Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Cypress13 testing frame work for OIDC and SAML #1691

Merged
merged 3 commits into from
Dec 18, 2023

Conversation

RyanL1997
Copy link
Collaborator

Description

Manual Backport from #1579

Category

Enhancement

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

RyanL1997 and others added 3 commits December 8, 2023 12:52
* Cypress13 testing frame work for OIDC and SAML
---------
Signed-off-by: Ryan Liang <[email protected]>
Signed-off-by: Ryan Liang <[email protected]>
Copy link

codecov bot commented Dec 8, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (61d9530) 66.73% compared to head (3801960) 66.73%.

❗ Current head 3801960 differs from pull request most recent head 38e6d4b. Consider uploading reports for the commit 38e6d4b to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##              2.x    #1691   +/-   ##
=======================================
  Coverage   66.73%   66.73%           
=======================================
  Files          93       93           
  Lines        2351     2351           
  Branches      311      316    +5     
=======================================
  Hits         1569     1569           
  Misses        705      705           
  Partials       77       77           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cwperks
Copy link
Member

cwperks commented Dec 12, 2023

@RyanL1997 I will help looking at the saml_multiauth test failures. One thing I noticed is that on a fresh cluster I get this issue, but if I manually update the security config they pass.

Command to update security config curl -XPUT https://admin:admin@localhost:9200/_plugins/_security/api/securityconfig/config -k -H "Content-Type: application/json" --data ' { "dynamic": { "filtered_alias_mode": "warn", "disable_rest_auth": false, "disable_intertransport_auth": false, "respect_request_indices_options": false, "kibana": { "multitenancy_enabled": true, "server_username": "kibanaserver", "index": ".kibana" }, "http": { "anonymous_auth_enabled": false, "xff": { "enabled": false, "internalProxies": "192\\.168\\.0\\.10|192\\.168\\.0\\.11", "remoteIpHeader": "X-Forwarded-For" } }, "authc": { "jwt_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 0, "http_authenticator": { "challenge": false, "type": "jwt", "config": { "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key", "jwt_header": "Authorization", "jwt_clock_skew_tolerance_seconds": 30 } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via Json Web Token" }, "ldap": { "http_enabled": false, "transport_enabled": false, "order": 5, "http_authenticator": { "challenge": false, "type": "basic", "config": {} }, "authentication_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "userbase": "ou=people,dc=example,dc=com", "usersearch": "(sAMAccountName={0})" } }, "description": "Authenticate via LDAP or Active Directory" }, "basic_internal_auth_domain": { "http_enabled": true, "transport_enabled": true, "order": 4, "http_authenticator": { "challenge": false, "type": "basic", "config": {} }, "authentication_backend": { "type": "intern", "config": {} }, "description": "Authenticate via HTTP Basic against internal users database" }, "proxy_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 3, "http_authenticator": { "challenge": false, "type": "proxy", "config": { "user_header": "x-proxy-user", "roles_header": "x-proxy-roles" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via proxy" }, "clientcert_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 2, "http_authenticator": { "challenge": false, "type": "clientcert", "config": { "username_attribute": "cn" } }, "authentication_backend": { "type": "noop", "config": {} }, "description": "Authenticate via SSL client certificates" }, "saml_auth_domain": { "http_enabled": true, "transport_enabled": false, "order": 5, "http_authenticator": { "challenge": true, "type": "saml", "config": { "idp": { "metadata_url": "http://localhost:7000/metadata", "entity_id": "urn:example:idp" }, "sp": { "entity_id": "https://localhost:9200" }, "kibana_url": "http://localhost:5601", "exchange_key": "6aff3042-1327-4f3d-82f0-40a157ac4464" } }, "authentication_backend": { "type": "noop", "config": {} } }, "kerberos_auth_domain": { "http_enabled": false, "transport_enabled": false, "order": 6, "http_authenticator": { "challenge": true, "type": "kerberos", "config": { "krb_debug": false, "strip_realm_from_principal": true } }, "authentication_backend": { "type": "noop", "config": {} } } }, "authz": { "roles_from_another_ldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": {} }, "description": "Authorize via another Active Directory" }, "roles_from_myldap": { "http_enabled": false, "transport_enabled": false, "authorization_backend": { "type": "ldap", "config": { "enable_ssl": false, "enable_start_tls": false, "enable_ssl_client_auth": false, "verify_hostnames": true, "hosts": [ "localhost:8389" ], "rolebase": "ou=groups,dc=example,dc=com", "rolesearch": "(member={0})", "userrolename": "disabled", "rolename": "cn", "resolve_nested_roles": true, "userbase": "ou=people,dc=example,dc=com", "usersearch": "(uid={0})" } }, "description": "Authorize via LDAP or Active Directory" } }, "auth_failure_listeners": {}, "do_not_fail_on_forbidden": false, "multi_rolespan_enabled": true, "hosts_resolver_mode": "ip-only", "do_not_fail_on_forbidden_empty": false } }'

Edit: They may also be related to opensearch-project/security#3671

@cwperks
Copy link
Member

cwperks commented Dec 16, 2023

@RyanL1997 This PR will fix the failing SAML checks: opensearch-project/security#3853

cwperks added a commit to opensearch-project/security that referenced this pull request Dec 18, 2023
### Description

Resolves an issue with permissions in the SAML auth flow after merge of
#3671

This backports code from
#2987 that wraps the
call to `instantiateAAA` in `AccessController.doPrivileged`. Expand the
section below to see the stack trace with permissions error.

<details>
<summary>Permission issue stack trace</summary>
[2023-12-15T23:45:14,828][WARN ][o.o.s.s.ReflectionHelper ]
[6c7e67b914eb] Unable to enable
'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to
java.lang.reflect.InvocationTargetException
[2023-12-15T23:45:14,832][ERROR][o.o.s.s.DynamicConfigModelV7]
[6c7e67b914eb] Unable to initialize auth domain
saml_auth_domain=AuthcDomain [http_enabled=true,
transport_enabled=false, order=5, http_authenticator=HttpAuthenticator
[challenge=true, type=saml,
config={idp={metadata_url=http://localhost:7000/metadata,
entity_id=urn:example:idp}, sp={entity_id=https://localhost:9200/},
kibana_url=http://localhost:5601/,
exchange_key=6aff3042-1327-4f3d-82f0-40a157ac4464}],
authentication_backend=AuthcBackend [type=noop, config={}],
description=null] due to
OpenSearchException[java.lang.reflect.InvocationTargetException];
nested: InvocationTargetException; nested:
RuntimeException[java.security.AccessControlException: access denied
("java.util.PropertyPermission" "*" "read,write")]; nested:
AccessControlException[access denied ("java.util.PropertyPermission" "*"
"read,write")];
org.opensearch.OpenSearchException:
java.lang.reflect.InvocationTargetException
at
org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:73)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:443)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:330)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:100)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:285)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:406)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:395)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:379)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:128)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:52)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:200)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:328)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:324)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceivedDecorate(SecuritySSLRequestHandler.java:224)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.transport.SecurityRequestHandler.messageReceivedDecorate(SecurityRequestHandler.java:211)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:109)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.security.OpenSearchSecurityPlugin$6$1.messageReceived(OpenSearchSecurityPlugin.java:794)
[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.transport.TransportService$7.doRun(TransportService.java:1067)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:911)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
[opensearch-2.12.0-SNAPSHOT.jar:2.12.0-SNAPSHOT]
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[?:?]
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[?:?]
	at java.base/java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.lang.reflect.InvocationTargetException
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method) ~[?:?]
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
~[?:?]
at
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
~[?:?]
at
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
~[?:?]
at
org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
	... 23 more
Caused by: java.lang.RuntimeException:
java.security.AccessControlException: access denied
("java.util.PropertyPermission" "*" "read,write")
at
com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:154)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method) ~[?:?]
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
~[?:?]
at
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
~[?:?]
at
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
~[?:?]
at
org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
	... 23 more
Caused by: java.security.AccessControlException: access denied
("java.util.PropertyPermission" "*" "read,write")
at
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
~[?:?]
at
java.base/java.security.AccessController.checkPermission(AccessController.java:897)
~[?:?]
at
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
~[?:?]
at
java.base/java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1034)
~[?:?]
	at java.base/java.lang.System.getProperties(System.java:731) ~[?:?]
at
org.opensaml.core.config.provider.SystemPropertyConfigurationPropertiesSource.getProperties(SystemPropertyConfigurationPropertiesSource.java:31)
~[opensaml-core-4.3.0.jar:?]
at
org.opensaml.core.config.ConfigurationService.getConfigurationProperties(ConfigurationService.java:148)
~[opensaml-core-4.3.0.jar:?]
at
org.opensaml.core.config.ConfigurationService.getPartitionName(ConfigurationService.java:192)
~[opensaml-core-4.3.0.jar:?]
at
org.opensaml.core.config.ConfigurationService.get(ConfigurationService.java:90)
~[opensaml-core-4.3.0.jar:?]
at
org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getUnmarshallerFactory(XMLObjectProviderRegistrySupport.java:126)
~[opensaml-core-4.3.0.jar:?]
at
org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.<init>(AbstractMetadataResolver.java:118)
~[opensaml-saml-impl-4.3.0.jar:?]
at
org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver.<init>(AbstractBatchMetadataResolver.java:75)
~[opensaml-saml-impl-4.3.0.jar:?]
at
org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.<init>(AbstractReloadingMetadataResolver.java:128)
~[opensaml-saml-impl-4.3.0.jar:?]
at
org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver.<init>(HTTPMetadataResolver.java:103)
~[opensaml-saml-impl-4.3.0.jar:?]
at
org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver.<init>(HTTPMetadataResolver.java:89)
~[opensaml-saml-impl-4.3.0.jar:?]
at
com.amazon.dlic.auth.http.saml.SamlHTTPMetadataResolver.<init>(SamlHTTPMetadataResolver.java:34)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.createMetadataResolver(HTTPSamlAuthenticator.java:336)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:133)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method) ~[?:?]
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
~[?:?]
at
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
~[?:?]
at
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
~[?:?]
at
org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62)
~[opensearch-security-2.12.0.0-SNAPSHOT.jar:2.12.0.0-SNAPSHOT]
	... 23 more
</details>

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Bug fix

### Issues Resolved

Fixes CI issues seen in:

-
opensearch-project/security-dashboards-plugin#1691
-
opensearch-project/security-dashboards-plugin#1686

### Testing

Tested by creating a local distribution and running the
security-dashboards-plugin integration tests before and after this
change to show that it resolves the issue.

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Craig Perkins <[email protected]>
@cwperks cwperks merged commit cac1be2 into opensearch-project:2.x Dec 18, 2023
18 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants