Get more of the BWC tests running

Signed-off-by: Peter Nied <[email protected]>
stephen-crawford · Aug 14, 2023 · 568c468 · 568c468
1 parent f96bd78
commit 568c468
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 59 deletions.
diff --git a/bwc-test/README.md b/bwc-test/README.md
@@ -0,0 +1,57 @@
+## Run BWC Tests
+
+### Setup env var
+```sh
+export GIT_PROJECT_ROOT="/home/petern/git" # Change as needed
+```
+
+### Build OpenSearch with the patch
+```sh
+cd ~/git/OpenSearch/
+git remote add scrawfor99 https://github.com/scrawfor99/OpenSearch.git
+git fetch scrawfor99
+git checkout scrawfor99/bwcFix
+git merge origin/main
+./gradlew build-tools:publishToMavenLocal
+./gradlew distribution:archives:linux-tar:assemble
+```
+
+### Build security
+```sh
+cd ../security
+git remote add scrawfor99 https://github.com/scrawfor99/OpenSearch.git
+git checkout scrawfor99/testClusterChanges
+git merge origin/main
+```
+
+### Build and update 3.0.0.0 version of security plugin bwc folder
+```sh
+./gradlew assemble
+mkdir -p ${GIT_PROJECT_ROOT}/security/bwc-test/src/test/resources/3.0.0.0
+cp ${GIT_PROJECT_ROOT}/security/build/distributions/opensearch-security-3.0.0.0-SNAPSHOT.zip ${GIT_PROJECT_ROOT}/security/bwc-test/src/test/resources/3.0.0.0/opensearch-security-3.0.0.0-SNAPSHOT.zip
+```
+
+### Get most recent 2.9.0.0 build so upgrade test can go from 2.9 -> 3.0
+
+```sh
+mkdir -p ${GIT_PROJECT_ROOT}/security/bwc-test/src/test/resources/2.9.0.0
+wget https://repo1.maven.org/maven2/org/opensearch/plugin/opensearch-security/2.9.0.0/opensearch-security-2.9.0.0.zip
+mv opensearch-security-2.9.0.0.zip ${GIT_PROJECT_ROOT}/security/bwc-test/src/test/resources/2.9.0.0/opensearch-security-2.9.0.0.zip
+```
+
+### Run bwc tests (from root of security repo)
+
+```sh
+./gradlew -p bwc-test clean bwcTestSuite \
+   -Dtests.security.manager=false \
+   -Dtests.opensearch.http.protocol=https \
+   -Dtests.opensearch.username=admin \
+   -Dtests.opensearch.password=admin \
+   -PcustomDistributionUrl="/home/petern/git/opensearch/distribution/archives/linux-tar/build/distributions/opensearch-min-3.0.0-SNAPSHOT-linux-x64.tar.gz" \
+   -i
+```
+
+#### Remarks:
+ * `-Dtests.security.manager=false` - Handles access issues attempting to read the certificates from the file system
+ * `-Dtests.opensearch.http.protocol=https` - Tells the wait for cluster startup task to do the right thing
+ * `-PcustomDistributionUrl=...` uses a custom build of the distribution of opensearch, might be able to fallback to maven local?
diff --git a/bwc-test/build.gradle b/bwc-test/build.gradle
@@ -76,7 +76,7 @@ loggerUsageCheck.enabled = false
 testingConventions.enabled = false
 validateNebulaPom.enabled = false
 
-String previousVersion = System.getProperty("bwc.version.previous", "3.0.0.0")
+String previousVersion = System.getProperty("bwc.version.previous", "2.9.0.0")
 String nextVersion = System.getProperty("bwc.version.next", "3.0.0.0")
 
 String bwcVersion = previousVersion
@@ -126,6 +126,7 @@ def String extractVersion(versionStr) {
                 node.extraConfigFile("esnode.pem", file("src/test/resources/security/esnode.pem"))
                 node.extraConfigFile("esnode-key.pem", file("src/test/resources/security/esnode-key.pem"))
                 node.extraConfigFile("root-ca.pem", file("src/test/resources/security/root-ca.pem"))
+                node.extraConfigFile("kirk-keystore.jks", file("src/test/resources/security/kirk-keystore.jks"))
                 node.setting("plugins.security.disabled", "false")
                 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")

diff --git a/bwc-test/src/test/java/SecureRestClientBuilder.java b/bwc-test/src/test/java/SecureRestClientBuilder.java
@@ -43,6 +43,9 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.commons.ConfigConstants;
 import org.opensearch.core.common.Strings;
+import java.security.cert.X509Certificate;
+import org.apache.hc.core5.ssl.TrustStrategy;
+
 
 /**
  * Provides builder to create low-level and high-level REST client to make calls to OpenSearch.
@@ -239,7 +242,13 @@ private SSLContext createSSLContext() throws IOException, GeneralSecurityExcepti
             // Handle trust store
             String pemFile = getTrustPem();
             if (Strings.isNullOrEmpty(pemFile)) {
-                builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
+                // Force a trust everything strategy, looks like the certs aren't only self-signed
+                builder.loadTrustMaterial(null, new TrustStrategy() {
+                    @Override
+                    public boolean isTrusted(X509Certificate[] chain, String authType) {
+                        return true;
+                    }
+                });
             } else {
                 String pem = resolve(pemFile, configPath);
                 KeyStore trustStore = new TrustStore(pem).create();

diff --git a/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java b/bwc-test/src/test/java/SecurityBackwardsCompatibilityIT.java
@@ -34,6 +34,12 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.commons.rest.SecureRestClientBuilder;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
+import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.Arrays;
+import java.util.Collection;
+import org.opensearch.SpecialPermission;
 
 public class SecurityBackwardsCompatibilityIT extends OpenSearchRestTestCase {
 
@@ -63,6 +69,12 @@ protected boolean preserveTemplatesUponCompletion() {
         return true;
     }
 
+    // otherwise the generated urls are http://clustername...:port.../
+    @Override
+    protected String getProtocol() {
+        return "https";
+    }
+
     // Many changes from SecurityRestTestCase which replaces the rest client, not sure if this works
     // ../src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java
     /** START SecurityRestTestCase */
@@ -83,30 +95,58 @@ protected Settings restClientSettings() {
         return Settings.builder()
             .put("http.port", 9200)
             .put(SECURITY_SSL_HTTP_ENABLED, "true")
-            .put(SECURITY_SSL_HTTP_PEMCERT_FILEPATH, "opensearch-node.pem")
-            .put(SECURITY_SSL_HTTP_PEMKEY_FILEPATH, "opensearch-node-key.pem")
+            .put(SECURITY_SSL_HTTP_PEMCERT_FILEPATH, "esnode.pem")
+            .put(SECURITY_SSL_HTTP_PEMKEY_FILEPATH, "esnode-key.pem")
             .put(SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "root-ca.pem")
-            .put(SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, "test-kirk.jks")
+            // Tried to  use this, but I think the one I grabbed from ${GIT_ROOT}/src/test/resources might need to be modified?
+//            .put(SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, "kirk-keystore.jks")
             .put("plugins.security.ssl.http.keystore_password", "changeit")
             .put("plugins.security.ssl.http.keystore_keypassword", "changeit")
             .build();
     }
 
+
+    // Disabled security manager and didn't follow through if this was needed/not
+    // @Override
+    // protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
+    //     System.out.println("What are the hosts" + Arrays.stream(hosts).map(h -> h.toHostString()).collect(Collectors.joining(",")));
+
+    //     final SecurityManager sm = System.getSecurityManager();
+
+    //     if (sm != null) {
+    //         sm.checkPermission(new SpecialPermission());
+    //     }
+
+    //     final RestClient client = AccessController.doPrivileged(new PrivilegedAction<RestClient>() {
+    //         @Override
+    //         public RestClient run() {
+    //             try {
+    //                 return buildClient0(settings, hosts);
+    //             } catch (IOException ioe) {
+    //                 throw new RuntimeException(ioe);
+    //             }
+    //         }
+    //     });
+    //     return client;
+    // }
+
     @Override
     protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
         String keystore = settings.get(SECURITY_SSL_HTTP_KEYSTORE_FILEPATH);
 
         if (keystore != null) {
             // create adminDN (super-admin) client
-            File file = new File(getClass().getClassLoader().getResource(".").getFile());
-            Path configPath = PathUtils.get(file.toURI()).getParent().toAbsolutePath();
+            // TODO: Don't know that this was needed - uses admin cert?, but the resolution of this path wasn't correct
+            File file = new File("/home/petern/git/security/bwc-test/src/test/resources/security/");
+            Path configPath = PathUtils.get(file.toURI()).toAbsolutePath();
             return new SecureRestClientBuilder(settings, configPath).setSocketTimeout(60000).setConnectionRequestTimeout(180000).build();
         }
 
         // TODO: These should be part of the test properties
         // create client with passed user
-        String userName = System.getProperty("user");
-        String password = System.getProperty("password");
+        // TODO: updated property reference
+        String userName = System.getProperty("tests.opensearch.username");
+        String password = System.getProperty("tests.opensearch.password");
 
         return new SecureRestClientBuilder(hosts, true, userName, password).setSocketTimeout(60000)
             .setConnectionRequestTimeout(180000)
@@ -154,7 +194,6 @@ private void assertPluginUpgrade(String uri) throws Exception {
         // ./security/bwc-test/build/testclusters/securityBwcCluster1-1/logs/opensearch.stdout.log
         // ./security/bwc-test/build/testclusters/securityBwcCluster1-2/logs/opensearch.stdout.log
         // TODO: Make an issue about capturing the output from these cases better, even when they pass.
-        fail("Testing output from typical run");
 
         // As written this test isn't using a user to make the call to _nodes, maybe as part of setup this is
         // handled, but we need a way to switch between different user accounts during the test.

diff --git a/bwc-test/src/test/resources/3.0.0.0/opensearch-security-3.0.0.0-SNAPSHOT.zip b/bwc-test/src/test/resources/3.0.0.0/opensearch-security-3.0.0.0-SNAPSHOT.zip
diff --git a/bwc-test/src/test/resources/security/kirk-keystore.jks b/bwc-test/src/test/resources/security/kirk-keystore.jks
diff --git a/plugin-security.policy b/plugin-security.policy
@@ -27,56 +27,9 @@
  */
 
 
+// Disabled security manager and didn't follow through if this was needed/not
 grant { 
-  permission java.lang.RuntimePermission "shutdownHooks";
-  permission java.lang.RuntimePermission "getClassLoader";
-  permission java.lang.RuntimePermission "setContextClassLoader";
-  permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
-  permission javax.security.auth.AuthPermission "doAs";
-  permission javax.security.auth.kerberos.ServicePermission "*","accept";
-  permission java.util.PropertyPermission "*","read,write";
-
-  //Enable when we switch to UnboundID LDAP SDK
-  //permission java.util.PropertyPermission "*", "read,write";
-  //permission java.lang.RuntimePermission "setFactory";
-  //permission javax.net.ssl.SSLPermission "setHostnameVerifier";
-
-  //below permissions are needed for netty native open ssl support
-  permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
-  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-  permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
-  permission java.lang.RuntimePermission "accessDeclaredMembers";
-  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.x509";
-  permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
-  permission java.io.FilePermission "/proc/sys/net/core/somaxconn","read";
-
-  permission java.security.SecurityPermission "setProperty.ocsp.enable";
-
-  permission java.net.NetPermission "getNetworkInformation";
-  permission java.net.NetPermission "getProxySelector";
-  permission java.net.SocketPermission "*", "connect,accept,resolve";
-
-  // BouncyCastle permissions
-  permission java.security.SecurityPermission "putProviderProperty.BC";
-  permission java.security.SecurityPermission "insertProvider.BC";
-  permission java.security.SecurityPermission "removeProviderProperty.BC";
-
-  permission java.lang.RuntimePermission "accessUserInformation";
-
-  permission java.security.SecurityPermission "org.apache.xml.security.register";
-  permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "write";
-
-  permission java.lang.RuntimePermission "createClassLoader";
-
-  //Java 9+
-  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jndi.*";
-
-  //Enable this permission to debug unauthorized de-serialization attempt
-  //permission java.io.SerializablePermission "enableSubstitution";
-
-  //SAML policy
-  permission java.util.PropertyPermission "*", "read,write";
-  permission org.opensearch.secure_sm.ThreadPermission "modifyArbitraryThread";
+  permission java.security.AllPermission;
 };
 
 grant codeBase "${codebase.netty-common}" {