Pulled in a squashed version of changes to the ODFE repository since …

…the v1.1.0 release notes were added. Removed the ODFE v.1.1.0 release notes.

Updated the THIRD-PARTY file with dependencies for Data Prepper v1.1.0.

Signed-off-by: David Venable <[email protected]>

Data Prepper v1.1.0

Signed-off-by: David Venable <[email protected]>

Updating to a Descriptive ARN Exception with a try-catch
Signed-off-by: Shivani Shukla <[email protected]>

Updated to InvalidArn Exception
Signed-off-by: Shivani Shukla <[email protected]>

Added AWSSDK ARNs for format validation
Signed-off-by: Shivani Shukla <[email protected]>

Added validation for ARN format
Signed-off-by: Shivani Shukla <[email protected]>

Netty 4.1.61

Signed-off-by: David Venable <[email protected]>

Apache httpclient 4.5.13

Signed-off-by: David Venable <[email protected]>

Guava 30.0.1; ElasticSearch 7.10.2; Log4J 2.14.1; BeanUtils 1.9.4

Signed-off-by: David Venable <[email protected]>

Added v1.1.0 release notes.

Signed-off-by: Jeff Wright <[email protected]>

Signed-off-by: David Venable <[email protected]>

build.gradle

@@ -49,16 +49,34 @@ subprojects {
         }
     }
     dependencies {
-        implementation 'com.google.guava:guava:29.0-jre'
-        implementation 'org.apache.logging.log4j:log4j-core:2.14.0'
+        implementation 'com.google.guava:guava:31.0.1-jre'
+        implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
         implementation 'org.slf4j:slf4j-api:1.7.30'
-        implementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.14.0'
+        implementation 'org.apache.logging.log4j:log4j-slf4j-impl:2.14.1'
         testImplementation platform("org.junit:junit-bom:${versionMap.junitJupiter}")
         testImplementation 'org.junit.jupiter:junit-jupiter'
         testImplementation 'org.junit.vintage:junit-vintage-engine'
         testImplementation "org.mockito:mockito-core:${versionMap.mockito}"
         testImplementation "org.mockito:mockito-junit-jupiter:${versionMap.mockito}"
+        constraints {
+            implementation('org.apache.httpcomponents:httpclient') {
+                version {
+                    require '4.5.13'
+                }
+                because 'We want the newest version of httpclient.'
+            }
+        }
+    }
+
+    configurations.all {
+        resolutionStrategy.eachDependency { def details ->
+            if (details.requested.group == 'io.netty' && !details.requested.name.startsWith('netty-tcnative')) {
+                details.useVersion '4.1.61.Final'
+                details.because 'includes CVE fix'
+            }
+        }
     }
+
     build.dependsOn test
     jacocoTestReport {
         dependsOn test // tests are required to run before generating the report

data-prepper-plugins/opensearch/build.gradle

@@ -55,6 +55,7 @@ dependencies {
     implementation 'software.amazon.awssdk:utils:2.17.15'
     implementation 'software.amazon.awssdk:sts:2.17.15'
     implementation 'software.amazon.awssdk:url-connection-client:2.17.15'
+    implementation 'software.amazon.awssdk:arns:2.17.53'
     implementation "io.micrometer:micrometer-core:1.7.2"
     // The OpenSearch build-tools plugin appears to be preventing Gradle's platform
     // support from working correctly, so we have to specify the JUnit versions here.
@@ -82,15 +83,17 @@ configurations.all {
         force 'com.fasterxml.jackson:jackson-bom:2.12.4'
         force 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.12.4'
         force 'commons-logging:commons-logging:1.2'
-        force 'org.apache.httpcomponents:httpclient:4.5.10'
+        force 'org.apache.httpcomponents:httpclient:4.5.13'
         force "org.hdrhistogram:HdrHistogram:2.1.12"
         force 'joda-time:joda-time:2.10.10'
         force 'org.yaml:snakeyaml:1.29'
         force 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.12.4'
+        force 'com.google.guava:guava:31.0.1-jre'
         force 'junit:junit:4.13.2'
         force "org.slf4j:slf4j-api:1.7.32"
         force "org.apache.logging.log4j:log4j-api:2.14.1"
         force "org.apache.logging.log4j:log4j-core:2.14.1"
+        force 'commons-beanutils:commons-beanutils:1.9.4'
     }
     // The OpenSearch plugins appear to provide their own version of Mockito
     // which is causing problems, so we exclude it.

data-prepper-plugins/opensearch/src/main/java/com/amazon/dataprepper/plugins/sink/opensearch/ConnectionConfiguration.java

@@ -35,6 +35,7 @@
 import software.amazon.awssdk.services.sts.StsClient;
 import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
 import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
+import software.amazon.awssdk.arns.Arn;
 
 import javax.net.ssl.SSLContext;
 import java.io.InputStream;
@@ -349,6 +350,14 @@ public Builder withAwsRegion(final String awsRegion) {
     }
 
     public Builder withAWSStsRoleArn(final String awsStsRoleArn) {
+      checkArgument(awsStsRoleArn == null || awsStsRoleArn.length() <= 2048, "awsStsRoleArn length cannot exceed 2048");
+      if(awsStsRoleArn != null) {
+        try {
+          Arn.fromString(awsStsRoleArn);
+        } catch (Exception e) {
+          throw new IllegalArgumentException("Invalid ARN format for awsStsRoleArn");
+        }
+      }
       this.awsStsRoleArn = awsStsRoleArn;
       return this;
     }

data-prepper-plugins/opensearch/src/test/java/com/amazon/dataprepper/plugins/sink/opensearch/ConnectionConfigurationTests.java

@@ -158,12 +158,12 @@ public void testCreateClientWithAWSSigV4AndCertPath() throws IOException {
     @Test
     public void testCreateClientWithAWSSigV4AndSTSRole() throws IOException {
         final PluginSetting pluginSetting = generatePluginSetting(
-                TEST_HOSTS, null, null, null, null, true, null, "some-iam-role", TEST_CERT_PATH, false);
+                TEST_HOSTS, null, null, null, null, true, null, "arn:aws:iam::123456789012:iam-role", TEST_CERT_PATH, false);
         final ConnectionConfiguration connectionConfiguration =
                 ConnectionConfiguration.readConnectionConfiguration(pluginSetting);
         assertEquals("us-east-1", connectionConfiguration.getAwsRegion());
         assertTrue(connectionConfiguration.isAwsSigv4());
-        assertEquals("some-iam-role", connectionConfiguration.getAwsStsRoleArn());
+        assertEquals("arn:aws:iam::123456789012:iam-role", connectionConfiguration.getAwsStsRoleArn());
         assertEquals(TEST_PIPELINE_NAME, connectionConfiguration.getPipelineName());
     }
 

data-prepper-plugins/otel-trace-raw-prepper/build.gradle

@@ -24,7 +24,6 @@ dependencies {
     implementation "com.linecorp.armeria:armeria-grpc:1.9.2"
     implementation "com.fasterxml.jackson.core:jackson-databind:2.12.4"
     implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4"
-    implementation group: 'com.google.guava', name: 'guava', version: '30.1.1-jre'
     testImplementation 'org.assertj:assertj-core:3.20.2'
     testImplementation "org.mockito:mockito-inline:${versionMap.mockito}"
     testImplementation "org.hamcrest:hamcrest:2.2"

data-prepper-plugins/otel-trace-source/src/main/java/com/amazon/dataprepper/plugins/certificate/acm/ACMCertificateProvider.java

@@ -2,6 +2,7 @@
 
 import com.amazon.dataprepper.plugins.certificate.CertificateProvider;
 import com.amazon.dataprepper.plugins.certificate.model.Certificate;
+import com.amazonaws.arn.Arn;
 import com.amazonaws.services.certificatemanager.AWSCertificateManager;
 import com.amazonaws.services.certificatemanager.model.ExportCertificateRequest;
 import com.amazonaws.services.certificatemanager.model.ExportCertificateResult;
@@ -53,6 +54,11 @@ public ACMCertificateProvider(final AWSCertificateManager awsCertificateManager,
                                   final String passphrase) {
         this.awsCertificateManager = Objects.requireNonNull(awsCertificateManager);
         this.acmArn = Objects.requireNonNull(acmArn);
+        try {
+            Arn.fromString(acmArn);
+        } catch (Exception e) {
+            throw new InvalidArnException("Invalid ARN format for acmArn");
+        }
         this.totalTimeout = Objects.requireNonNull(totalTimeout);
         // Passphrase can be null. If null a random passphrase will be generated.
         this.passphrase = passphrase;

data-prepper-plugins/peer-forwarder/src/main/java/com/amazon/dataprepper/plugins/prepper/peerforwarder/certificate/CertificateProviderConfig.java

@@ -1,5 +1,8 @@
 package com.amazon.dataprepper.plugins.prepper.peerforwarder.certificate;
 
+import com.amazonaws.arn.Arn;
+import com.amazonaws.services.certificatemanager.model.InvalidArnException;
+
 public class CertificateProviderConfig {
     private static final String S3_PREFIX = "s3://";
 
@@ -12,6 +15,13 @@ public class CertificateProviderConfig {
     public CertificateProviderConfig(final boolean useAcmCertForSSL, final String acmCertificateArn, final String awsRegion, final long acmCertIssueTimeOutMillis, final String sslKeyCertChainFile) {
         this.useAcmCertForSSL = useAcmCertForSSL;
         this.acmCertificateArn = acmCertificateArn;
+        if(acmCertificateArn != null) {
+            try {
+                Arn.fromString(acmCertificateArn);
+            } catch(Exception e) {
+                throw new InvalidArnException("Invalid ARN format for acmCertificateArn");
+            }
+        }
         this.awsRegion = awsRegion;
         this.acmCertIssueTimeOutMillis = acmCertIssueTimeOutMillis;
         this.sslKeyCertChainFile = sslKeyCertChainFile;

gradle.properties

@@ -1 +1 @@
-version=1.0.0
+version=1.1.0