From 63fa8d268a65b3fcfb2634b455696383dd61b2fb Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Wed, 6 Nov 2024 17:38:28 -0500
Subject: [PATCH] Download certs from security repo (#650)

* Download certs from security repo

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove unused import

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Fix ci check

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Include setup-java step

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* getParent

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove markAsSystemContext

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Configure basic auth header

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove unused imports

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Update link to security repo

Signed-off-by: Craig Perkins <cwperx@amazon.com>

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/build.yml                   |  12 +++++--
 build.gradle                                  |  15 +++++++++
 .../AsynchronousSearchManagementService.java  |   2 --
 .../SecurityEnabledRestTestCase.java          |  30 ++++++++----------
 src/test/resources/security/sample.pem        |  25 ---------------
 src/test/resources/security/test-kirk.jks     | Bin 3766 -> 0 bytes
 6 files changed, 38 insertions(+), 46 deletions(-)
 delete mode 100644 src/test/resources/security/sample.pem
 delete mode 100644 src/test/resources/security/test-kirk.jks

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e49961ce..44f6775e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -82,6 +82,12 @@ jobs:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 
     steps:
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: ${{ matrix.java }}
       - name: Checkout Branch
         uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
@@ -90,9 +96,9 @@ jobs:
       - name: Pull and Run Docker for security tests
         run: |
           plugin=${{ needs.linux-build.outputs.build-test-linux }}
-          version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-3`
-          plugin_version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-4`
-          qualifier=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-1`
+          version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-3`
+          plugin_version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-4`
+          qualifier=`echo $plugin|awk -F- '{print $5}'| cut -d. -f 1-1`
 
           if [ -n "$qualifier" ] && [ "$qualifier" != "SNAPSHOT" ]; then
               qualifier=-${qualifier}
diff --git a/build.gradle b/build.gradle
index 3b832e49..fa90b1fd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -42,6 +42,7 @@ buildscript {
 //****************************************************************************/
 
 plugins {
+    id "de.undercouch.download" version "5.3.0"
     id 'com.netflix.nebula.ospackage' version "11.10.0"
     id 'checkstyle'
 }
@@ -79,6 +80,20 @@ ext {
     projectSubstitutions = [:]
     licenseFile = rootProject.file('LICENSE.txt')
     noticeFile = rootProject.file('NOTICE.txt')
+
+    ['sample.pem', 'test-kirk.jks'].forEach { file ->
+        File local = getLayout().getBuildDirectory().file(file).get().getAsFile()
+        download.run {
+            src "https://raw.githubusercontent.com/opensearch-project/security/refs/heads/main/bwc-test/src/test/resources/security/" + file
+            dest local
+            overwrite false
+        }
+    }
+
+    processResources {
+        from(getLayout().getBuildDirectory().file('sample.pem').get().getAsFile())
+        from(getLayout().getBuildDirectory().file('test-kirk.jks').get().getAsFile())
+    }
 }
 
 java {
diff --git a/src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java b/src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java
index 1746356a..fa9c6610 100644
--- a/src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java
+++ b/src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java
@@ -194,8 +194,6 @@ public void run() {
     public final void performCleanUp() {
         final ThreadContext threadContext = threadPool.getThreadContext();
         try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
-            // we have to execute under the system context so that if security is enabled the sync is authorized
-            threadContext.markAsSystemContext();
             final Map<String, DiscoveryNode> dataNodes = clusterService.state().nodes().getDataNodes();
             List<DiscoveryNode> nodes = Stream.of(dataNodes.values().toArray(new DiscoveryNode[0]))
                     .collect(Collectors.toList());
diff --git a/src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java b/src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java
index a40f821f..f1a00680 100644
--- a/src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java
+++ b/src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java
@@ -7,9 +7,6 @@
 
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.client5.http.auth.AuthScope;
-import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
-import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.Timeout;
@@ -36,8 +33,11 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
+import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -95,7 +95,7 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE
             if (Objects.nonNull(keystore)) {
                 URI uri = null;
                 try {
-                    uri = this.getClass().getClassLoader().getResource("security/sample.pem").toURI();
+                    uri = this.getClass().getClassLoader().getResource("sample.pem").toURI();
                 } catch (URISyntaxException e) {
                     throw new RuntimeException(e);
                 }
@@ -145,7 +145,15 @@ protected void wipeAllOSIndices() throws IOException {
     }
 
     protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException {
-        Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
+        Map<String, String> headers = new HashMap<>(ThreadContext.buildDefaultHeaders(settings));
+        if (System.getProperty("user") != null && System.getProperty("password") != null) {
+            String userName = System.getProperty("user");
+            String password = System.getProperty("password");
+            headers.put(
+                "Authorization",
+                "Basic " + Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(StandardCharsets.UTF_8))
+            );
+        }
         Header[] defaultHeaders = new Header[headers.size()];
         int i = 0;
         for (Map.Entry<String, String> entry : headers.entrySet()) {
@@ -153,15 +161,6 @@ protected static void configureHttpsClient(RestClientBuilder builder, Settings s
         }
         builder.setDefaultHeaders(defaultHeaders);
         builder.setHttpClientConfigCallback(httpClientBuilder -> {
-            String userName = Optional
-                    .ofNullable(System.getProperty("user"))
-                    .orElseThrow(() -> new RuntimeException("user name is missing"));
-            String password = Optional
-                    .ofNullable(System.getProperty("password"))
-                    .orElseThrow(() -> new RuntimeException("password is missing"));
-            BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
-            credentialsProvider.setCredentials(new AuthScope(new HttpHost("localhost", 9200)),
-                    new UsernamePasswordCredentials(userName, password.toCharArray()));
             try {
                 final TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create()
                         .setSslContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build())
@@ -172,8 +171,7 @@ protected static void configureHttpsClient(RestClientBuilder builder, Settings s
                         .build();
 
                 return httpClientBuilder
-                        .setConnectionManager(connectionManager)
-                        .setDefaultCredentialsProvider(credentialsProvider);
+                        .setConnectionManager(connectionManager);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
diff --git a/src/test/resources/security/sample.pem b/src/test/resources/security/sample.pem
deleted file mode 100644
index b690a603..00000000
--- a/src/test/resources/security/sample.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEPDCCAySgAwIBAgIUaYSlET3nzsotWTrWueVPPh10yLYwDQYJKoZIhvcNAQEL
-BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
-cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
-IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
-dCBDQTAeFw0yNDAyMjAxNzAzMjVaFw0zNDAyMTcxNzAzMjVaMFcxCzAJBgNVBAYT
-AmRlMQ0wCwYDVQQHDAR0ZXN0MQ0wCwYDVQQKDARub2RlMQ0wCwYDVQQLDARub2Rl
-MRswGQYDVQQDDBJub2RlLTAuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCm93kXteDQHMAvbUPNPW5pyRHKDD42XGWSgq0k1D29C/Ud
-yL21HLzTJa49ZU2ldIkSKs9JqbkHdyK0o8MO6L8dotLoYbxDWbJFW8bp1w6tDTU0
-HGkn47XVu3EwbfrTENg3jFu+Oem6a/501SzITzJWtS0cn2dIFOBimTVpT/4Zv5qr
-XA6Cp4biOmoTYWhi/qQl8d0IaADiqoZ1MvZbZ6x76qTrRAbg+UWkpTEXoH1xTc8n
-dibR7+HP6OTqCKvo1NhE8uP4pY+fWd6b6l+KLo3IKpfTbAIJXIO+M67FLtWKtttD
-ao94B069skzKk6FPgW/OZh6PRCD0oxOavV+ld2SjAgMBAAGjgcYwgcMwRwYDVR0R
-BEAwPogFKgMEBQWCEm5vZGUtMC5leGFtcGxlLmNvbYIJbG9jYWxob3N0hxAAAAAA
-AAAAAAAAAAAAAAABhwR/AAABMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU0/qDQaY10jIo
-wCjLUpz/HfQXyt8wHwYDVR0jBBgwFoAUF4ffoFrrZhKn1dD4uhJFPLcrAJwwDQYJ
-KoZIhvcNAQELBQADggEBAGbij5WyF0dKhQodQfTiFDb73ygU6IyeJkFSnxF67gDz
-pQJZKFvXuVBa3cGP5e7Qp3TK50N+blXGH0xXeIV9lXeYUk4hVfBlp9LclZGX8tGi
-7Xa2enMvIt5q/Yg3Hh755ZxnDYxCoGkNOXUmnMusKstE0YzvZ5Gv6fcRKFBUgZLh
-hUBqIEAYly1EqH/y45APiRt3Nor1yF6zEI4TnL0yNrHw6LyQkUNCHIGMJLfnJQ9L
-camMGIXOx60kXNMTigF9oXXwixWAnDM9y3QT8QXA7hej/4zkbO+vIeV/7lGUdkyg
-PAi92EvyxmsliEMyMR0VINl8emyobvfwa7oMeWMR+hg=
------END CERTIFICATE-----
diff --git a/src/test/resources/security/test-kirk.jks b/src/test/resources/security/test-kirk.jks
deleted file mode 100644
index 6c8c5ef77e20980f8c78295b159256b805da6a28..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3766
zcmd^=c{r47AIImJ%`(PV###wuU&o%k$xbMgr4m`Pk2Tv-j4?=zEwY?!X|aVw)I`=A
zPAY52Rt6y<MCcv8=bWqaUhjLo@1N(o-aqa?zTe;dT+e;~p5OEN?k(*tfj}TIeE~lf
z)Y~)An=X>ODkPjhAQ%WsfbL*f;mp!-018Nf*#Q6sf)b!}Nv;s_8gzOC@mT<CUb9=$
zb*GftTO^)EqWVFr<Fd9FB>mi+D9F}jyYkhL=#Xk3eYM2csmxKA&W!xAdE{tZ2mEGS
z;L%QU`DHcrbdbw$3GsKUvmf<JNYcVO>Qu0Z^?sH7B)!W)eLbG*fXB^G$&6CbCnj4~
z*J>Rkut6vL1EvT!JqAq#X=O~#!JHQ#QVSPuOGlnLrXXB~{{FsGRq?o?I;>^GFEhMB
z<S6%^>w;z!v1sXap8nq3zz&+prKs-DRPm*XsS4BaP6Z{8tM~n@m|rxMA=p6*i(w=7
z*2&*Yg-uWU$5|W>>g5h)Fn{3B={`skAJ5_wXB5pDwyj{vG1_{{Y-`wB_i^B!5PA|=
zrx=_>rprb&75BQ=J)SKPAJI;?(D#46)o+a?SsR^-&qJj<M@haWtNMJaJC{ZhmE(KW
zR`GsYms+rN;FF)lWOFvHpnx>XY2ER8S*1ZvU`t7~M6?NKULuzlAZ8C#X9>8j2;WDY
z(TY-^!`&0%67`u|U_-Y(knWVcSlh-kwZQ6KG@S?L`W!iVl>Gyd(LnpMc@C!QeY{(E
z)uAwF_CcqH#00}jer2dQk3}R|p^87XCxR8`n4c@g9rASTt9$8}SuGW!!+QQ&w&G!P
zvv5Mft<&pzv^&XuuQAj&ieoa*3nI-hx}0`4kym=(cd>?v6yM3v43y@5@;yPeJ_N{@
z622W$@5Z4VqliMF3GAf_RcB;$HX^%cwTCgxg^4)5I0?*&oW|giBB@nUNBO+IX=iON
zo~;L}HOwhyeqH4GHvAQ5i=|0c+_5*661aDyT_tr=I#+<g(Yu10zfD_^pDpQO19RRH
zPu{Y%5Os~c%c~M4;1lLWX=8Pmc=7A5%@HXNs>Zog%!9nRiuBb8m&SS4qp2fv7HJMG
zwJFuqV*Hoq3`|Mayml;So|9W4Um6Lu8(k+(Hc2}p@&>?!7!7H~9*O%@BrKNAOa-~e
z$e6#G)fJ+<lU2(P^650WZ?&Mj95TPOxc2CP-dS!rkL$d&lh3k>wNz5x9zU;#>&V}d
z?!F1W_eNN;&LI9$!kWa0Zqa)0CVM4D=x(r>aXgW=XQ)PTRsJJ&MC?WjjoMwLRh`-I
z8yD|^&(r#NU|pRpRF%wn&t%X`)8HQe%uxEKnXxIu9yui1s$eH0*YZ^Wvt25yOg6{5
zPefKstjqam-PRDz=&-BVb^xZe>{C{$cza!_sV&3M*l0ocMJVr!l~TlJi4JChDn9Nn
zc&la1caY}0P&Ho=r;)l;mKBf$V<6A*R6XC}s98g%I7ZIAFI=e6SqQ4;oevw)nw0%^
zKq9#$;{3R0zJv}#mr7@}e+5-(`{C?^vEE#xb7uBY=X#_1v+@~@l?W@Zaq+Yo9bpu&
zR<0us_T`(Q6qp1xYb)Rq;tJ|aTZ&y5xqx<_j-|<O%}#{2?ityHF3aw0N57-#y`Ww0
z-c2pK`KdJXhW0p$jGEqJg~+U%?7C)s7?$GYdTCx@+&suSP}XlD@L31lS`Yx<N?pS0
zUP|G0vv_7T#<RSFC+5}g+}j-+o|4Rsc{JR&QsnDx9Wl)6S*z2z^Wl9fpN420S~IQ2
zp?Q9SExxWJZQ5n#gNVET<L!+{Rg1U-&XWdLl&#?~=Ab%`WM`%e2fb5y58&r8Kj;Xv
zlT*Q}gFw)HIu37O36SVQ2p9l^(VoOocJ0}hR9SnC!NwU&okPLT8?Z<?lN8CAw21@&
z1RbC;WCczvJDiy*T`VzURmK(I<A%84eHD1HTz@ec+`^oF{e9dN_^>>1$SEi@3!A||
z9YH<3ub_#ai=2WG_V9iQ!NU8mB|$4ZK3Gr>_s15<f8K%>;6W-XV-*##3TjwoMP&yb
zq!L{!sQoUn<_ZWb)BbzloM2Zs1tb=+FBn*$!EQmp3Ml#oe;g0);^XP&_osni`NR1A
z0SL>FG{F)8;h%d#4-g0eK+%&0U<MNa0CfHA5vVA$bj<oZAxqf;2%o9m=v-V;OC8&&
zo`~`Bu3mVV6)PFqsKF($?o(PKCTn`T|F+U5gu`ADaA!8z;N};qsX-BO_@)d{0o&Bj
zG24sZEE5B~$lFOAI+`X|pm_apSHqI+FKu&6=ExBvuZW0i4(g<V=X$(#R!4A|9|C~{
zEg$#3{3o4>D-=ghUr~yDQ?!lNE5tKiJ_rjY{@`Q1vj<Bnb5xliI}k1N#8$q^!|*Yo
zh9mx3+y1^BWA=p!MOBSbncbK1d*-XlN(?yhfJNoBk+G@68_(pwd+~2uFI!!`&$;A{
zuJd6g`<pP^X=n<*Fy!;=_J9@eqreaV1e6c}X?jP*u`KlF9^wRm?@%xnL{DD2LhUOk
z1Pq(Ra_?)=ea(VphBMMr83tp3fU$@6eO4$p6kVbqFH1mV?>bVAFU;|?Qs;w|1hFx_
z`*jR7rVAU>9*yRSpD1)#aOb!)@ak(5hk;guG$_9)=K8Ie^uOP<63|FjrX2UEcJw07
zD5c?bxHD${?)1+CMgPg@0|kH>4NzJZO*;#rl-xA_8*SHCS}ygKZP7*uHbRtmaTE%n
zp7Vt7QIt|IIN?)fyS#8IxKHO$?TeY{DpQl5^kyAd$HH^Aa)SJC+I0<z&*NNZ>!ULR
znF7*z6R6~{CCW6M^qKuU!N`I`>YB3i6toA7f7#3%T&$5&wm0nY{&d9(g)LB$%g9dX
zf>HfjVn9;)rG-^=)tiGDd<5M4wDHPl@yEGU_whS<g&rJ+Rb%+=ZyFTN@}Y@k7&(T@
z2;NT8ul|J&6eZ6YH=!~y>h78l$%S*WCqjvj^Xt?_VKp0T{pQGU!F;?_^4EMT$__$E
zH0hMGQlo@W2p^_tPZsnirl@pGb<#0a^*g5ihYtSzKKx%Wg;i4h8B_c6Z+PPWM!I%g
zOr-dLp|0@RV@@&InVrwRJfPT~ZY840gT$Jl4)HP^qcTUWE~1&}C2wS3Sv9pJWiRva
zyK}a9ilnrYe7SB$bu~GF&GM`D1h@ukNsJY|Yt>|?q(4gzgSUuGwSIfsmlD)%J2V0@
zTU&-58&x%P)-#Oev2~&}bv^wwRbD$?Enu(jJiuwM3shGOZ{$juY+RGk#m^`!p7+vO
zAjWFn1{dq`T?N^TggHmN3~VGf^5?a_)R-cj5yfk-?V<|S)%uKn{YGL)7(~eAhWA56
zj7ZS7amp#qQM;t>%6F)v{1S-Gq>88IPiL?2X9<M>=q_r$vhc4{Pd3$WssBMbZaV2W
zu&8||{U99-3!x+JudoA1KSAx^0qg$*YLr)FKtJ($lC@k)W?khPY!~B&<W<arFY(u3
zN1`-czniH!)qyX}OsWyeh1z(ICPkl>3F~Xnxs_<Wt8Jiq<vQ*c;n|YmUNm#PgNNj?
z&B8Cxfp=VUroyV0O;+*v7rFOB5Raom9B=j?&#>WH)b*(MC{~@><C8HVrq;{Ld|t?)
zup7gNL`{k>r={U4@A6+2p8il>0lojdT`r8~C><sXPQO`P{>rA6;jw^lZK9gk<_y!v
za(Rbclc{1;TFBtT`lr|YO0}|UXzh>FLsx6RQUq8=?V4{NR#=oxL2}kHb-ZAfuN<I7
wRG#a8-Cg3pI0*!e`9$?S&FE;i+7p(D(a$T2T}ZlS8exCJi}74&y<F@+00~9w<p2Nx