Backports sanity tests to 1.3

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

.github/workflows/plugin_install.yml

@@ -54,3 +54,6 @@ jobs:
           opensearch-version: ${{ env.OPENSEARCH_VERSION }}
           plugin-name: ${{ env.PLUGIN_NAME }}
           setup-script-name: setup
+
+      - name: Run sanity tests
+        run: ./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="opensearch" -Dhttps=true -Duser=admin -Dpassword=admin

README.md

@@ -65,6 +65,16 @@ Run all tests:
 ./gradlew clean test
 ```
 
+Run tests against local cluster:
+```bash
+./gradlew integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dsecurity=true -Dhttps=true -Duser=admin -Dpassword=admin -Dcommon_utils.version="2.2.0.0"
+```
+OR
+```bash
+./scripts/integtest.sh
+```
+Note: To run against a remote cluster replace cluster-name and `localhost:9200` with the IPAddress:Port of that cluster.
+
 Build artifacts (zip, deb, rpm):
 ```bash
 ./gradlew clean assemble

build.gradle

@@ -44,10 +44,12 @@ plugins {
     id "org.gradle.test-retry" version "1.3.1"
     id "com.github.spotbugs" version "5.0.13"
 }
+
 import org.gradle.crypto.checksum.Checksum
 
 import java.text.SimpleDateFormat
 
+import org.opensearch.gradle.test.RestIntegTestTask
 
 repositories {
     mavenLocal()
@@ -64,6 +66,8 @@ ext {
     opensearch_build = version_tokens[0] + '.0'
     kafka_version  = '3.0.2'
 
+    common_utils_version = System.getProperty("common_utils.version", '2.1.0.0')
+
     if (buildVersionQualifier) {
         opensearch_build += "-${buildVersionQualifier}"
         opensearch_build_nosnapshot = opensearch_build
@@ -73,6 +77,10 @@ ext {
     }
 }
 
+
+apply plugin: 'opensearch.rest-test'
+apply plugin: 'opensearch.testclusters'
+
 configurations.all {
     resolutionStrategy {
         force 'commons-codec:commons-codec:1.14'
@@ -139,6 +147,7 @@ dependencies {
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}"
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
+    testImplementation "org.opensearch:common-utils:${common_utils_version}"
     compileOnly "org.opensearch:opensearch:${opensearch_version}"
 }
 
@@ -235,6 +244,9 @@ spotbugsTest {
 }
 
 test {
+    filter {
+        excludeTestsMatching "org.opensearch.security.sanity.tests.*"
+    }
     maxParallelForks = 3
     jvmArgs += "-Xmx3072m"
     if (JavaVersion.current() > JavaVersion.VERSION_1_8) {
@@ -402,4 +414,21 @@ task updateVersion {
         println "Setting version to ${newVersion}."
         ant.replaceregexp(file:'build.gradle', match: '"opensearch.version", "\\d.*"', replace: '"opensearch.version", "' + newVersion.tokenize('-')[0] + '-SNAPSHOT"', flags:'g', byline:true)
     }
-} 
+}
+
+task integTestRemote(type: RestIntegTestTask) {
+
+    systemProperty "tests.security.manager", "false"
+    systemProperty "user", System.getProperty("user")
+    systemProperty "password", System.getProperty("password")
+    systemProperty "https", System.getProperty("https")
+    systemProperty "security.enabled", "true"
+
+    filter {
+        setIncludePatterns("org.opensearch.security.sanity.tests.*IT")
+    }
+}
+
+integTestRemote.enabled = System.getProperty("tests.rest.cluster") != null
+// should be updated appropriately, when we add integTests in future
+integTest.enabled = false

integtest.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+set -e
+
+function usage() {
+    echo ""
+    echo "This script is used to run integration tests for plugin installed on a remote OpenSearch/Dashboards cluster."
+    echo "--------------------------------------------------------------------------"
+    echo "Usage: $0 [args]"
+    echo ""
+    echo "Required arguments:"
+    echo "None"
+    echo ""
+    echo "Optional arguments:"
+    echo -e "-b BIND_ADDRESS\t, defaults to localhost | 127.0.0.1, can be changed to any IP or domain name for the cluster location."
+    echo -e "-p BIND_PORT\t, defaults to 9200, can be changed to any port for the cluster location."
+    echo -e "-s SECURITY_ENABLED\t(true | false), defaults to true. Specify the OpenSearch/Dashboards have security enabled or not."
+    echo -e "-c CREDENTIAL\t(usename:password), no defaults, effective when SECURITY_ENABLED=true."
+    echo -e "-h\tPrint this message."
+    echo -e "-v OPENSEARCH_VERSION\t, no defaults"
+    echo -e "-n SNAPSHOT\t, defaults to false"
+    echo -e "-m CLUSTER_NAME\t, defaults to docker-cluster"
+    echo -e "-u COMMON_UTILS_VERSION\t, defaults to 2.2.0.0"
+    echo "--------------------------------------------------------------------------"
+}
+
+while getopts ":h:b:p:s:c:v:n:t:m:u:" arg; do
+    case $arg in
+        h)
+            usage
+            exit 1
+            ;;
+        b)
+            BIND_ADDRESS=$OPTARG
+            ;;
+        p)
+            BIND_PORT=$OPTARG
+            ;;
+        t)
+            TRANSPORT_PORT=$OPTARG
+            ;;
+        s)
+            SECURITY_ENABLED=$OPTARG
+            ;;
+        c)
+            CREDENTIAL=$OPTARG
+            ;;
+        m)
+            CLUSTER_NAME=$OPTARG
+            ;;
+        v)
+            # Do nothing as we're not consuming this param.
+            ;;
+        n)
+            # Do nothing as we're not consuming this param.
+            ;;
+        u)
+            COMMON_UTILS_VERSION=$OPTARG
+            ;;
+        :)
+            echo "-${OPTARG} requires an argument"
+            usage
+            exit 1
+            ;;
+        ?)
+            echo "Invalid option: -${OPTARG}"
+            exit 1
+            ;;
+    esac
+done
+
+
+if [ -z "$BIND_ADDRESS" ]
+then
+  BIND_ADDRESS="localhost"
+fi
+
+if [ -z "$BIND_PORT" ]
+then
+  BIND_PORT="9200"
+fi
+
+if [ -z "$SECURITY_ENABLED" ]
+then
+  SECURITY_ENABLED="true"
+fi
+
+if [ -z "$CREDENTIAL" ]
+then
+  CREDENTIAL="admin:admin"
+fi
+
+if [ -z "$CREDENTIAL" ]
+then
+  CREDENTIAL="admin:admin"
+fi
+
+if [ -z "$CLUSTER_NAME" ]
+then
+  CLUSTER_NAME="docker-cluster"
+fi
+if [ -z "$COMMON_UTILS_VERSION" ]
+then
+  COMMON_UTILS_VERSION="2.2.0.0"
+fi
+
+USERNAME=`echo $CREDENTIAL | awk -F ':' '{print $1}'`
+PASSWORD=`echo $CREDENTIAL | awk -F ':' '{print $2}'`
+
+./gradlew integTestRemote -Dtests.rest.cluster="$BIND_ADDRESS:$BIND_PORT" -Dtests.cluster="$BIND_ADDRESS:$BIND_PORT" -Dsecurity_enabled=$SECURITY_ENABLED -Dtests.clustername=$CLUSTER_NAME -Dhttps=true -Duser=$USERNAME -Dpassword=$PASSWORD -Dcommon_utils.version=$COMMON_UTILS_VERSION

src/test/java/org/opensearch/bootstrap/JarHell.java

@@ -0,0 +1,32 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.bootstrap;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.function.Consumer;
+
+/**
+ * Disable JarHell to unblock test development
+ * https://github.com/opensearch-project/security/issues/1938
+ */
+public class JarHell {
+    private JarHell() {}
+    public static void checkJarHell(Consumer<String> output) throws IOException, Exception {}
+    public static void checkJarHell(Set<URL> urls, Consumer<String> output) throws URISyntaxException, IOException {}
+    public static void checkVersionFormat(String targetVersion) {}
+    public static void checkJavaVersion(String resource, String targetVersion) {}
+    public static Set<URL> parseClassPath() {return new HashSet<URL>();}
+}

src/test/java/org/opensearch/security/sanity/tests/SecurityRestTestCase.java

@@ -0,0 +1,99 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.sanity.tests;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.Map;
+
+import org.apache.http.HttpHost;
+
+import org.opensearch.client.Request;
+import org.opensearch.client.Response;
+import org.opensearch.client.RestClient;
+import org.opensearch.client.RestClientBuilder;
+import org.opensearch.common.io.PathUtils;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.commons.rest.SecureRestClientBuilder;
+import org.opensearch.test.rest.OpenSearchRestTestCase;
+
+import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_ENABLED;
+import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH;
+import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD;
+import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD;
+import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_PEMCERT_FILEPATH;
+
+/**
+ * Overrides OpenSearchRestTestCase to fit the use-case for testing
+ * against remote cluster for Security Plugin.
+ *
+ * Modify this test class as needed
+ */
+@SuppressWarnings("unchecked")
+public class SecurityRestTestCase extends OpenSearchRestTestCase {
+
+    private static final String CERT_FILE_DIRECTORY = "sanity-tests/";
+    private boolean isHttps() {
+        return System.getProperty("https").equals("true");
+    }
+    private boolean securityEnabled() {
+        return System.getProperty("security.enabled").equals("true");
+    }
+
+    @Override
+    protected Settings restAdminSettings(){
+
+        return Settings
+                .builder()
+                .put("http.port", 9200)
+                .put(OPENSEARCH_SECURITY_SSL_HTTP_ENABLED, isHttps())
+                .put(OPENSEARCH_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, CERT_FILE_DIRECTORY + "opensearch-node.pem")
+                .put("plugins.security.ssl.http.pemkey_filepath", CERT_FILE_DIRECTORY + "opensearch-node-key.pem")
+                .put("plugins.security.ssl.transport.pemtrustedcas_filepath", CERT_FILE_DIRECTORY + "root-ca.pem")
+                .put(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, CERT_FILE_DIRECTORY + "test-kirk.jks")
+                .put(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, "changeit")
+                .put(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
+                .build();
+    }
+
+    @Override
+    protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
+
+        if(securityEnabled()){
+            String keystore = settings.get(OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH);
+
+            if(keystore != null){
+                // create adminDN (super-admin) client
+                File file = new File(getClass().getClassLoader().getResource(CERT_FILE_DIRECTORY).getFile());
+                Path configPath = PathUtils.get(file.toURI()).getParent().toAbsolutePath();
+                return new SecureRestClientBuilder(settings, configPath).setSocketTimeout(60000).build();
+            }
+
+            // create client with passed user
+            String userName = System.getProperty("user");
+            String password = System.getProperty("password");
+            return new SecureRestClientBuilder(hosts, isHttps(), userName, password).setSocketTimeout(60000).build();
+        }
+        else {
+            RestClientBuilder builder = RestClient.builder(hosts);
+            configureClient(builder, settings);
+            builder.setStrictDeprecationMode(true);
+            return builder.build();
+        }
+    }
+
+    protected static Map<String, Object> getAsMapByAdmin(final String endpoint) throws IOException {
+        Response response = adminClient().performRequest(new Request("GET", endpoint));
+        return responseAsMap(response);
+    }
+}

src/test/java/org/opensearch/security/sanity/tests/SingleClusterSanityIT.java

@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.sanity.tests;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import org.hamcrest.MatcherAssert;
+import org.junit.Test;
+
+import static org.hamcrest.Matchers.anEmptyMap;
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+
+
+@SuppressWarnings("unchecked")
+public class SingleClusterSanityIT extends SecurityRestTestCase {
+
+    private static final String SECURITY_PLUGIN_NAME = "opensearch-security";
+
+    @Test
+    public void testSecurityPluginInstallation() throws Exception {
+        verifyPluginInstallationOnAllNodes();
+    }
+
+    private void verifyPluginInstallationOnAllNodes() throws Exception {
+
+        Map<String, Map<String, Object>> nodesInCluster = (Map<String, Map<String, Object>>) getAsMapByAdmin("_nodes").get("nodes");
+
+        for (Map<String, Object> node : nodesInCluster.values()) {
+
+            List<Map<String, Object>> plugins = (List<Map<String, Object>>) node.get("plugins");
+            Set<Object> pluginNames = plugins.stream().map(map -> map.get("name")).collect(Collectors.toSet());
+
+            MatcherAssert.assertThat(pluginNames, contains(SECURITY_PLUGIN_NAME));
+        }
+        MatcherAssert.assertThat(nodesInCluster, is(not(anEmptyMap())));
+    }
+}