opensearch-project · SuZhou-Joe · Oct 14, 2024 · Oct 11, 2024 · Oct 11, 2024 · Oct 11, 2024
@@ -0,0 +1,2 @@
+feat:
+- Add ACL auditor ([#8557](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/8557))
@@ -0,0 +1,51 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { loggerMock } from '../logging/logger.mock';
+import { httpServerMock } from '../mocks';
+import {
+  initializeACLAuditor,
+  getACLAuditor,
+  destroyACLAuditor,
+  ACLAuditorStateKey,
+} from './acl_auditor';
+
+describe('#getACLAuditor', () => {
+  it('should be able to get ACL auditor if request initialized', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    const uninilizedMockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    const mockedLogger = loggerMock.create();
+    initializeACLAuditor(mockRequest, mockedLogger);
+    expect(getACLAuditor(mockRequest)).not.toBeFalsy();
+    expect(getACLAuditor(uninilizedMockRequest)).toBeFalsy();
+  });
+});
+
+describe('#destroyACLAuditor', () => {
+  it('should be able to destroy the auditor', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    const mockedLogger = loggerMock.create();
+    initializeACLAuditor(mockRequest, mockedLogger);
+    expect(getACLAuditor(mockRequest)).not.toBeFalsy();
+    destroyACLAuditor(mockRequest);
+    expect(getACLAuditor(mockRequest)).toBeFalsy();
+  });
+});
+
+describe('#ACLAuditor', () => {
+  it('should log error when auditor value is not correct', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    const mockedLogger = loggerMock.create();
+    initializeACLAuditor(mockRequest, mockedLogger);
+    const ACLAuditorInstance = getACLAuditor(mockRequest);
+    ACLAuditorInstance?.increment(ACLAuditorStateKey.DATABASE_OPERATION, 1);
+    ACLAuditorInstance?.checkout();
+    expect(
+      mockedLogger.error.mock.calls[0][0].toString().startsWith('[ACLCounterCheckoutFailed]')
+    ).toEqual(true);
+    ACLAuditorInstance?.checkout();
+    expect(mockedLogger.error).toBeCalledTimes(1);
+  });
+});
@@ -0,0 +1,87 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { OpenSearchDashboardsRequest, ensureRawRequest } from '../http/router';
+import { Logger } from '../logging';
+
+const ACLAuditorKey = Symbol('ACLAuditor');
+
+export const ACLAuditorStateKey = {
+  VALIDATE_SUCCESS: 'validateSuccess',
+  VALIDATE_FAILURE: 'validateFailure',
+  DATABASE_OPERATION: 'databaseOperation',
+} as const;
+
+const defaultState = {
+  [ACLAuditorStateKey.VALIDATE_SUCCESS]: 0,
+  [ACLAuditorStateKey.VALIDATE_FAILURE]: 0,
+  [ACLAuditorStateKey.DATABASE_OPERATION]: 0,
+};
+
+type ValueOf<T> = T[keyof T];
+
+class ACLAuditor {
+  private state = { ...defaultState };
+
+  constructor(private logger: Logger) {}
+
+  reset = () => {
+    this.state = { ...defaultState };
+  };
+
+  increment = (key: ValueOf<typeof ACLAuditorStateKey>, count: number) => {
+    if (typeof count !== 'number' || !this.state.hasOwnProperty(key)) {
+      return;
+    }
+
+    this.state[key] = this.state[key] + count;
+  };
+
+  checkout = (requestInfo?: string) => {
+    if (
+      this.state[ACLAuditorStateKey.VALIDATE_FAILURE] +
+        this.state[ACLAuditorStateKey.VALIDATE_SUCCESS] <
+      this.state[ACLAuditorStateKey.DATABASE_OPERATION]
+    ) {
+      this.logger.error(
+        `[ACLCounterCheckoutFailed] counter state: ${JSON.stringify(this.state)}, ${
+          requestInfo ? `requestInfo: ${requestInfo}` : ''
+        }`
+      );
+    }
+
+    this.reset();
+  };
+}
+
+interface AppState {
+  [ACLAuditorKey]?: ACLAuditor;
+}
+
+/**
+ * This function will be used to initialize a new app state to the request
+ *
+ * @param request OpenSearchDashboardsRequest
+ * @returns void
+ */
+export const initializeACLAuditor = (request: OpenSearchDashboardsRequest, logger: Logger) => {
+  const rawRequest = ensureRawRequest(request);
+  const appState: AppState = rawRequest.app;
+  const ACLCounterInstance = appState[ACLAuditorKey];
+
+  if (ACLCounterInstance) {
+    return;
+  }
+
+  appState[ACLAuditorKey] = new ACLAuditor(logger);
+};
+
+export const getACLAuditor = (request: OpenSearchDashboardsRequest): ACLAuditor | undefined => {
+  return (ensureRawRequest(request).app as AppState)[ACLAuditorKey];
+};
+
+export const destroyACLAuditor = (request: OpenSearchDashboardsRequest) => {
+  (ensureRawRequest(request).app as AppState)[ACLAuditorKey] = undefined;
+};
@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { httpServerMock } from '../../../core/server/mocks';
+import {
+  initializeClientCallAuditor,
+  getClientCallAuditor,
+  CLIENT_CALL_AUDITOR_KEY,
+  destroyClientCallAuditor,
+} from './client_call_auditor';
+
+describe('#getClientCallAuditor', () => {
+  it('should be able to get clientCallAuditor if request initialized', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    const uninilizedMockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    initializeClientCallAuditor(mockRequest);
+    expect(getClientCallAuditor(mockRequest)).not.toBeFalsy();
+    expect(getClientCallAuditor(uninilizedMockRequest)).toBeFalsy();
+  });
+});
+
+describe('#destroyClientCallAuditor', () => {
+  it('should be able to destroy the auditor', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    initializeClientCallAuditor(mockRequest);
+    expect(getClientCallAuditor(mockRequest)).not.toBeFalsy();
+    destroyClientCallAuditor(mockRequest);
+    expect(getClientCallAuditor(mockRequest)).toBeFalsy();
+  });
+});
+
+describe('#ClientCallAuditor', () => {
+  it('should return false when auditor incoming not equal outgoing', () => {
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest();
+    initializeClientCallAuditor(mockRequest);
+    const ACLAuditorInstance = getClientCallAuditor(mockRequest);
+    ACLAuditorInstance?.increment(CLIENT_CALL_AUDITOR_KEY.incoming);
+    expect(ACLAuditorInstance?.ifAsyncClientCallsBalance()).toEqual(false);
+  });
+});
@@ -0,0 +1,63 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { OpenSearchDashboardsRequest, ensureRawRequest } from '../http/router';
+
+const clientCallAuditorKey = Symbol('clientCallAuditor');
+
+interface AppState {
+  [clientCallAuditorKey]?: ClientCallAuditor;
+}
+
+export const CLIENT_CALL_AUDITOR_KEY = {
+  incoming: 'incoming',
+  outgoing: 'outgoing',
+} as const;
+
+/**
+ * This class will be used to audit all the async calls to saved objects client.
+ * For example, `/api/sample_data` will call savedObjectsClient.get() 3 times parallely and for ACL auditor,
+ * it should only `checkout` when the incoming calls equal outgoing call.
+ */
+class ClientCallAuditor {
+  private state: {
+    incoming?: number;
+    outgoing?: number;
+  } = {};
+  increment(key: keyof typeof CLIENT_CALL_AUDITOR_KEY) {
+    this.state[key] = (this.state[key] || 0) + 1;
+  }
+  ifAsyncClientCallsBalance() {
+    return this.state.incoming === this.state.outgoing;
+  }
+}
+
+/**
+ * This function will be used to initialize a new app state to the request
+ *
+ * @param request OpenSearchDashboardsRequest
+ * @returns void
+ */
+export const initializeClientCallAuditor = (request: OpenSearchDashboardsRequest) => {
+  const rawRequest = ensureRawRequest(request);
+  const appState: AppState = rawRequest.app;
+  const clientCallAuditorInstance = appState[clientCallAuditorKey];
+
+  if (clientCallAuditorInstance) {
+    return;
+  }
+
+  appState[clientCallAuditorKey] = new ClientCallAuditor();
+};
+
+export const getClientCallAuditor = (
+  request: OpenSearchDashboardsRequest
+): ClientCallAuditor | undefined => {
+  return (ensureRawRequest(request).app as AppState)[clientCallAuditorKey];
+};
+
+export const destroyClientCallAuditor = (request: OpenSearchDashboardsRequest) => {
+  (ensureRawRequest(request).app as AppState)[clientCallAuditorKey] = undefined;
+};
@@ -35,3 +35,15 @@ export * from './streams';
 export { getPrincipalsFromRequest } from './auth_info';
 export { getWorkspaceIdFromUrl, cleanWorkspaceId } from '../../utils';
 export { updateWorkspaceState, getWorkspaceState } from './workspace';
+export {
+  ACLAuditorStateKey,
+  initializeACLAuditor,
+  getACLAuditor,
+  destroyACLAuditor,
+} from './acl_auditor';
+export {
+  CLIENT_CALL_AUDITOR_KEY,
+  getClientCallAuditor,
+  initializeClientCallAuditor,
+  destroyClientCallAuditor,
+} from './client_call_auditor';
@@ -44,6 +44,12 @@ export const PRIORITY_FOR_WORKSPACE_UI_SETTINGS_WRAPPER = -2;
 export const PRIORITY_FOR_WORKSPACE_CONFLICT_CONTROL_WRAPPER = -1;
 export const PRIORITY_FOR_PERMISSION_CONTROL_WRAPPER = 0;
 
+/**
+ * The repository wrapper should be the wrapper closest to the repository client,
+ * so we give a large number to the wrapper
+ */
+export const PRIORITY_FOR_REPOSITORY_WRAPPER = 100 * 100;
+
 /**
  *
  * This is a temp solution to store relationships between use cases  and features.

@@ -16,7 +16,11 @@ import {
   HttpAuth,
 } from '../../../../core/server';
 import { WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID } from '../../common/constants';
-import { getPrincipalsFromRequest } from '../../../../core/server/utils';
+import {
+  ACLAuditorStateKey,
+  getACLAuditor,
+  getPrincipalsFromRequest,
+} from '../../../../core/server/utils';
 
 export type SavedObjectsPermissionControlContract = Pick<
   SavedObjectsPermissionControl,
@@ -57,6 +61,7 @@ export class SavedObjectsPermissionControl {
     request: OpenSearchDashboardsRequest,
     savedObjects: SavedObjectsBulkGetObject[]
   ) {
+    const ACLAuditor = getACLAuditor(request);
     const requestKey = request.uuid;
     const savedObjectsToGet = savedObjects.filter(
       (savedObject) =>
@@ -66,6 +71,8 @@ export class SavedObjectsPermissionControl {
       savedObjectsToGet.length > 0
         ? (await this.getScopedClient?.(request)?.bulkGet(savedObjectsToGet))?.saved_objects || []
         : [];
+    // System request, -1 * savedObjectsToGet.length for compensation.
+    ACLAuditor?.increment(ACLAuditorStateKey.DATABASE_OPERATION, -1 * savedObjectsToGet.length);
 
     const retrievedSavedObjectsMap: { [key: string]: SavedObject } = {};
     retrievedSavedObjects.forEach((savedObject) => {

@@ -44,7 +44,7 @@ describe('Workspace server plugin', () => {
         },
       }
     `);
-    expect(setupMock.savedObjects.addClientWrapper).toBeCalledTimes(4);
+    expect(setupMock.savedObjects.addClientWrapper).toBeCalledTimes(5);
 
     let registerSwitcher;
     let result;

@@ -25,15 +25,21 @@
   WORKSPACE_INITIAL_APP_ID,
   WORKSPACE_NAVIGATION_APP_ID,
   DEFAULT_WORKSPACE,
+  PRIORITY_FOR_REPOSITORY_WRAPPER,
 } from '../common/constants';
 import { IWorkspaceClientImpl, WorkspacePluginSetup, WorkspacePluginStart } from './types';
 import { WorkspaceClient } from './workspace_client';
 import { registerRoutes } from './routes';
 import { WorkspaceSavedObjectsClientWrapper } from './saved_objects';
 import {
   cleanWorkspaceId,
+  destroyACLAuditor,
+  destroyClientCallAuditor,
+  getACLAuditor,
   getWorkspaceIdFromUrl,
   getWorkspaceState,
+  initializeACLAuditor,
+  initializeClientCallAuditor,
   updateWorkspaceState,
 } from '../../../core/server/utils';
 import { WorkspaceConflictSavedObjectsClientWrapper } from './saved_objects/saved_objects_wrapper_for_check_workspace_conflict';
@@ -45,6 +51,7 @@
 import { WorkspaceIdConsumerWrapper } from './saved_objects/workspace_id_consumer_wrapper';
 import { WorkspaceUiSettingsClientWrapper } from './saved_objects/workspace_ui_settings_client_wrapper';
 import { uiSettings } from './ui_settings';
+import { RepositoryWrapper } from './saved_objects/repository_wrapper';
 
 export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePluginStart> {
   private readonly logger: Logger;
@@ -110,6 +117,25 @@
       this.permissionControl?.clearSavedObjectsCache(request);
       return toolkit.next();
     });
+
+    // Initialize ACL auditor in request.
+    core.http.registerOnPostAuth((request, response, toolkit) => {
+      initializeACLAuditor(request, this.logger);
+      initializeClientCallAuditor(request);
+      return toolkit.next();
+    });
+
+    // Clean up auditor before response.
+    core.http.registerOnPreResponse((request, response, toolkit) => {
+      const { isDashboardAdmin } = getWorkspaceState(request);
+      if (!isDashboardAdmin) {
+        // Only checkout auditor when current login user is not dashboard admin
+        getACLAuditor(request)?.checkout();
+      }
+      destroyACLAuditor(request);
+      destroyClientCallAuditor(request);
+      return toolkit.next();
+    });
   }
 
   private setUpRedirectPage(core: CoreSetup) {
@@ -203,6 +229,13 @@
       new WorkspaceIdConsumerWrapper(this.client).wrapperFactory
     );
 
+    core.savedObjects.addClientWrapper(
+      PRIORITY_FOR_REPOSITORY_WRAPPER,
+      // Give a symbol here so this wrapper won't be bypassed
+      Symbol('repository_wrapper').toString(),
+      new RepositoryWrapper().wrapperFactory
+    );
+
     const maxImportExportSize = core.savedObjects.getImportExportObjectLimit();
     this.logger.info('Workspace permission control enabled:' + isPermissionControlEnabled);
     if (isPermissionControlEnabled) this.setupPermission(core);