[Backport 2.x] Download certs from security repo (#650) (#668)

* Download certs from security repo (#650)

* Download certs from security repo

Signed-off-by: Craig Perkins <[email protected]>

* Remove unused import

Signed-off-by: Craig Perkins <[email protected]>

* Fix ci check

Signed-off-by: Craig Perkins <[email protected]>

* Include setup-java step

Signed-off-by: Craig Perkins <[email protected]>

* getParent

Signed-off-by: Craig Perkins <[email protected]>

* Remove markAsSystemContext

Signed-off-by: Craig Perkins <[email protected]>

* Configure basic auth header

Signed-off-by: Craig Perkins <[email protected]>

* Remove unused imports

Signed-off-by: Craig Perkins <[email protected]>

* Update link to security repo

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 63fa8d2)

* Remove unused imports

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>

.github/workflows/build.yml

@@ -79,6 +79,12 @@ jobs:
     # This job runs on Linux.
     runs-on: ubuntu-latest
     steps:
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: ${{ matrix.java }}
       - name: Checkout Branch
         uses: actions/checkout@v2
       - uses: actions/download-artifact@v3
@@ -87,9 +93,9 @@ jobs:
       - name: Pull and Run Docker for security tests
         run: |
           plugin=${{ needs.linux-build.outputs.build-test-linux }}
-          version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-3`
-          plugin_version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-4`
-          qualifier=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-1`
+          version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-3`
+          plugin_version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-4`
+          qualifier=`echo $plugin|awk -F- '{print $5}'| cut -d. -f 1-1`
 
           if [ -n "$qualifier" ] && [ "$qualifier" != "SNAPSHOT" ]; then
               qualifier=-${qualifier}

build.gradle

@@ -42,7 +42,8 @@ buildscript {
 //****************************************************************************/
 
 plugins {
-    id 'com.netflix.nebula.ospackage' version "11.6.0"
+    id "de.undercouch.download" version "5.3.0"
+    id 'com.netflix.nebula.ospackage' version "11.10.0"
     id 'checkstyle'
 }
 
@@ -79,6 +80,20 @@ ext {
     projectSubstitutions = [:]
     licenseFile = rootProject.file('LICENSE.txt')
     noticeFile = rootProject.file('NOTICE.txt')
+
+    ['sample.pem', 'test-kirk.jks'].forEach { file ->
+        File local = getLayout().getBuildDirectory().file(file).get().getAsFile()
+        download.run {
+            src "https://raw.githubusercontent.com/opensearch-project/security/refs/heads/main/bwc-test/src/test/resources/security/" + file
+            dest local
+            overwrite false
+        }
+    }
+
+    processResources {
+        from(getLayout().getBuildDirectory().file('sample.pem').get().getAsFile())
+        from(getLayout().getBuildDirectory().file('test-kirk.jks').get().getAsFile())
+    }
 }
 
 java {

src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java

@@ -194,8 +194,6 @@ public void run() {
     public final void performCleanUp() {
         final ThreadContext threadContext = threadPool.getThreadContext();
         try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
-            // we have to execute under the system context so that if security is enabled the sync is authorized
-            threadContext.markAsSystemContext();
             final Map<String, DiscoveryNode> dataNodes = clusterService.state().nodes().getDataNodes();
             List<DiscoveryNode> nodes = Stream.of(dataNodes.values().toArray(new DiscoveryNode[0]))
                     .collect(Collectors.toList());

src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java

@@ -7,11 +7,7 @@
 
 import org.apache.http.Header;
 import org.apache.http.HttpHost;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.http.client.CredentialsProvider;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.junit.After;
@@ -33,8 +29,11 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
+import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -92,7 +91,7 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE
             if (Objects.nonNull(keystore)) {
                 URI uri = null;
                 try {
-                    uri = this.getClass().getClassLoader().getResource("security/sample.pem").toURI();
+                    uri = this.getClass().getClassLoader().getResource("sample.pem").toURI();
                 } catch (URISyntaxException e) {
                     throw new RuntimeException(e);
                 }
@@ -142,25 +141,24 @@ protected void wipeAllOSIndices() throws IOException {
     }
 
     protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException {
-        Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
+        Map<String, String> headers = new HashMap<>(ThreadContext.buildDefaultHeaders(settings));
+        if (System.getProperty("user") != null && System.getProperty("password") != null) {
+            String userName = System.getProperty("user");
+            String password = System.getProperty("password");
+            headers.put(
+                "Authorization",
+                "Basic " + Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(StandardCharsets.UTF_8))
+            );
+        }
         Header[] defaultHeaders = new Header[headers.size()];
         int i = 0;
         for (Map.Entry<String, String> entry : headers.entrySet()) {
             defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue());
         }
         builder.setDefaultHeaders(defaultHeaders);
         builder.setHttpClientConfigCallback(httpClientBuilder -> {
-            String userName = Optional
-                    .ofNullable(System.getProperty("user"))
-                    .orElseThrow(() -> new RuntimeException("user name is missing"));
-            String password = Optional
-                    .ofNullable(System.getProperty("password"))
-                    .orElseThrow(() -> new RuntimeException("password is missing"));
-            CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
-            credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(userName, password));
             try {
                 return httpClientBuilder
-                        .setDefaultCredentialsProvider(credentialsProvider)
                         // disable the certificate since our testing cluster just uses the default security configuration
                         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                         .setSSLContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build());