Merge branch 'main' into feature/extensions

peternied · May 16, 2023 · f1cee3b · f1cee3b
2 parents 95f9c77 + 15860b6
commit f1cee3b
Show file tree

Hide file tree

Showing 37 changed files with 1,179 additions and 881 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -8,3 +8,25 @@ OpenSearch is a community project that is built and maintained by people just li
 Visit the following link(s) for more information on specific practices: 
 
 - [Triaging](./TRIAGING.md)
+
+## How we work
+
+#### Quality and security form the foundation of our efforts
+* We deliver quality security solutions by understanding issues thoroughly, acting iteratively, and validating solutions through rigorous testing.
+* We hold security to the highest standards of quality. Quality is the first step in building trust with users, stakeholders, and our community as a whole.
+* We move swiftly to solve problems. But we don’t sacrifice quality to achieve quick wins, meet performance indicators, or get the bragging rights related to launching popular, high-profile features.
+
+
+
+#### Privacy won’t be compromised
+* Privacy is a key part of security, and we make sure it isn’t compromised in the pursuit of creating benefits.
+* When we make decisions, we carefully consider any potential impacts to privacy and make sure those decisions protect our users’ and stakeholders’ data.
+* We maintain a focus on creating software that empowers cluster administrators to keep their sensitive data safe.
+
+
+
+#### Transparent collaboration creates secure outcomes
+* Transparent collaboration promotes community inclusion, creates a space for concise and authentic communication, and supports accountability.
+* We operate through transparent collaboration. We believe a secure product is built through diverse perspectives, knowledge sharing, candid discussions, and doing our work in the open when and where it’s safe to do so.
+* We are relationship builders who create safe, respectful, and accessible spaces for everyone so we can engage and work towards the common goal of building secure solutions.
+* When circumstances do require privacy, we make every effort to quickly resolve those requirements and return circumstances to a state of full visibility with our community and collaborators.
diff --git a/build.gradle b/build.gradle
@@ -395,6 +395,7 @@ dependencies {
     implementation ('org.opensaml:opensaml-saml-impl:3.4.5') {
         exclude(group: 'org.apache.velocity', module: 'velocity')
     }
+    implementation "com.nulab-inc:zxcvbn:1.7.0"
     testImplementation 'org.opensaml:opensaml-messaging-impl:3.4.5'
     implementation 'org.opensaml:opensaml-messaging-api:3.4.5'
     runtimeOnly 'org.opensaml:opensaml-profile-api:3.4.5'

diff --git a/config/roles.yml b/config/roles.yml
@@ -136,6 +136,19 @@ observability_full_access:
     - 'cluster:admin/opensearch/observability/delete'
     - 'cluster:admin/opensearch/observability/get'
 
+# Allows users to all PPL functionality
+ppl_full_access:
+  reserved: true
+  cluster_permissions:
+    - 'cluster:admin/opensearch/ppl'
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:admin/mappings/get'
+        - 'indices:data/read/search*'
+        - 'indices:monitor/settings/get'
+
 # Allows users to read and download Reports
 reports_instances_read_access:
   reserved: true
@@ -228,6 +241,16 @@ cross_cluster_replication_follower_full_access:
         - "indices:admin/plugins/replication/index/update"
         - "indices:admin/plugins/replication/index/status_check"
 
+# Allows users to use all cross cluster search functionality at remote cluster
+cross_cluster_search_remote_full_access:
+  reserved: true
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'indices:admin/shards/search_shards'
+        - 'indices:data/read/search'
+
 # Allow users to read ML stats/models/tasks
 ml_read_access:
   reserved: true

diff --git a/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java b/src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java
@@ -50,10 +50,10 @@ public class SecurityConfigurationTests {
 			.roles(new Role("limited-role").indexPermissions("indices:data/read/search", "indices:data/read/get").on("user-${user.name}"));
 	public static final String LIMITED_USER_INDEX = "user-" + LIMITED_USER.getName();
 	public static final String ADDITIONAL_USER_1 = "additional00001";
-	public static final String ADDITIONAL_PASSWORD_1 = ADDITIONAL_USER_1;
+	public static final String ADDITIONAL_PASSWORD_1 = "user 1 fair password";
 
 	public static final String ADDITIONAL_USER_2 = "additional2";
-	public static final String ADDITIONAL_PASSWORD_2 = ADDITIONAL_USER_2;
+	public static final String ADDITIONAL_PASSWORD_2 = "user 2 fair password";
 	public static final String CREATE_USER_BODY = "{\"password\": \"%s\",\"opendistro_security_roles\": []}";
 	public static final String INTERNAL_USERS_RESOURCE = "_plugins/_security/api/internalusers/";
 	public static final String ID_1 = "one";

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -117,11 +117,6 @@
 import org.opensearch.search.query.QuerySearchResult;
 import org.opensearch.security.action.configupdate.ConfigUpdateAction;
 import org.opensearch.security.action.configupdate.TransportConfigUpdateAction;
-import org.opensearch.security.action.tenancy.TenancyConfigRestHandler;
-import org.opensearch.security.action.tenancy.TenancyConfigRetrieveActions;
-import org.opensearch.security.action.tenancy.TenancyConfigRetrieveTransportAction;
-import org.opensearch.security.action.tenancy.TenancyConfigUpdateAction;
-import org.opensearch.security.action.tenancy.TenancyConfigUpdateTransportAction;
 import org.opensearch.security.action.whoami.TransportWhoAmIAction;
 import org.opensearch.security.action.whoami.WhoAmIAction;
 import org.opensearch.security.auditlog.AuditLog;
@@ -143,6 +138,7 @@
 import org.opensearch.security.configuration.Salt;
 import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
 import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
+import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.filter.SecurityFilter;
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.HTTPOnBehalfOfJwtAuthenticator;
@@ -481,7 +477,6 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                         Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
                 handlers.add(new SecurityConfigUpdateAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 handlers.add(new SecurityWhoAmIAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
-                handlers.add(new TenancyConfigRestHandler());
                 handlers.addAll(
                         SecurityRestApiActions.getHandler(
                                 settings,
@@ -519,10 +514,6 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
         if(!disabled && !SSLConfig.isSslOnlyMode()) {
             actions.add(new ActionHandler<>(ConfigUpdateAction.INSTANCE, TransportConfigUpdateAction.class));
             actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
-
-            actions.add(new ActionHandler<>(TenancyConfigRetrieveActions.INSTANCE, TenancyConfigRetrieveTransportAction.class));
-            actions.add(new ActionHandler<>(TenancyConfigUpdateAction.INSTANCE, TenancyConfigUpdateTransportAction.class));
-
         }
         return actions;
     }
@@ -1057,6 +1048,19 @@ public List<Setting<?>> getSettings() {
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Property.NodeScope, Property.Filtered));
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Property.NodeScope, Property.Filtered));
 
+            settings.add(
+                    Setting.intSetting(
+                            ConfigConstants.SECURITY_RESTAPI_PASSWORD_MIN_LENGTH,
+                            -1, -1, Property.NodeScope, Property.Filtered)
+            );
+            settings.add(
+                    Setting.simpleString(
+                            ConfigConstants.SECURITY_RESTAPI_PASSWORD_SCORE_BASED_VALIDATION_STRENGTH,
+                            PasswordValidator.ScoreStrength.STRONG.name(),
+                            PasswordValidator.ScoreStrength::fromConfiguration,
+                            Property.NodeScope, Property.Filtered
+                    )
+            );
 
             // Compliance
             settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here

diff --git a/src/main/java/org/opensearch/security/action/tenancy/EmptyRequest.java b/src/main/java/org/opensearch/security/action/tenancy/EmptyRequest.java
diff --git a/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRestHandler.java b/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRestHandler.java
diff --git a/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveActions.java b/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveActions.java
diff --git a/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveResponse.java b/src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveResponse.java