Merge branch 'main' of https://github.com/opensearch-project/security…

…-dashboards-plugin into password-strenght-ui

Signed-off-by: Derek Ho <dxho@amazon.com>

.eslintignore

@@ -4,3 +4,4 @@ node_modules
 /build
 /target
 /.eslintrc.js
+/cypress.config.js

.eslintrc.js

@@ -15,9 +15,15 @@ const LICENSE_HEADER = `
  */
 `
 
-module.exports = {	
-  root: true,	
+module.exports = {
+  root: true,
   extends: ['@elastic/eslint-config-kibana', 'plugin:@elastic/eui/recommended'],
+  env: {
+    'cypress/globals': true,
+  },
+  plugins: [
+    'cypress',
+  ],
   rules: {
     // "@osd/eslint/require-license-header": "off"
     '@osd/eslint/no-restricted-paths': [
@@ -27,11 +33,17 @@ module.exports = {
         zones: [
           {
             target: ['(public|server)/**/*'],
-            from: ['../../packages/**/*','packages/**/*']
+            from: ['../../packages/**/*','packages/**/*'],
           },
-        ]
-      }
-    ]
+        ],
+      },
+    ],
+    // Add cypress specific rules here
+    'cypress/no-assigning-return-values': 'error',
+    'cypress/no-unnecessary-waiting': 'error',
+    'cypress/assertion-before-screenshot': 'warn',
+    'cypress/no-force': 'warn',
+    'cypress/no-async-tests': 'error',
   },
   overrides: [
     {
@@ -43,8 +55,8 @@ module.exports = {
             licenses: [ LICENSE_HEADER ],
           },
         ],
-        "no-console": 0
-      }
-    }
+        'no-console': 0,
+      },
+    },
   ],
-};
+};

.github/actions/download-plugin/action.yml

@@ -30,16 +30,18 @@ runs:
       run: |
         cat > setup.sh <<'EOF'
         chmod +x  ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh 
-        /bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh"
+        /bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh -t"
         echo "plugins.security.unsupported.restapi.allow_securityconfig_modification: true" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
+        echo "cluster.routing.allocation.disk.threshold_enabled: false" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
         EOF
       shell: bash
 
     - name: Create Setup Script for Windows
       if: ${{ runner.os == 'Windows' }}
       run: |
         New-Item .\setup.bat -type file
-        Set-Content .\setup.bat -Value "powershell.exe -noexit -command `".\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\plugins\${{ inputs.plugin-name }}\tools\install_demo_configuration.bat -y -i -c`""
+        Set-Content .\setup.bat -Value "powershell.exe -noexit -command `".\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\plugins\${{ inputs.plugin-name }}\tools\install_demo_configuration.bat -y -i -c -t`""
         Add-Content -Path .\setup.bat -Value "echo plugins.security.unsupported.restapi.allow_securityconfig_modification: true >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
+        Add-Content -Path .\setup.bat -Value "echo cluster.routing.allocation.disk.threshold_enabled: false >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
         Get-Content .\setup.bat
       shell: pwsh

.github/actions/install-dashboards/action.yml

@@ -33,6 +33,9 @@ runs:
         repository: opensearch-project/OpenSearch-Dashboards
         ref: 'main'
         fetch-depth: 0
+        filter: |
+          cypress
+          test
 
     - uses: actions/checkout@v2
       with:

.github/workflows/cypress-test-oidc-e2e.yml

@@ -0,0 +1,249 @@
+name: Snapshot based E2E OIDC tests workflow
+on:
+  pull_request:
+    branches: [ '**' ]
+env:
+  OPENSEARCH_VERSION: '3.0.0'
+  KEYCLOAK_VERSION: '21.0.1'
+  TEST_KEYCLOAK_CLIENT_SECRET: 'oacHfNaXyy81r2uHq1A9RY4ASryre4rZ'
+  CI: 1
+  # avoid warnings like "tput: No value for $TERM and no -T specified"
+  TERM: xterm
+  PLUGIN_NAME: opensearch-security
+  # This is the SHA256 checksum of the known good kc.sh script for Keycloak version 21.0.1.
+  KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT: 'f825ea1a9ffa5ad91673737c06857ababbb69b6b8f09e0c637b4c998517f9608'
+  OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!
+
+jobs:
+  tests:
+    name: Run Cypress E2E OIDC tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+
+      - name: Checkout Branch
+        uses: actions/checkout@v3
+
+      - name: Set env
+        run: |
+          opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
+          plugin_version=$(node -p "require('./package.json').version")
+          echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
+          echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
+        shell: bash
+
+      # Download and Check Keycloak Version
+      - name: Download and Check Keyloak Version on Linux
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          echo "Downloading Keycloak ${{ env.KEYCLOAK_VERSION }}"
+          wget https://github.com/keycloak/keycloak/releases/download/${{ env.KEYCLOAK_VERSION }}/keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
+          echo "Unpacking Keycloak"
+          tar -xzf keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
+          cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin
+          echo "Generating checksum for the downloaded kc.sh script..."
+          DOWNLOADED_CHECKSUM=$(sha256sum kc.sh | awk '{print $1}')
+          echo "Downloaded kc.sh checksum: $DOWNLOADED_CHECKSUM"
+          echo "Known good kc.sh checksum: ${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}"
+          KNOWN_GOOD_CHECKSUM="${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}" 
+          if [ "$DOWNLOADED_CHECKSUM" != "$KNOWN_GOOD_CHECKSUM" ]; then
+              echo "Checksum mismatch. The kc.sh script does not match the known good version. Please check https://github.com/keycloak/keycloak and verify the updates."
+              exit 1
+          else
+              echo "Checksum match confirmed. Proceeding with setup."
+          fi
+          chmod +x ./kc.sh
+
+      # Setup and Run Keycloak
+      - name: Get and run Keycloak on Linux
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          export KEYCLOAK_ADMIN=admin
+          export KEYCLOAK_ADMIN_PASSWORD=admin
+          cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin
+          echo "Starting keycloak"
+          ./kc.sh start-dev --http-enabled=true --hostname-strict-https=false --http-host=localhost --http-relative-path /auth --health-enabled=true &
+          timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8080/auth/health)" != "200" ]]; do sleep 5; done'
+          chmod +x kcadm.sh
+          echo "Creating client"
+          ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
+          CID=$(./kcadm.sh create clients -r master -s clientId=opensearch -s secret="${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" -s 'attributes."access.token.lifespan"=60' -s 'redirectUris=["http://localhost:5603/auth/openid/login", "http://localhost:5601", "http://localhost:5601/auth/openid/login"]' -i)
+          ./kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json > tmp
+          echo "Getting client secret for dashboards configuration purpose"
+          CLIENT_SECRET=$(grep -o '"secret" : "[^"]*' tmp | grep -o '[^"]*$')
+          echo "KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV
+          echo "The client secret is: $CLIENT_SECRET"
+          echo "Creating client mapper"
+          ./kcadm.sh create clients/$CID/protocol-mappers/models  -r master -s 'config."id.token.claim"=true' -s 'config."multivalued"=true' -s 'config."claim.name"="roles"' -s 'config."userinfo.token.claim"=true' -s 'config."access.token.claim"=true' -s 'name=rolemapper' -s 'protocolMapper=oidc-usermodel-realm-role-mapper' -s "protocol=openid-connect"
+      
+      - name: Download security plugin and create setup scripts
+        uses: ./.github/actions/download-plugin
+        with:
+          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
+          plugin-name: ${{ env.PLUGIN_NAME }}
+          plugin-version: ${{ env.PLUGIN_VERSION }}
+
+      # Download OpenSearch
+      - name: Download OpenSearch for Linux
+        uses: peternied/download-file@v2
+        if: ${{ runner.os == 'Linux' }}
+        with:
+          url: https://artifacts.opensearch.org/snapshots/core/opensearch/${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/opensearch-min-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT-linux-x64-latest.tar.gz
+
+      # Extract downloaded tar/zip
+      - name: Extract downloaded tar
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          tar -xzf opensearch-*.tar.gz
+          rm -f opensearch-*.tar.gz
+        shell: bash
+
+      # Install the security plugin
+      - name: Install Plugin into OpenSearch for Linux
+        if: ${{ runner.os == 'Linux'}}
+        run: |
+          chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin
+          /bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin install file:$(pwd)/opensearch-security.zip"
+        shell: bash
+
+      # Add OIDC Configuration
+      - name: Injecting OIDC Configuration for Linux
+        if: ${{ runner.os == 'Linux'}}
+        run: |
+          echo "Creating new SAML configuration"
+          cd ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/
+          rm -rf config.yml
+          cat << 'EOT' > config.yml
+          ---
+          _meta:
+            type: "config"
+            config_version: 2
+          config:
+            dynamic:
+              http:
+                anonymous_auth_enabled: false
+              authc:
+                basic_internal_auth_domain:
+                  description: "Authenticate via HTTP Basic against internal users database"
+                  http_enabled: true
+                  transport_enabled: true
+                  order: 0
+                  http_authenticator:
+                    type: basic
+                    challenge: false
+                  authentication_backend:
+                    type: intern
+                openid_auth_domain:
+                  http_enabled: true
+                  transport_enabled: true
+                  order: 1
+                  http_authenticator:
+                    type: openid
+                    challenge: false
+                    config:
+                      subject_key: preferred_username
+                      roles_key: roles
+                      openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration
+                  authentication_backend:
+                    type: noop
+          EOT
+          echo "THIS IS THE SECURITY CONFIG FILE: "
+          cat config.yml
+
+      # Run any configuration scripts
+      - name: Run Setup Script for Linux
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          echo "running linux setup"
+          chmod +x ./setup.sh
+          ./setup.sh
+        shell: bash
+
+      # Run OpenSearch
+      - name: Run OpenSearch with plugin on Linux
+        if: ${{ runner.os == 'Linux'}}
+        run: |
+          /bin/bash -c "./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch &"
+        shell: bash
+
+      # Give the OpenSearch process some time to boot up before sending any requires, might need to increase the default time!
+      - name: Sleep while OpenSearch starts
+        uses: peternied/action-sleep@v1
+        with:
+          seconds: 30
+
+      # Verify that the server is operational
+      - name: Check OpenSearch Running on Linux
+        if: ${{ runner.os != 'Windows'}}
+        run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}' -k -v
+        shell: bash
+
+      - if: always()
+        run: cat ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/logs/opensearch.log
+        shell: bash
+
+      # OSD bootstrap
+      - name: Run Dashboard with Security Dashboards Plugin
+        uses: ./.github/actions/install-dashboards
+        with:
+          plugin_name: security-dashboards-plugin
+
+      # Configure the Dashboard for OIDC setup
+      - name: Configure and Run OpenSearch Dashboards with Cypress Test Cases
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          cd ./OpenSearch-Dashboards
+          rm -rf ./config/opensearch_dashboards.yml
+          cat << 'EOT' > ./config/opensearch_dashboards.yml
+          server.host: "localhost"
+          opensearch.hosts: ["https://localhost:9200"]
+          opensearch.ssl.verificationMode: none
+          opensearch.username: "kibanaserver"
+          opensearch.password: "kibanaserver"
+          opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+          opensearch_security.multitenancy.enabled: true
+          opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
+          opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+          opensearch_security.cookie.secure: false
+          opensearch_security.openid.connect_url: "http://127.0.0.1:8080/auth/realms/master/.well-known/openid-configuration"
+          opensearch_security.openid.client_id: "opensearch"
+          opensearch_security.openid.client_secret: "${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}"
+          opensearch_security.auth.type: ["openid"]
+          opensearch_security.auth.multiple_auth_enabled: true
+          opensearch_security.ui.openid.login.buttonname: "OIDC"
+          home.disableWelcomeScreen: true
+          EOT
+          echo 'HERE IS THE DASHBOARD CONFIG FILE: '
+          cat ./config/opensearch_dashboards.yml
+          nohup yarn start --no-base-path --no-watch | tee dashboard.log &
+
+      # Check if OSD is ready with a max timeout of 600 seconds
+      - name : Check If OpenSearch Dashboards Is Ready
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          cd ./OpenSearch-Dashboards
+          echo "Start checking OpenSearch Dashboards."
+          for i in {1..60}; do
+            if grep -q "bundles compiled successfully after" "dashboard.log"; then
+              echo "OpenSearch Dashboards compiled successfully."
+              break
+            fi
+            if [ $i -eq 60 ]; then
+              echo "Timeout for 600 seconds reached. OpenSearch Dashboards did not finish compiling."
+              exit 1
+            fi
+            sleep 10
+          done
+
+      - name: Run Cypress
+        run : |
+          yarn add cypress --save-dev
+          yarn cypress:run --browser chrome --headless --spec 'test/cypress/e2e/oidc/*.js'