System.lineSeparator() - + "### (Ignore the SSL certificate warning because we installed self-signed demo certificates)" - + System.lineSeparator(); - - assertThat(outContent.toString(), equalTo(expectedOutput)); - - tearDownSecurityDirectories(); - } - - @Test - public void testFinishScriptExecution_withInitSecurityEnabled() { - setUpSecurityDirectories(); - installer.initsecurity = true; - SecuritySettingsConfigurer.ADMIN_PASSWORD = "ble"; - - installer.finishScriptExecution(); - - String securityAdminScriptPath = installer.OPENSEARCH_PLUGINS_DIR - + "opensearch-security" - + File.separator - + "tools" - + File.separator - + "securityadmin" - + installer.FILE_EXTENSION; - String securityAdminDemoScriptPath = installer.OPENSEARCH_CONF_DIR + "securityadmin_demo" + installer.FILE_EXTENSION; - setWritePermissions(securityAdminDemoScriptPath); - - SecuritySettingsConfigurer securitySettingsConfigurer = new SecuritySettingsConfigurer(installer); - String lastLine = 
securitySettingsConfigurer.getSecurityAdminCommands(securityAdminScriptPath)[1]; - - String expectedOutput = "### Success" - + System.lineSeparator() - + "### Execute this script now on all your nodes and then start all nodes" - + System.lineSeparator() - + "### OpenSearch Security will be automatically initialized." - + System.lineSeparator() - + "### If you like to change the runtime configuration " - + System.lineSeparator() - + "### change the files in .." - + File.separator - + ".." - + File.separator - + ".." - + File.separator - + "config" - + File.separator - + "opensearch-security and execute: " - + System.lineSeparator() - + lastLine - + System.lineSeparator() - + "### or run ." - + File.separator - + "securityadmin_demo" - + installer.FILE_EXTENSION - + System.lineSeparator() - + "### To use the Security Plugin ConfigurationGUI" - + System.lineSeparator() - + "### To access your secured cluster open https://: and log in with admin/." - + System.lineSeparator() - + "### (Ignore the SSL certificate warning because we installed self-signed demo certificates)" - + System.lineSeparator(); - - assertThat(outContent.toString(), equalTo(expectedOutput)); - - tearDownSecurityDirectories(); - } - - private void readInputStream(String input) { - System.setIn(new ByteArrayInputStream(input.getBytes())); - } - - public void setUpSecurityDirectories() { - String currentDir = System.getProperty("user.dir"); - - String[] validBaseDir = { currentDir, "-y" }; - installer.readOptions(validBaseDir); - installer.setBaseDir(); - installer.OPENSEARCH_PLUGINS_DIR = installer.BASE_DIR + "plugins" + File.separator; - installer.OPENSEARCH_LIB_PATH = installer.BASE_DIR + "lib" + File.separator; - installer.OPENSEARCH_CONF_DIR = installer.BASE_DIR + "test-conf" + File.separator; - - createDirectory(installer.OPENSEARCH_PLUGINS_DIR); - createDirectory(installer.OPENSEARCH_LIB_PATH); - createDirectory(installer.OPENSEARCH_CONF_DIR); - createDirectory(installer.OPENSEARCH_PLUGINS_DIR + 
"opensearch-security"); - createFile(installer.OPENSEARCH_LIB_PATH + "opensearch-core-osVersion.jar"); - createFile(installer.OPENSEARCH_PLUGINS_DIR + "opensearch-security" + File.separator + "opensearch-security-version.jar"); - createFile(installer.OPENSEARCH_CONF_DIR + File.separator + "securityadmin_demo.sh"); - } - - public void tearDownSecurityDirectories() { - // Clean up testing directories or files - deleteDirectoryRecursive(installer.OPENSEARCH_PLUGINS_DIR); - deleteDirectoryRecursive(installer.OPENSEARCH_LIB_PATH); - deleteDirectoryRecursive(installer.OPENSEARCH_CONF_DIR); - } - - static void setWritePermissions(String filePath) { - if (!installer.OS.toLowerCase().contains("win")) { - Path file = Paths.get(filePath); - Set perms = new HashSet<>(); - perms.add(PosixFilePermission.OWNER_WRITE); - try { - Files.setPosixFilePermissions(file, perms); - } catch (IOException e) { - throw new RuntimeException(e); - } - } - } - - private void verifyStdOutContainsString(String s) { - assertThat(outContent.toString(), containsString(s)); - } - - private void verifyStdOutDoesNotContainString(String s) { - assertThat(outContent.toString(), not(containsString(s))); - } -} diff --git a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java b/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java deleted file mode 100644 index 948a66996c..0000000000 --- a/src/test/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurerTests.java +++ /dev/null 
@@ -1,308 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.tools.democonfig; - -// CS-SUPPRESS-SINGLE: RegexpSingleline extension key-word is used in file ext variable -import java.io.BufferedReader; -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileReader; -import java.io.IOException; -import java.io.InputStream; -import java.io.PrintStream; -import java.lang.reflect.Field; -import java.nio.charset.StandardCharsets; -import java.util.Collections; -import java.util.List; -import java.util.Map; - -import org.junit.After; -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; - -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.tools.democonfig.util.NoExitSecurityManager; - -import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.equalTo; -import static org.hamcrest.Matchers.is; -import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.REST_ENABLED_ROLES; -import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.SYSTEM_INDICES; -import static org.opensearch.security.tools.democonfig.SecuritySettingsConfigurer.isKeyPresentInYMLFile; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createDirectory; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.createFile; -import static org.opensearch.security.tools.democonfig.util.DemoConfigHelperUtil.deleteDirectoryRecursive; -import static org.junit.Assert.fail; - -@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class) -public 
class SecuritySettingsConfigurerTests { - - private final ByteArrayOutputStream outContent = new ByteArrayOutputStream(); - private final PrintStream originalOut = System.out; - private final PrintStream originalErr = System.err; - private final InputStream originalIn = System.in; - - private final String adminPasswordKey = ConfigConstants.OPENSEARCH_INITIAL_ADMIN_PASSWORD; - - private static SecuritySettingsConfigurer securitySettingsConfigurer; - - private static Installer installer; - - @Before - public void setUp() { - System.setOut(new PrintStream(outContent)); - System.setErr(new PrintStream(outContent)); - installer = Installer.getInstance(); - installer.buildOptions(); - securitySettingsConfigurer = new SecuritySettingsConfigurer(installer); - setUpConf(); - } - - @After - public void tearDown() throws NoSuchFieldException, IllegalAccessException { - outContent.reset(); - System.setOut(originalOut); - System.setErr(originalErr); - System.setIn(originalIn); - deleteDirectoryRecursive(installer.OPENSEARCH_CONF_DIR); - unsetEnvVariables(); - Installer.resetInstance(); - } - - @Test - public void testUpdateAdminPasswordWithCustomPassword() throws NoSuchFieldException, IllegalAccessException { - String customPassword = "myStrongPassword123"; - setEnv(adminPasswordKey, customPassword); - - securitySettingsConfigurer.updateAdminPassword(); - - assertThat(customPassword, is(equalTo(SecuritySettingsConfigurer.ADMIN_PASSWORD))); - - verifyStdOutContainsString("Admin password set successfully."); - } - - @Test - public void testUpdateAdminPassword_noPasswordSupplied() { - SecuritySettingsConfigurer.ADMIN_PASSWORD = ""; // to ensure 0 flaky-ness - try { - System.setSecurityManager(new NoExitSecurityManager()); - securitySettingsConfigurer.updateAdminPassword(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - - 
verifyStdOutContainsString("No custom admin password found. Please provide a password."); - } - - @Test - public void testUpdateAdminPasswordWithWeakPassword() throws NoSuchFieldException, IllegalAccessException { - - setEnv(adminPasswordKey, "weakpassword"); - try { - System.setSecurityManager(new NoExitSecurityManager()); - securitySettingsConfigurer.updateAdminPassword(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - - verifyStdOutContainsString("Password weakpassword is weak. Please re-try with a stronger password."); - } - - @Test - public void testUpdateAdminPasswordWithWeakPassword_skipPasswordValidation() throws NoSuchFieldException, IllegalAccessException { - setEnv(adminPasswordKey, "weakpassword"); - installer.environment = ExecutionEnvironment.TEST; - securitySettingsConfigurer.updateAdminPassword(); - - assertThat("weakpassword", is(equalTo(SecuritySettingsConfigurer.ADMIN_PASSWORD))); - - verifyStdOutContainsString("Admin password set successfully."); - } - - @Test - public void testSecurityPluginAlreadyConfigured() { - securitySettingsConfigurer.writeSecurityConfigToOpenSearchYML(); - String expectedMessage = installer.OPENSEARCH_CONF_FILE + " seems to be already configured for Security. 
Quit."; - try { - System.setSecurityManager(new NoExitSecurityManager()); - securitySettingsConfigurer.checkIfSecurityPluginIsAlreadyConfigured(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - verifyStdOutContainsString(expectedMessage); - } - - @Test - public void testSecurityPluginNotConfigured() { - try { - securitySettingsConfigurer.checkIfSecurityPluginIsAlreadyConfigured(); - } catch (Exception e) { - fail("Expected checkIfSecurityPluginIsAlreadyConfigured to succeed without any errors."); - } - } - - @Test - public void testConfigFileDoesNotExist() { - installer.OPENSEARCH_CONF_FILE = "path/to/nonexistentfile"; - String expectedMessage = "OpenSearch configuration file does not exist. Quit."; - try { - System.setSecurityManager(new NoExitSecurityManager()); - securitySettingsConfigurer.checkIfSecurityPluginIsAlreadyConfigured(); - } catch (SecurityException e) { - assertThat(e.getMessage(), equalTo("System.exit(-1) blocked to allow print statement testing.")); - } finally { - System.setSecurityManager(null); - } - - verifyStdOutContainsString(expectedMessage); - - // reset the file pointer - installer.OPENSEARCH_CONF_FILE = installer.OPENSEARCH_CONF_DIR + "opensearch.yml"; - } - - @Test - public void testBuildSecurityConfigMap() { - Map actual = securitySettingsConfigurer.buildSecurityConfigMap(); - - assertThat(actual.size(), is(17)); - assertThat(actual.get("plugins.security.ssl.transport.pemcert_filepath"), is(equalTo(Certificates.NODE_CERT.getFileName()))); - assertThat(actual.get("plugins.security.ssl.transport.pemkey_filepath"), is(equalTo(Certificates.NODE_KEY.getFileName()))); - assertThat(actual.get("plugins.security.ssl.transport.pemtrustedcas_filepath"), is(equalTo(Certificates.ROOT_CA.getFileName()))); - assertThat(actual.get("plugins.security.ssl.transport.enforce_hostname_verification"), 
is(equalTo(false))); - assertThat(actual.get("plugins.security.ssl.http.enabled"), is(equalTo(true))); - assertThat(actual.get("plugins.security.ssl.http.pemcert_filepath"), is(equalTo(Certificates.NODE_CERT.getFileName()))); - assertThat(actual.get("plugins.security.ssl.http.pemkey_filepath"), is(equalTo(Certificates.NODE_KEY.getFileName()))); - assertThat(actual.get("plugins.security.ssl.http.pemtrustedcas_filepath"), is(equalTo(Certificates.ROOT_CA.getFileName()))); - assertThat(actual.get("plugins.security.allow_unsafe_democertificates"), is(equalTo(true))); - assertThat(actual.get("plugins.security.authcz.admin_dn"), is(equalTo(List.of("CN=kirk,OU=client,O=client,L=test,C=de")))); - assertThat(actual.get("plugins.security.audit.type"), is(equalTo("internal_opensearch"))); - assertThat(actual.get("plugins.security.enable_snapshot_restore_privilege"), is(equalTo(true))); - assertThat(actual.get("plugins.security.check_snapshot_restore_write_privileges"), is(equalTo(true))); - assertThat(actual.get("plugins.security.restapi.roles_enabled"), is(equalTo(REST_ENABLED_ROLES))); - assertThat(actual.get("plugins.security.system_indices.enabled"), is(equalTo(true))); - assertThat(actual.get("plugins.security.system_indices.indices"), is(equalTo(SYSTEM_INDICES))); - assertThat(actual.get("node.max_local_storage_nodes"), is(equalTo(3))); - - installer.initsecurity = true; - actual = securitySettingsConfigurer.buildSecurityConfigMap(); - assertThat(actual.get("plugins.security.allow_default_init_securityindex"), is(equalTo(true))); - - installer.cluster_mode = true; - actual = securitySettingsConfigurer.buildSecurityConfigMap(); - assertThat(actual.get("network.host"), is(equalTo("0.0.0.0"))); - assertThat(actual.get("node.name"), is(equalTo("smoketestnode"))); - assertThat(actual.get("cluster.initial_cluster_manager_nodes"), is(equalTo("smoketestnode"))); - } - - @Test - public void testIsStringAlreadyPresentInFile_isNotPresent() throws IOException { - String str1 = 
"network.host"; - String str2 = "some.random.config"; - - installer.initsecurity = true; - securitySettingsConfigurer.writeSecurityConfigToOpenSearchYML(); - - assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, str1), is(equalTo(false))); - assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, str2), is(equalTo(false))); - } - - @Test - public void testIsStringAlreadyPresentInFile_isPresent() throws IOException { - String str1 = "network.host"; - String str2 = "some.random.config"; - - installer.initsecurity = true; - installer.cluster_mode = true; - securitySettingsConfigurer.writeSecurityConfigToOpenSearchYML(); - - assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, str1), is(equalTo(true))); - assertThat(isKeyPresentInYMLFile(installer.OPENSEARCH_CONF_FILE, str2), is(equalTo(false))); - } - - @Test - public void testCreateSecurityAdminDemoScriptAndGetSecurityAdminCommands() throws IOException { - String demoPath = installer.OPENSEARCH_CONF_DIR + "securityadmin_demo" + installer.FILE_EXTENSION; - securitySettingsConfigurer.createSecurityAdminDemoScript("scriptPath", demoPath); - - assertThat(new File(demoPath).exists(), is(equalTo(true))); - - String[] commands = securitySettingsConfigurer.getSecurityAdminCommands("scriptPath"); - - try (BufferedReader reader = new BufferedReader(new FileReader(demoPath, StandardCharsets.UTF_8))) { - assertThat(reader.readLine(), is(commands[0])); - assertThat(reader.readLine(), is(equalTo(commands[1]))); - } - } - - @Test - public void testCreateSecurityAdminDemoScript_invalidPath() { - String demoPath = null; - try { - securitySettingsConfigurer.createSecurityAdminDemoScript("scriptPath", demoPath); - fail("Expected to throw Exception"); - } catch (IOException | NullPointerException e) { - // expected - } - } - - @SuppressWarnings("unchecked") - public static void setEnv(String key, String value) throws NoSuchFieldException, IllegalAccessException { - Class[] classes = 
Collections.class.getDeclaredClasses(); - Map env = System.getenv(); - for (Class cl : classes) { - if ("java.util.Collections$UnmodifiableMap".equals(cl.getName())) { - Field field = cl.getDeclaredField("m"); - field.setAccessible(true); - Object obj = field.get(env); - Map map = (Map) obj; - map.clear(); - map.put(key, value); - } - } - } - - @SuppressWarnings("unchecked") - public static void unsetEnvVariables() throws NoSuchFieldException, IllegalAccessException { - Class[] classes = Collections.class.getDeclaredClasses(); - Map env = System.getenv(); - for (Class cl : classes) { - if ("java.util.Collections$UnmodifiableMap".equals(cl.getName())) { - Field field = cl.getDeclaredField("m"); - field.setAccessible(true); - Object obj = field.get(env); - Map map = (Map) obj; - map.clear(); - } - } - } - - void setUpConf() { - installer.OPENSEARCH_CONF_DIR = System.getProperty("user.dir") + File.separator + "test-conf" + File.separator; - installer.OPENSEARCH_CONF_FILE = installer.OPENSEARCH_CONF_DIR + "opensearch.yml"; - String securityConfDir = installer.OPENSEARCH_CONF_DIR + "opensearch-security" + File.separator; - createDirectory(securityConfDir); - createFile(securityConfDir + "internal_users.yml"); - createFile(installer.OPENSEARCH_CONF_FILE); - } - - private void verifyStdOutContainsString(String s) { - assertThat(outContent.toString(), containsString(s)); - } -} diff --git a/src/test/java/org/opensearch/security/tools/democonfig/util/DemoConfigHelperUtil.java b/src/test/java/org/opensearch/security/tools/democonfig/util/DemoConfigHelperUtil.java deleted file mode 100644 index 7fd4c3330d..0000000000 --- a/src/test/java/org/opensearch/security/tools/democonfig/util/DemoConfigHelperUtil.java +++ /dev/null 
@@ -1,54 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.tools.democonfig.util;
-
-import java.io.File;
-
-public class DemoConfigHelperUtil {
- public static void createDirectory(String path) {
- File directory = new File(path);
- if (!directory.exists() && !directory.mkdirs()) {
- throw new RuntimeException("Failed to create directory: " + path);
- }
- }
-
- public static void createFile(String path) {
- try {
- File file = new File(path);
- if (!file.exists() && !file.createNewFile()) {
- throw new RuntimeException("Failed to create file: " + path);
- }
- } catch (Exception e) {
- // without this the catch, we would need to throw exception,
- // which would then require modifying caller method signature
- throw new RuntimeException("Failed to create file: " + path, e);
- }
- }
-
- public static void deleteDirectoryRecursive(String path) {
- File directory = new File(path);
- if (directory.exists()) {
- File[] files = directory.listFiles();
- if (files != null) {
- for (File file : files) {
- if (file.isDirectory()) {
- deleteDirectoryRecursive(file.getAbsolutePath());
- } else {
- file.delete();
- }
- }
- }
- // Delete the empty directory after all its content is deleted
- directory.delete();
- }
- }
-}
diff --git a/src/test/java/org/opensearch/security/tools/democonfig/util/NoExitSecurityManager.java b/src/test/java/org/opensearch/security/tools/democonfig/util/NoExitSecurityManager.java
deleted file mode 100644
index 0602812f5d..0000000000
--- a/src/test/java/org/opensearch/security/tools/democonfig/util/NoExitSecurityManager.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-package org.opensearch.security.tools.democonfig.util;
-
-/**
- * Helper class to allow capturing and testing exit codes and block test execution from exiting mid-way
- */
-public class NoExitSecurityManager extends SecurityManager {
- @Override
- public void checkPermission(java.security.Permission perm) {
- // Allow everything except System.exit code 0 & -1
- if (perm instanceof java.lang.RuntimePermission && ("exitVM.0".equals(perm.getName()) || "exitVM.-1".equals(perm.getName()))) {
- StringBuilder sb = new StringBuilder();
- sb.append("System.exit(");
- sb.append(perm.getName().contains("0") ? 0 : -1);
- sb.append(") blocked to allow print statement testing.");
- throw new SecurityException(sb.toString());
- }
- }
-}
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
index 5cf4d715fa..d9d30fea2b 100755
--- a/tools/install_demo_configuration.bat
+++ b/tools/install_demo_configuration.bat
@@ -1,29 +1,414 @@ @echo off -set DIR=%~dp0 +setlocal enableDelayedExpansion +set "SCRIPT_DIR=%~dp0" -set CUR_DIR=%DIR% +echo ************************************************************************** +echo ** This tool will be deprecated in the next major release of OpenSearch ** +echo ** https://github.com/opensearch-project/security/issues/1755 ** +echo ************************************************************************** -rem set opensearch home for instances when using bundled jdk -if not defined OPENSEARCH_HOME ( - for %%I in ("%DIR%..\..\..") do set "OPENSEARCH_HOME=%%~dpfI" +echo. +echo OpenSearch Security Demo Installer +echo ** Warning: Do not use on production or public reachable systems ** + +echo. + +set "assumeyes=0" +set "initsecurity=0" +set "cluster_mode=0" +set "skip_updates=-1" + +goto :GETOPTS + +:show_help +echo install_demo_configuration.bat [-y] [-i] [-c] +echo -h show help +echo -y confirm all installation dialogues automatically +echo -i initialize Security plugin with default configuration (default is to ask if -y is not given) +echo -c enable cluster mode by binding to all network interfaces (default is to ask if -y is not given) +echo -s skip updates if config is already applied to opensearch.yml +EXIT /B 0 + +:GETOPTS +if /I "%1" == "-h" call :show_help & exit /b 0 +if /I "%1" == "-y" set "assumeyes=1" +if /I "%1" == "-i" set "initsecurity=1" +if /I "%1" == "-c" set "cluster_mode=1" +if /I "%1" == "-s" set "skip_updates=0" +shift +if not "%1" == "" goto :GETOPTS + +if "%1" == "--" shift + +if %assumeyes% == 0 ( + set /p "response=Install demo certificates? [y/N] " + if /I "!response!" neq "Y" exit /b 0 +) + +if %initsecurity% == 0 ( + if %assumeyes% == 0 ( + set /p "response=Initialize Security Modules? [y/N] " + if /I "!response!" 
== "Y" (set "initsecurity=1") ELSE (set "initsecurity=0") + ) +) + +if %cluster_mode% == 0 ( + if %assumeyes% == 0 ( + echo Cluster mode requires maybe additional setup of: + echo - Virtual memory [vm.max_map_count] + echo. + set /p "response=Enable cluster mode? [y/N] " + if /I "!response!" == "Y" (set "cluster_mode=1") ELSE (set "cluster_mode=0") + ) +) + +set BASE_DIR=%SCRIPT_DIR%\..\..\..\ +if not exist %BASE_DIR% ( + echo "basedir does not exist" + exit /b 1 +) + +set "CUR=%cd%" +cd %BASE_DIR% +set "BASE_DIR=%cd%\" +cd %CUR% +echo Basedir: %BASE_DIR% + +set "OPENSEARCH_CONF_FILE=%BASE_DIR%config\opensearch.yml" +set "INTERNAL_USERS_FILE"=%BASE_DIR%config\opensearch-security\internal_users.yml" +set "OPENSEARCH_CONF_DIR=%BASE_DIR%config\" +set "OPENSEARCH_BIN_DIR=%BASE_DIR%bin\" +set "OPENSEARCH_PLUGINS_DIR=%BASE_DIR%plugins\" +set "OPENSEARCH_MODULES_DIR=%BASE_DIR%modules\" +set "OPENSEARCH_LIB_PATH=%BASE_DIR%lib\" +set "OPENSEARCH_INSTALL_TYPE=.zip" + +if not exist %OPENSEARCH_CONF_FILE% ( + echo Unable to determine OpenSearch config file. Quit. + exit /b 1 +) + +if not exist %OPENSEARCH_BIN_DIR% ( + echo Unable to determine OpenSearch bin directory. Quit. + exit /b 1 +) + +if not exist %OPENSEARCH_PLUGINS_DIR% ( + echo Unable to determine OpenSearch plugins directory. Quit. + exit /b 1 +) + +if not exist %OPENSEARCH_MODULES_DIR% ( + echo Unable to determine OpenSearch modules directory. Quit. + exit /b 1 +) + +if not exist %OPENSEARCH_LIB_PATH% ( + echo Unable to determine OpenSearch lib directory. Quit. + exit /b 1 +) + +if not exist %OPENSEARCH_PLUGINS_DIR%\opensearch-security\ ( + echo OpenSearch Security plugin not installed. Quit. 
+ exit /b 1 ) -cd %CUR_DIR% -if not "%OPENSEARCH_JAVA_HOME%" == "" ( - set "JAVA=%OPENSEARCH_JAVA_HOME%\bin\java.exe" - set JAVA_TYPE=OPENSEARCH_JAVA_HOME -) else if not "%JAVA_HOME%" == "" ( - set "JAVA=%JAVA_HOME%\bin\java.exe" - set JAVA_TYPE=JAVA_HOME +set "OPENSEARCH_VERSION=" +for %%F in ("%OPENSEARCH_LIB_PATH%opensearch-*.jar") do set "OPENSEARCH_VERSION=%%~nxF" & goto :opensearch_version +:opensearch_version +set "OPENSEARCH_JAR_VERSION=" +for /f "tokens=2 delims=[-]" %%a in ("%OPENSEARCH_VERSION%") do set "OPENSEARCH_JAR_VERSION=%%a" + +set "SECURITY_VERSION=" +for %%F in ("%OPENSEARCH_PLUGINS_DIR%\opensearch-security\opensearch-security-*.jar") do set "SECURITY_VERSION=%%~nxF" +set "SECURITY_JAR_VERSION=" +for /f "tokens=3 delims=[-]" %%a in ("%SECURITY_VERSION%") do set "SECURITY_JAR_VERSION=%%a" + +for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set "OS=%%j.%%k") else (set v="%%i.%%j")) +echo OpenSearch install type: %OPENSEARCH_INSTALL_TYPE% on %OS% +echo OpenSearch config dir: %OPENSEARCH_CONF_DIR% +echo OpenSearch config file: %OPENSEARCH_CONF_FILE% +echo OpenSearch bin dir: %OPENSEARCH_BIN_DIR% +echo OpenSearch plugins dir: %OPENSEARCH_PLUGINS_DIR% +echo OpenSearch lib dir: %OPENSEARCH_LIB_PATH% +echo Detected OpenSearch Version: %OPENSEARCH_JAR_VERSION% +echo Detected OpenSearch Security Version: %SECURITY_JAR_VERSION% + +>nul findstr /c:"plugins.security" "%OPENSEARCH_CONF_FILE%" && ( + echo %OPENSEARCH_CONF_FILE% seems to be already configured for Security. Quit. 
+ exit /b %skip_updates% +) + +set LF=^ + + +:: two empty line required after LF +set ADMIN_CERT=-----BEGIN CERTIFICATE-----!LF!^ +MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL!LF!^ +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ +dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT!LF!^ +AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs!LF!^ +aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC!LF!^ +ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs!LF!^ +paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+!LF!^ +O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx!LF!^ +vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6!LF!^ +cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0!LF!^ +bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw!LF!^ +DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME!LF!^ +gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy!LF!^ +LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh!LF!^ +bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB!LF!^ +MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G!LF!^ +xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG!LF!^ +9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m!LF!^ +y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p!LF!^ +fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d!LF!^ +1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec!LF!^ +h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp!LF!^ +RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA==!LF!^ +-----END CERTIFICATE-----!LF! 
+ + +set ADMIN_CERT_KEY=-----BEGIN PRIVATE KEY-----!LF!^ +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp!LF!^ +gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky!LF!^ +AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo!LF!^ +7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB!LF!^ +GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+!LF!^ +b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu!LF!^ +y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4!LF!^ +ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0!LF!^ +TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j!LF!^ +xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ!LF!^ +OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo!LF!^ +1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs!LF!^ +9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs!LF!^ +/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3!LF!^ +qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG!LF!^ +/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv!LF!^ +M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0!LF!^ +0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ!LF!^ +K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5!LF!^ +9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF!LF!^ +RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp!LF!^ +nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5!LF!^ +3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h!LF!^ +mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw!LF!^ +F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs!LF!^ +/AHmo368d4PSNRMMzLHw8Q==!LF!^ +-----END PRIVATE KEY-----!LF! 
+ + +set NODE_CERT=-----BEGIN CERTIFICATE-----!LF!^ +MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL!LF!^ +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ +dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT!LF!^ +AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl!LF!^ +MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA!LF!^ +A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud!LF!^ +yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0!LF!^ +HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr!LF!^ +XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n!LF!^ +dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD!LF!^ +ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R!LF!^ +BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA!LF!^ +AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF!LF!^ +BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo!LF!^ +wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ!LF!^ +KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR!LF!^ +MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27!LF!^ +zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N!LF!^ +1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy!LF!^ +vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L!LF!^ +zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo=!LF!^ +-----END CERTIFICATE-----!LF! 
+ + +set NODE_KEY=-----BEGIN PRIVATE KEY-----!LF!^ +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv!LF!^ +bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0!LF!^ +o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50!LF!^ +1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1!LF!^ +MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b!LF!^ +6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa!LF!^ +vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo!LF!^ +FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ!LF!^ +5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O!LF!^ +zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ!LF!^ +xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow!LF!^ +dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn!LF!^ +7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U!LF!^ +hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej!LF!^ +VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B!LF!^ +Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c!LF!^ +uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy!LF!^ +hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv!LF!^ +hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/!LF!^ +A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh!LF!^ +KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX!LF!^ +GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f!LF!^ +5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud!LF!^ +tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71!LF!^ ++x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT!LF!^ +bg/ch9Rhxbq22yrVgWHh6epp!LF!^ +-----END PRIVATE KEY-----!LF! 
+ + +set ROOT_CA=-----BEGIN CERTIFICATE-----!LF!^ +MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL!LF!^ +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt!LF!^ +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl!LF!^ +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v!LF!^ +dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm!LF!^ +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ!LF!^ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290!LF!^ +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG!LF!^ +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU!LF!^ +j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4!LF!^ +U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg!LF!^ +vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA!LF!^ +WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969!LF!^ +VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW!LF!^ +MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU!LF!^ +F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4!LF!^ +uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ!LF!^ +k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD!LF!^ +VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg!LF!^ +Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN!LF!^ +AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f!LF!^ +qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i!LF!^ +jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD!LF!^ +jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae!LF!^ +dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du!LF!^ +8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y=!LF!^ +-----END CERTIFICATE-----!LF! + + +echo !ADMIN_CERT! > "%OPENSEARCH_CONF_DIR%kirk.pem" +echo !NODE_CERT! 
> "%OPENSEARCH_CONF_DIR%esnode.pem" +echo !ROOT_CA! > "%OPENSEARCH_CONF_DIR%root-ca.pem" +echo !NODE_KEY! > "%OPENSEARCH_CONF_DIR%esnode-key.pem" +echo !ADMIN_CERT_KEY! > "%OPENSEARCH_CONF_DIR%kirk-key.pem" + +echo. >> "%OPENSEARCH_CONF_FILE%" +echo ######## Start OpenSearch Security Demo Configuration ######## >> "%OPENSEARCH_CONF_FILE%" +echo # WARNING: revise all the lines below before you go into production >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.transport.pemcert_filepath: esnode.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.transport.enforce_hostname_verification: false >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.http.enabled: true >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.http.pemcert_filepath: esnode.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.http.pemkey_filepath: esnode-key.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.allow_unsafe_democertificates: true >> "%OPENSEARCH_CONF_FILE%" +if %initsecurity% == 1 ( + echo plugins.security.allow_default_init_securityindex: true >> "%OPENSEARCH_CONF_FILE%" +) +echo plugins.security.authcz.admin_dn: >> "%OPENSEARCH_CONF_FILE%" +echo - CN=kirk,OU=client,O=client,L=test, C=de >> "%OPENSEARCH_CONF_FILE%" +echo. 
>> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.audit.type: internal_opensearch >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%" + +setlocal enabledelayedexpansion + +set "ADMIN_PASSWORD_FILE=%OPENSEARCH_CONF_DIR%initialAdminPassword.txt" +set "INTERNAL_USERS_FILE=%OPENSEARCH_CONF_DIR%opensearch-security\internal_users.yml" + +echo "what is in the config directory" +dir %OPENSEARCH_CONF_DIR% + +echo "what is in the password file" +type "%ADMIN_PASSWORD_FILE%" + + +if "%initialAdminPassword%" NEQ "" ( + set "ADMIN_PASSWORD=!initialAdminPassword!" 
) else ( - set "JAVA=%OPENSEARCH_HOME%\jdk\bin\java.exe" - set "JAVA_HOME=%OPENSEARCH_HOME%\jdk" - set JAVA_TYPE=bundled jdk + for /f %%a in ('type "%ADMIN_PASSWORD_FILE%"') do set "ADMIN_PASSWORD=%%a" ) -if not exist "%JAVA%" ( - echo "could not find java in %JAVA_TYPE% at %JAVA%" >&2 +if not defined ADMIN_PASSWORD ( + echo Unable to find the admin password for the cluster. Please set initialAdminPassword or create a file %ADMIN_PASSWORD_FILE% with a single line that contains the password. exit /b 1 ) -"%JAVA%" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.democonfig.Installer %DIR% %* 2> nul +echo " ***************************************************" +echo " *** ADMIN PASSWORD SET TO: %ADMIN_PASSWORD% ***" +echo " ***************************************************" + +set "HASH_SCRIPT=%OPENSEARCH_PLUGINS_DIR%\opensearch-security\tools\hash.bat" + +REM Run the command and capture its output +for /f %%a in ('%HASH_SCRIPT% -p !ADMIN_PASSWORD!') do ( + set "HASHED_ADMIN_PASSWORD=%%a" +) + +if errorlevel 1 ( + echo Failed to hash the admin password + exit /b 1 +) + +set "default_line= hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"" +set "search=%default_line%" +set "replace= hash: "%HASHED_ADMIN_PASSWORD%"" + +setlocal enableextensions +for /f "delims=" %%i in ('type "%INTERNAL_USERS_FILE%" ^& break ^> "%INTERNAL_USERS_FILE%" ') do ( + set "line=%%i" + setlocal enabledelayedexpansion + >>"%INTERNAL_USERS_FILE%" echo(!line:%search%=%replace%! 
+ endlocal
+)
+
+:: network.host
+>nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (
+ echo network.host already present
+) || (
+ if %cluster_mode% == 1 (
+ echo network.host: 0.0.0.0 >> "%OPENSEARCH_CONF_FILE%"
+ echo node.name: smoketestnode >> "%OPENSEARCH_CONF_FILE%"
+ echo cluster.initial_cluster_manager_nodes: smoketestnode >> "%OPENSEARCH_CONF_FILE%"
+ )
+)
+
+>nul findstr /b /c:"node.max_local_storage_nodes" "%OPENSEARCH_CONF_FILE%" && (
+ echo node.max_local_storage_nodes already present
+) || (
+ echo node.max_local_storage_nodes: 3 >> "%OPENSEARCH_CONF_FILE%"
+)
+
+echo ######## End OpenSearch Security Demo Configuration ######## >> "%OPENSEARCH_CONF_FILE%"
+
+echo ### Success
+echo ### Execute this script now on all your nodes and then start all nodes
+:: Generate securityadmin_demo.bat
+echo. > securityadmin_demo.bat
+echo %OPENSEARCH_PLUGINS_DIR%opensearch-security\tools\securityadmin.bat -cd %OPENSEARCH_CONF_DIR%opensearch-security -icl -key %OPENSEARCH_CONF_DIR%kirk-key.pem -cert %OPENSEARCH_CONF_DIR%kirk.pem -cacert %OPENSEARCH_CONF_DIR%root-ca.pem -nhnv >> securityadmin_demo.bat
+
+if %initsecurity% == 0 (
+ echo ### After the whole cluster is up execute:
+ type securityadmin_demo.bat
+ echo ### or run ./securityadmin_demo.bat
+ echo ### After that you can also use the Security Plugin ConfigurationGUI
+) else (
+ echo ### OpenSearch Security will be automatically initialized.
+ echo ### If you like to change the runtime configuration
+ echo ### change the files in ../../../config/opensearch-security and execute:
+ type securityadmin_demo.bat
+ echo ### or run ./securityadmin_demo.bat
+ echo ### To use the Security Plugin ConfigurationGUI
+)
+
+echo ### To access your secured cluster open https://: and log in with admin/admin.
+echo ### [Ignore the SSL certificate warning because we installed self-signed demo certificates]
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
index d3a3ae8f75..01bc1bfed1 100755
--- a/tools/install_demo_configuration.sh
+++ b/tools/install_demo_configuration.sh
@@ -1,14 +1,10 @@
 #!/bin/bash
 #install_demo_configuration.sh [-y]
-UNAME=$(uname -s)
-if [ "$UNAME" = "FreeBSD" ]; then
- OS="freebsd"
-elif [ "$UNAME" = "Darwin" ]; then
- OS="darwin"
-else
- OS="other"
-fi
+echo "**************************************************************************"
+echo "** This tool will be deprecated in the next major release of OpenSearch **"
+echo "** https://github.com/opensearch-project/security/issues/1755 **"
+echo "**************************************************************************"
 SCRIPT_PATH="${BASH_SOURCE[0]}"
 if ! [ -x "$(command -v realpath)" ]; then
@@ -25,40 +21,455 @@ else
 DIR="$( cd "$( dirname "$(realpath "$SCRIPT_PATH")" )" && pwd -P)"
 fi
+echo "OpenSearch Security Demo Installer"
+echo " ** Warning: Do not use on production or public reachable systems **"
+
+OPTIND=1
+assumeyes=0
+initsecurity=0
+cluster_mode=0
+skip_updates=-1
+
+function show_help() {
+ echo "install_demo_configuration.sh [-y] [-i] [-c]"
+ echo " -h show help"
+ echo " -y confirm all installation dialogues automatically"
+ echo " -i initialize Security plugin with default configuration (default is to ask if -y is not given)"
+ echo " -c enable cluster mode by binding to all network interfaces (default is to ask if -y is not given)"
+ echo " -s skip updates if config is already applied to opensearch.yml"
+}
+
+while getopts "h?yics" opt; do
+ case "$opt" in
+ h|\?)
+ show_help
+ exit 0
+ ;;
+ y) assumeyes=1
+ ;;
+ i) initsecurity=1
+ ;;
+ c) cluster_mode=1
+ ;;
+ s) skip_updates=0
+ esac
+done
+
+shift $((OPTIND-1))
+
+[ "$1" = "--" ] && shift
+
+if [ "$assumeyes" == 0 ]; then
+ read -r -p "Install demo certificates? [y/N] " response
+ case "$response" in
+ [yY][eE][sS]|[yY])
+ ;;
+ *)
+ exit 0
+ ;;
+ esac
+fi
+
+if [ "$initsecurity" == 0 ] && [ "$assumeyes" == 0 ]; then
+ read -r -p "Initialize Security Modules? [y/N] " response
+ case "$response" in
+ [yY][eE][sS]|[yY])
+ initsecurity=1
+ ;;
+ *)
+ initsecurity=0
+ ;;
+ esac
+fi
-if [ -z "$OPENSEARCH_HOME" ]; then
- # move to opensearch root folder and set the variable
- OPENSEARCH_HOME=`cd "$DIR/../../.."; pwd`
+if [ "$cluster_mode" == 0 ] && [ "$assumeyes" == 0 ]; then
+ echo "Cluster mode requires maybe additional setup of:"
+ echo " - Virtual memory (vm.max_map_count)"
+ echo ""
+ read -r -p "Enable cluster mode? 
[y/N] " response
+ case "$response" in
+ [yY][eE][sS]|[yY])
+ cluster_mode=1
+ ;;
+ *)
+ cluster_mode=0
+ ;;
+ esac
 fi
-# now set the path to java: OPENSEARCH_JAVA_HOME -> JAVA_HOME -> bundled JRE -> bundled JDK
-if [ -n "$OPENSEARCH_JAVA_HOME" ]; then
- JAVA="$OPENSEARCH_JAVA_HOME/bin/java"
- JAVA_TYPE="OPENSEARCH_JAVA_HOME"
-elif [ -n "$JAVA_HOME" ]; then
- JAVA="$JAVA_HOME/bin/java"
- JAVA_TYPE="JAVA_HOME"
+set -e
+BASE_DIR="$DIR/../../.."
+if [ -d "$BASE_DIR" ]; then
+ CUR="$(pwd)"
+ cd "$BASE_DIR"
+ BASE_DIR="$(pwd)"
+ cd "$CUR"
+ echo "Basedir: $BASE_DIR"
 else
- if [ "$OS" = "darwin" ]; then
- # macOS bundled Java
- JAVA="$OPENSEARCH_HOME/jdk.app/Contents/Home/bin/java"
- JAVA_TYPE="bundled jdk"
- elif [ "$OS" = "freebsd" ]; then
- # using FreeBSD default java from ports if JAVA_HOME is not set
- JAVA="/usr/local/bin/java"
- JAVA_TYPE="bundled jdk"
- elif [ -d "$OPENSEARCH_HOME/jre" ]; then
- JAVA="$OPENSEARCH_HOME/jre/bin/java"
- JAVA_TYPE="bundled jre"
- else
- JAVA="$OPENSEARCH_HOME/jdk/bin/java"
- JAVA_TYPE="bundled jdk"
- fi
-fi
-
-if [ ! -x "$JAVA" ]; then
- echo "could not find java in $JAVA_TYPE at $JAVA" >&2
- exit 1
-fi
-
-"$JAVA" -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "$DIR/../*:$DIR/../../../lib/*:$DIR/../deps/*" org.opensearch.security.tools.democonfig.Installer "$DIR" "$@" 2>/dev/null
+ echo "DEBUG: basedir does not exist"
+fi
+
+OPENSEARCH_CONF_FILE="$BASE_DIR/config/opensearch.yml"
+OPENSEARCH_BIN_DIR="$BASE_DIR/bin"
+OPENSEARCH_PLUGINS_DIR="$BASE_DIR/plugins"
+OPENSEARCH_MODULES_DIR="$BASE_DIR/modules"
+OPENSEARCH_LIB_PATH="$BASE_DIR/lib"
+SUDO_CMD=""
+OPENSEARCH_INSTALL_TYPE=".tar.gz"
+
+#Check if its a rpm/deb install
+if [ "/usr/share/opensearch" -ef "$BASE_DIR" ]; then
+ OPENSEARCH_CONF_FILE="/usr/share/opensearch/config/opensearch.yml"
+
+ if [ ! 
-f "$OPENSEARCH_CONF_FILE" ]; then
+ OPENSEARCH_CONF_FILE="/etc/opensearch/opensearch.yml"
+ fi
+
+ if [ -x "$(command -v sudo)" ]; then
+ SUDO_CMD="sudo"
+ echo "This script maybe require your root password for 'sudo' privileges"
+ fi
+
+ OPENSEARCH_INSTALL_TYPE="rpm/deb"
+fi
+
+if [ $SUDO_CMD ]; then
+ if ! [ -x "$(command -v $SUDO_CMD)" ]; then
+ echo "Unable to locate 'sudo' command. Quit."
+ exit 1
+ fi
+fi
+
+if $SUDO_CMD test -f "$OPENSEARCH_CONF_FILE"; then
+ :
+else
+ echo "Unable to determine OpenSearch config directory. Quit."
+ exit -1
+fi
+
+if [ ! -d "$OPENSEARCH_BIN_DIR" ]; then
+ echo "Unable to determine OpenSearch bin directory. Quit."
+ exit -1
+fi
+
+if [ ! -d "$OPENSEARCH_PLUGINS_DIR" ]; then
+ echo "Unable to determine OpenSearch plugins directory. Quit."
+ exit -1
+fi
+
+if [ ! -d "$OPENSEARCH_MODULES_DIR" ]; then
+ echo "Unable to determine OpenSearch modules directory. Quit."
+ #exit -1
+fi
+
+if [ ! -d "$OPENSEARCH_LIB_PATH" ]; then
+ echo "Unable to determine OpenSearch lib directory. Quit."
+ exit -1
+fi
+
+OPENSEARCH_CONF_DIR=$(dirname "${OPENSEARCH_CONF_FILE}")
+OPENSEARCH_CONF_DIR=`cd "$OPENSEARCH_CONF_DIR" ; pwd`
+
+if [ ! -d "$OPENSEARCH_PLUGINS_DIR/opensearch-security" ]; then
+ echo "OpenSearch Security plugin not installed. Quit." 
+ exit -1
+fi
+
+OPENSEARCH_VERSION=("$OPENSEARCH_LIB_PATH/opensearch-*.jar")
+OPENSEARCH_VERSION=$(echo $OPENSEARCH_VERSION | sed 's/.*opensearch-\(.*\)\.jar/\1/')
+
+SECURITY_VERSION=("$OPENSEARCH_PLUGINS_DIR/opensearch-security/opensearch-security-*.jar")
+SECURITY_VERSION=$(echo $SECURITY_VERSION | sed 's/.*opensearch-security-\(.*\)\.jar/\1/')
+
+OS=$(sb_release -ds 2>/dev/null || cat /etc/*release 2>/dev/null | head -n1 || uname -om)
+echo "OpenSearch install type: $OPENSEARCH_INSTALL_TYPE on $OS"
+echo "OpenSearch config dir: $OPENSEARCH_CONF_DIR"
+echo "OpenSearch config file: $OPENSEARCH_CONF_FILE"
+echo "OpenSearch bin dir: $OPENSEARCH_BIN_DIR"
+echo "OpenSearch plugins dir: $OPENSEARCH_PLUGINS_DIR"
+echo "OpenSearch lib dir: $OPENSEARCH_LIB_PATH"
+echo "Detected OpenSearch Version: $OPENSEARCH_VERSION"
+echo "Detected OpenSearch Security Version: $SECURITY_VERSION"
+
+if $SUDO_CMD grep --quiet -i plugins.security "$OPENSEARCH_CONF_FILE"; then
+ echo "$OPENSEARCH_CONF_FILE seems to be already configured for Security. Quit." 
+ exit $skip_updates +fi + +set +e + +read -r -d '' ADMIN_CERT << EOM +-----BEGIN CERTIFICATE----- +MIIEmDCCA4CgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iYwDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA4MjkyMDA2MzdaFw0zMzA4MjYyMDA2MzdaME0xCzAJBgNVBAYT +AmRlMQ0wCwYDVQQHDAR0ZXN0MQ8wDQYDVQQKDAZjbGllbnQxDzANBgNVBAsMBmNs +aWVudDENMAsGA1UEAwwEa2lyazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAJVcOAQlCiuB9emCljROAXnlsPbG7PE3kNz2sN+BbGuw686Wgyl3uToVHvVs +paMmLUqm1KYz9wMSWTIBZgpJ9hYaIbGxD4RBb7qTAJ8Q4ddCV2f7T4lxao/6ixI+ +O0l/BG9E3mRGo/r0w+jtTQ3aR2p6eoxaOYbVyEMYtFI4QZTkcgGIPGxm05y8xonx +vV5pbSW9L7qAVDzQC8EYGQMMI4ccu0NcHKWtmTYJA/wDPE2JwhngHwbcIbc4cDz6 +cG0S3FmgiKGuuSqUy35v/k3y7zMHQSdx7DSR2tzhH/bBL/9qGvpT71KKrxPtaxS0 +bAqPcEkKWDo7IMlGGW7LaAWfGg8CAwEAAaOCASswggEnMAwGA1UdEwEB/wQCMAAw +DgYDVR0PAQH/BAQDAgXgMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMIHPBgNVHSME +gccwgcSAFBeH36Ba62YSp9XQ+LoSRTy3KwCcoYGVpIGSMIGPMRMwEQYKCZImiZPy +LGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhh +bXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENB +MSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCFHfkrz782p+T9k0G +xGeM4+BrehWKMB0GA1UdDgQWBBSjMS8tgguX/V7KSGLoGg7K6XMzIDANBgkqhkiG +9w0BAQsFAAOCAQEANMwD1JYlwAh82yG1gU3WSdh/tb6gqaSzZK7R6I0L7slaXN9m +y2ErUljpTyaHrdiBFmPhU/2Kj2r+fIUXtXdDXzizx/JdmueT0nG9hOixLqzfoC9p +fAhZxM62RgtyZoaczQN82k1/geMSwRpEndFe3OH7arkS/HSbIFxQhAIy229eWe5d +1bUzP59iu7f3r567I4ob8Vy7PP+Ov35p7Vv4oDHHwgsdRzX6pvL6mmwVrQ3BfVec +h9Dqprr+ukYmjho76g6k5cQuRaB6MxqldzUg+2E7IHQP8MCF+co51uZq2nl33mtp +RGr6JbdHXc96zsLTL3saJQ8AWEfu1gbTVrwyRA== +-----END CERTIFICATE----- +EOM + +read -r -d '' ADMIN_CERT_KEY << EOM +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVXDgEJQorgfXp +gpY0TgF55bD2xuzxN5Dc9rDfgWxrsOvOloMpd7k6FR71bKWjJi1KptSmM/cDElky 
+AWYKSfYWGiGxsQ+EQW+6kwCfEOHXQldn+0+JcWqP+osSPjtJfwRvRN5kRqP69MPo +7U0N2kdqenqMWjmG1chDGLRSOEGU5HIBiDxsZtOcvMaJ8b1eaW0lvS+6gFQ80AvB +GBkDDCOHHLtDXBylrZk2CQP8AzxNicIZ4B8G3CG3OHA8+nBtEtxZoIihrrkqlMt+ +b/5N8u8zB0Encew0kdrc4R/2wS//ahr6U+9Siq8T7WsUtGwKj3BJClg6OyDJRhlu +y2gFnxoPAgMBAAECggEAP5TOycDkx+megAWVoHV2fmgvgZXkBrlzQwUG/VZQi7V4 +ZGzBMBVltdqI38wc5MtbK3TCgHANnnKgor9iq02Z4wXDwytPIiti/ycV9CDRKvv0 +TnD2hllQFjN/IUh5n4thHWbRTxmdM7cfcNgX3aZGkYbLBVVhOMtn4VwyYu/Mxy8j +xClZT2xKOHkxqwmWPmdDTbAeZIbSv7RkIGfrKuQyUGUaWhrPslvYzFkYZ0umaDgQ +OAthZew5Bz3OfUGOMPLH61SVPuJZh9zN1hTWOvT65WFWfsPd2yStI+WD/5PU1Doo +1RyeHJO7s3ug8JPbtNJmaJwHe9nXBb/HXFdqb976yQKBgQDNYhpu+MYSYupaYqjs +9YFmHQNKpNZqgZ4ceRFZ6cMJoqpI5dpEMqToFH7tpor72Lturct2U9nc2WR0HeEs +/6tiptyMPTFEiMFb1opQlXF2ae7LeJllntDGN0Q6vxKnQV+7VMcXA0Y8F7tvGDy3 +qJu5lfvB1mNM2I6y/eMxjBuQhwKBgQC6K41DXMFro0UnoO879pOQYMydCErJRmjG +/tZSy3Wj4KA/QJsDSViwGfvdPuHZRaG9WtxdL6kn0w1exM9Rb0bBKl36lvi7o7xv +M+Lw9eyXMkww8/F5d7YYH77gIhGo+RITkKI3+5BxeBaUnrGvmHrpmpgRXWmINqr0 +0jsnN3u0OQKBgCf45vIgItSjQb8zonLz2SpZjTFy4XQ7I92gxnq8X0Q5z3B+o7tQ +K/4rNwTju/sGFHyXAJlX+nfcK4vZ4OBUJjP+C8CTjEotX4yTNbo3S6zjMyGQqDI5 +9aIOUY4pb+TzeUFJX7If5gR+DfGyQubvvtcg1K3GHu9u2l8FwLj87sRzAoGAflQF +RHuRiG+/AngTPnZAhc0Zq0kwLkpH2Rid6IrFZhGLy8AUL/O6aa0IGoaMDLpSWUJp +nBY2S57MSM11/MVslrEgGmYNnI4r1K25xlaqV6K6ztEJv6n69327MS4NG8L/gCU5 +3pEm38hkUi8pVYU7in7rx4TCkrq94OkzWJYurAkCgYATQCL/rJLQAlJIGulp8s6h +mQGwy8vIqMjAdHGLrCS35sVYBXG13knS52LJHvbVee39AbD5/LlWvjJGlQMzCLrw +F7oILW5kXxhb8S73GWcuMbuQMFVHFONbZAZgn+C9FW4l7XyRdkrbR1MRZ2km8YMs +/AHmo368d4PSNRMMzLHw8Q== +-----END PRIVATE KEY----- +EOM + +read -r -d '' NODE_CERT << EOM +-----BEGIN CERTIFICATE----- +MIIEPDCCAySgAwIBAgIUZjrlDPP8azRDPZchA/XEsx0X2iIwDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA4MjkwNDIzMTJaFw0zMzA4MjYwNDIzMTJaMFcxCzAJBgNVBAYT 
+AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl +MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud +yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0 +HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr +XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n +dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD +ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R +BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA +AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo +wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ +KoZIhvcNAQELBQADggEBAD2hkndVih6TWxoe/oOW0i2Bq7ScNO/n7/yHWL04HJmR +MaHv/Xjc8zLFLgHuHaRvC02ikWIJyQf5xJt0Oqu2GVbqXH9PBGKuEP2kCsRRyU27 +zTclAzfQhqmKBTYQ/3lJ3GhRQvXIdYTe+t4aq78TCawp1nSN+vdH/1geG6QjMn5N +1FU8tovDd4x8Ib/0dv8RJx+n9gytI8n/giIaDCEbfLLpe4EkV5e5UNpOnRgJjjuy +vtZutc81TQnzBtkS9XuulovDE0qI+jQrKkKu8xgGLhgH0zxnPkKtUg2I3Aq6zl1L +zYkEOUF8Y25J6WeY88Yfnc0iigI+Pnz5NK8R9GL7TYo= +-----END CERTIFICATE----- +EOM + +read -r -d '' NODE_KEY << EOM +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCm93kXteDQHMAv +bUPNPW5pyRHKDD42XGWSgq0k1D29C/UdyL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0 +o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0HGkn47XVu3EwbfrTENg3jFu+Oem6a/50 +1SzITzJWtS0cn2dIFOBimTVpT/4Zv5qrXA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1 +MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8ndibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b +6l+KLo3IKpfTbAIJXIO+M67FLtWKtttDao94B069skzKk6FPgW/OZh6PRCD0oxOa +vV+ld2SjAgMBAAECggEAQK1+uAOZeaSZggW2jQut+MaN4JHLi61RH2cFgU3COLgo +FIiNjFn8f2KKU3gpkt1It8PjlmprpYut4wHI7r6UQfuv7ZrmncRiPWHm9PB82+ZQ +5MXYqj4YUxoQJ62Cyz4sM6BobZDrjG6HHGTzuwiKvHHkbsEE9jQ4E5m7yfbVvM0O +zvwrSOM1tkZihKSTpR0j2+taji914tjBssbn12TMZQL5ItGnhR3luY8mEwT9MNkZ +xg0VcREoAH+pu9FE0vPUgLVzhJ3be7qZTTSRqv08bmW+y1plu80GbppePcgYhEow 
+dlW4l6XPJaHVSn1lSFHE6QAx6sqiAnBz0NoTPIaLyQKBgQDZqDOlhCRciMRicSXn +7yid9rhEmdMkySJHTVFOidFWwlBcp0fGxxn8UNSBcXdSy7GLlUtH41W9PWl8tp9U +hQiiXORxOJ7ZcB80uNKXF01hpPj2DpFPWyHFxpDkWiTAYpZl68rOlYujxZUjJIej +VvcykBC2BlEOG9uZv2kxcqLyJwKBgQDEYULTxaTuLIa17wU3nAhaainKB3vHxw9B +Ksy5p3ND43UNEKkQm7K/WENx0q47TA1mKD9i+BhaLod98mu0YZ+BCUNgWKcBHK8c +uXpauvM/pLhFLXZ2jvEJVpFY3J79FSRK8bwE9RgKfVKMMgEk4zOyZowS8WScOqiy +hnQn1vKTJQKBgElhYuAnl9a2qXcC7KOwRsJS3rcKIVxijzL4xzOyVShp5IwIPbOv +hnxBiBOH/JGmaNpFYBcBdvORE9JfA4KMQ2fx53agfzWRjoPI1/7mdUk5RFI4gRb/ +A3jZRBoopgFSe6ArCbnyQxzYzToG48/Wzwp19ZxYrtUR4UyJct6f5n27AoGBAJDh +KIpQQDOvCdtjcbfrF4aM2DPCfaGPzENJriwxy6oEPzDaX8Bu/dqI5Ykt43i/zQrX +GpyLaHvv4+oZVTiI5UIvcVO9U8hQPyiz9f7F+fu0LHZs6f7hyhYXlbe3XFxeop3f +5dTKdWgXuTTRF2L9dABkA2deS9mutRKwezWBMQk5AoGBALPtX0FrT1zIosibmlud +tu49A/0KZu4PBjrFMYTSEWGNJez3Fb2VsJwylVl6HivwbP61FhlYfyksCzQQFU71 ++x7Nmybp7PmpEBECr3deoZKQ/acNHn0iwb0It+YqV5+TquQebqgwK6WCLsMuiYKT +bg/ch9Rhxbq22yrVgWHh6epp +-----END PRIVATE KEY----- +EOM + +read -r -d '' ROOT_CA << EOM +-----BEGIN CERTIFICATE----- +MIIExjCCA66gAwIBAgIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcNAQEL +BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt +cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl +IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v +dCBDQTAeFw0yMzA4MjkwNDIwMDNaFw0yMzA5MjgwNDIwMDNaMIGPMRMwEQYKCZIm +iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ +RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290 +IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU +j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4 +U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg +vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA +WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969 +VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW 
+MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU +F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4 +uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ +k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD +VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg +Q29tIEluYy4gUm9vdCBDQYIUd+SvPvzan5P2TQbEZ4zj4Gt6FYowDQYJKoZIhvcN +AQELBQADggEBAIopqco/k9RSjouTeKP4z0EVUxdD4qnNh1GLSRqyAVe0aChyKF5f +qt1Bd1XCY8D16RgekkKGHDpJhGCpel+vtIoXPBxUaGQNYxmJCf5OzLMODlcrZk5i +jHIcv/FMeK02NBcz/WQ3mbWHVwXLhmwqa2zBsF4FmPCJAbFLchLhkAv1HJifHbnD +jQzlKyl5jxam/wtjWxSm0iyso0z2TgyzY+MESqjEqB1hZkCFzD1xtUOCxbXgtKae +dgfHVFuovr3fNLV3GvQk0s9okDwDUcqV7DSH61e5bUMfE84o3of8YA7+HUoPV5Du +8sTOKRf7ncGXdDRA8aofW268pTCuIu3+g/Y= +-----END CERTIFICATE----- +EOM + +set -e + +echo "$ADMIN_CERT" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/kirk.pem" > /dev/null +echo "$NODE_CERT" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/esnode.pem" > /dev/null +echo "$ROOT_CA" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/root-ca.pem" > /dev/null +echo "$NODE_KEY" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/esnode-key.pem" > /dev/null +echo "$ADMIN_CERT_KEY" | $SUDO_CMD tee "$OPENSEARCH_CONF_DIR/kirk-key.pem" > /dev/null + +chmod 0600 "$OPENSEARCH_CONF_DIR/kirk.pem" +chmod 0600 "$OPENSEARCH_CONF_DIR/esnode.pem" +chmod 0600 "$OPENSEARCH_CONF_DIR/root-ca.pem" +chmod 0600 "$OPENSEARCH_CONF_DIR/esnode-key.pem" +chmod 0600 "$OPENSEARCH_CONF_DIR/kirk-key.pem" + +echo "" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" +echo "######## Start OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +echo "# WARNING: revise all the lines below before you go into production" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +echo "plugins.security.ssl.transport.pemcert_filepath: esnode.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +echo "plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem" | $SUDO_CMD tee -a 
"$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.transport.enforce_hostname_verification: false" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.http.enabled: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.http.pemcert_filepath: esnode.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.http.pemkey_filepath: esnode-key.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.allow_unsafe_democertificates: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+if [ "$initsecurity" == 1 ]; then
+ echo "plugins.security.allow_default_init_securityindex: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+fi
+echo "plugins.security.authcz.admin_dn:" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo " - CN=kirk,OU=client,O=client,L=test, C=de" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.audit.type: internal_opensearch" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.indices: [".plugins-ml-config", 
".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+
+## Read the admin password from the file or use the initialAdminPassword if set
+ADMIN_PASSWORD_FILE="$OPENSEARCH_CONF_DIR/initialAdminPassword.txt"
+INTERNAL_USERS_FILE="$OPENSEARCH_CONF_DIR/opensearch-security/internal_users.yml"
+
+if [[ -n "$initialAdminPassword" ]]; then
+ ADMIN_PASSWORD="$initialAdminPassword"
+elif [[ -f "$ADMIN_PASSWORD_FILE" && -s "$ADMIN_PASSWORD_FILE" ]]; then
+ ADMIN_PASSWORD=$(head -n 1 "$ADMIN_PASSWORD_FILE")
+else
+ echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=' or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."
+ exit 1
+fi
+
+echo " ***************************************************"
+echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***"
+echo " ***************************************************"
+
+$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh"
+
+# Use the Hasher script to hash the admin password
+HASHED_ADMIN_PASSWORD=$($OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/hash.sh -p "$ADMIN_PASSWORD" | tail -n 1)
+
+if [ $? 
-ne 0 ]; then
+ echo "Hash the admin password failure, see console for details"
+ exit 1
+fi
+
+# Find the line number containing 'admin:' in the internal_users.yml file
+ADMIN_HASH_LINE=$(grep -n 'admin:' "$INTERNAL_USERS_FILE" | cut -f1 -d:)
+
+awk -v hashed_admin_password="$HASHED_ADMIN_PASSWORD" '
+ /^ *hash: *"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/ {
+ sub(/"\$2a\$12\$VcCDgh2NDk07JGN0rjGbM.Ad41qVR\/YFJcgHp0UGns5JDymv..TOG"/, "\"" hashed_admin_password "\"");
+ }
+ { print }
+' "$INTERNAL_USERS_FILE" > temp_file && mv temp_file "$INTERNAL_USERS_FILE"
+
+#network.host
+if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
+ : #already present
+else
+ if [ "$cluster_mode" == 1 ]; then
+ echo "network.host: 0.0.0.0" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+ echo "node.name: smoketestnode" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+ echo "cluster.initial_cluster_manager_nodes: smoketestnode" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+ fi
+fi
+
+if $SUDO_CMD grep --quiet -i "^node.max_local_storage_nodes" "$OPENSEARCH_CONF_FILE"; then
+ : #already present
+else
+ echo 'node.max_local_storage_nodes: 3' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+fi
+
+
+
+echo "######## End OpenSearch Security Demo Configuration ########" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+
+$SUDO_CMD chmod +x "$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh"
+
+OPENSEARCH_PLUGINS_DIR=`cd "$OPENSEARCH_PLUGINS_DIR" ; pwd`
+
+echo "### Success"
+echo "### Execute this script now on all your nodes and then start all nodes"
+#Generate securityadmin_demo.sh
+echo "#!/bin/bash" | $SUDO_CMD tee securityadmin_demo.sh > /dev/null
+echo $SUDO_CMD \""$OPENSEARCH_PLUGINS_DIR/opensearch-security/tools/securityadmin.sh"\" -cd \""$OPENSEARCH_CONF_DIR/opensearch-security"\" -icl -key \""$OPENSEARCH_CONF_DIR/kirk-key.pem"\" -cert \""$OPENSEARCH_CONF_DIR/kirk.pem"\" -cacert 
\""$OPENSEARCH_CONF_DIR/root-ca.pem"\" -nhnv | $SUDO_CMD tee -a securityadmin_demo.sh > /dev/null
+$SUDO_CMD chmod +x securityadmin_demo.sh
+
+if [ "$initsecurity" == 0 ]; then
+ echo "### After the whole cluster is up execute: "
+ $SUDO_CMD cat securityadmin_demo.sh | tail -1
+ echo "### or run ./securityadmin_demo.sh"
+ echo "### After that you can also use the Security Plugin ConfigurationGUI"
+else
+ echo "### OpenSearch Security will be automatically initialized."
+ echo "### If you like to change the runtime configuration "
+ echo "### change the files in ../../../config/opensearch-security and execute: "
+ $SUDO_CMD cat securityadmin_demo.sh | tail -1
+ echo "### or run ./securityadmin_demo.sh"
+ echo "### To use the Security Plugin ConfigurationGUI"
+fi
+
+echo "### To access your secured cluster open https://: and log in with admin/admin."
+echo "### (Ignore the SSL certificate warning because we installed self-signed demo certificates)"
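Review bot: The restored password handling prints the admin password in clear text (`echo " *** ADMIN PASSWORD SET TO: $ADMIN_PASSWORD ***"`) and also passes it as an argv to `hash.sh -p "$ADMIN_PASSWORD"`, so it ends up in terminal scrollback, CI logs and in `ps` output visible to other users on the host; the echo should be reduced to a confirmation without the value, e.g. `echo " *** ADMIN PASSWORD SET (from initialAdminPassword or $ADMIN_PASSWORD_FILE) ***"`. The failure check after it is ineffective: `HASHED_ADMIN_PASSWORD=$(… hash.sh -p "$ADMIN_PASSWORD" | tail -n 1)` followed by `if [ $? -ne 0 ]` tests the status of `tail`, not of `hash.sh`, so a failed hash goes unnoticed and an empty or bogus value is written into internal_users.yml by the `awk` rewrite; add `set -o pipefail` before the assignment or check `${PIPESTATUS[0]}`. The five `chmod 0600 "$OPENSEARCH_CONF_DIR/…pem"` lines lack the `$SUDO_CMD` prefix that the `tee` writes just above use, so on an rpm/deb install where the files were created through sudo the chmod presumably fails and the re-enabled `set -e` aborts the script after the certificates have already been written. `OS=$(sb_release -ds …)` looks like a typo for `lsb_release` that is masked by the `||` fallback. Smaller points: the `awk … > temp_file && mv temp_file "$INTERNAL_USERS_FILE"` rewrite uses a fixed file name in the current directory instead of `mktemp`, `ADMIN_HASH_LINE` is computed but never used, and the closing `log in with admin/admin` message no longer matches the password the script just configured.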