From 08d17343c0821f7b7528a9559fc3384af5aa2c5b Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 31 Jul 2023 09:20:23 -0400 Subject: [PATCH 01/13] Fix build after Lucene upgrade and breaking XContentFactory changes (#3069) There are multiple PRs in core affecting the security plugin that the security plugin needs to adapt to. - https://github.com/opensearch-project/OpenSearch/pull/7792 - https://github.com/opensearch-project/OpenSearch/pull/8826 - https://github.com/opensearch-project/OpenSearch/pull/8668 I am opening a Draft PR that includes a fix for the Lucene-related test failures which was caused by https://github.com/opensearch-project/OpenSearch/pull/7792 Resolves: https://github.com/opensearch-project/security/issues/3064 Signed-off-by: Craig Perkins --- .../configuration/DlsFlsFilterLeafReader.java | 25 +++++++++++++++++++ .../security/support/ConfigHelper.java | 2 +- .../security/tools/SecurityAdmin.java | 2 +- .../RequestContentValidatorTest.java | 3 +-- .../security/test/helper/file/FileHelper.java | 4 +-- 5 files changed, 30 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java index 508c3dd9b4..0966a3f3ac 100644 --- a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java +++ b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java @@ -46,6 +46,7 @@ import org.apache.lucene.index.SortedNumericDocValues; import org.apache.lucene.index.SortedSetDocValues; import org.apache.lucene.index.StoredFieldVisitor; +import org.apache.lucene.index.StoredFields; import org.apache.lucene.index.TermState; import org.apache.lucene.index.Terms; import org.apache.lucene.index.TermsEnum; 
@@ -473,6 +474,24 @@ public void close() throws IOException { } } + private class DlsFlsStoredFields extends StoredFields { + private final StoredFields in; + + public DlsFlsStoredFields(StoredFields storedFields) { + this.in = storedFields; + } + + @Override + public void document(final int docID, StoredFieldVisitor visitor) throws IOException { + visitor = getDlsFlsVisitor(visitor); + try { + in.document(docID, visitor); + } finally { + finishVisitor(visitor); + } + } + } + @Override protected StoredFieldsReader doGetSequentialStoredFieldsReader(final StoredFieldsReader reader) { return new DlsFlsStoredFieldsReader(reader); @@ -1284,6 +1303,12 @@ public TermState termState() throws IOException { } + @Override + public StoredFields storedFields() throws IOException { + ensureOpen(); + return new DlsFlsStoredFields(in.storedFields()); + } + private String getRuntimeActionName() { return (String) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ACTION_NAME); } diff --git a/src/main/java/org/opensearch/security/support/ConfigHelper.java b/src/main/java/org/opensearch/security/support/ConfigHelper.java index 92bf069028..434a8a02fa 100644 --- a/src/main/java/org/opensearch/security/support/ConfigHelper.java +++ b/src/main/java/org/opensearch/security/support/ConfigHelper.java @@ -141,7 +141,7 @@ public static BytesReference readXContent(final Reader reader, final MediaType m BytesReference retVal; XContentParser parser = null; try { - parser = XContentFactory.xContent(mediaType).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, reader); + parser = mediaType.xContent().createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, reader); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); builder.copyCurrentStructure(parser); 
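Review bot: The new `DlsFlsStoredFields` wrapper in the `@@ -473,6 +474,24 @@` hunk and the `storedFields()` override in the `@@ -1284,6 +1303,12 @@` hunk route every `document(docID, visitor)` call through `getDlsFlsVisitor` and `finishVisitor`, but neither has a comment saying it is a DLS/FLS enforcement point, and the diffstat lists no test that reads through `storedFields()`. I would add a class comment such as `// Wraps the delegate so each document() call is filtered by the DLS/FLS visitor; do not bypass or remove.` Presumably the inherited `storedFields()` would otherwise hand back `in.storedFields()` unfiltered, so a regression test asserting that an FLS-excluded field is absent when a document is loaded via `storedFields().document(...)` would pin the behaviour. The constructor can drop `public`, since the class is `private`.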
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java index d2dc85f9d2..7d8a8a7b0b 100644 --- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java +++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java @@ -1202,7 +1202,7 @@ private static BytesReference readXContent(final String content, final MediaType BytesReference retVal; XContentParser parser = null; try { - parser = XContentFactory.xContent(mediaType).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, content); + parser = mediaType.xContent().createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, content); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); builder.copyCurrentStructure(parser); diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java index ee98d2a10b..55b8664188 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java @@ -24,7 +24,6 @@ import org.opensearch.common.Strings; import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.common.bytes.BytesArray; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; 
@@ -300,7 +299,7 @@ public Map allowedKeys() { } private JsonNode xContentToJsonNode(final ToXContent toXContent) throws IOException { - try (final var xContentBuilder = XContentFactory.contentBuilder(XContentType.JSON)) { + try (final var xContentBuilder = XContentFactory.jsonBuilder()) { toXContent.toXContent(xContentBuilder, ToXContent.EMPTY_PARAMS); return DefaultObjectMapper.readTree(Strings.toString(xContentBuilder)); } diff --git a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java index 90adca6a91..df1495ed10 100644 --- a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java @@ -110,7 +110,7 @@ public static BytesReference readYamlContent(final String file) { XContentParser parser = null; try { - parser = XContentFactory.xContent(XContentType.YAML) + parser = XContentType.YAML.xContent() .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(loadFile(file))); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); @@ -133,7 +133,7 @@ public static BytesReference readYamlContentFromString(final String yaml) { XContentParser parser = null; try { - parser = XContentFactory.xContent(XContentType.YAML) + parser = XContentType.YAML.xContent() .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(yaml)); parser.nextToken(); final XContentBuilder builder = XContentFactory.jsonBuilder(); From cca77bec5350d59d4c8570c4dee9834ff9b3c33c Mon Sep 17 00:00:00 2001 
From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com> Date: Mon, 31 Jul 2023 14:32:50 -0400 Subject: [PATCH 02/13] Remove static local-node reference (#3066) ### Description Remove static reference/initialization of localNode variable inside security plugin, to fix `No user found..` errors caused due to mismatching localNode values in test. Signed-off-by: Peter Nied Co-authored-by: Peter Nied --- .../security/OpenSearchSecurityPlugin.java | 14 +++----------- .../security/transport/SecurityInterceptor.java | 6 +++--- .../transport/SecurityInterceptorTests.java | 7 ++----- 3 files changed, 8 insertions(+), 19 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 1dbc787b74..e46a04f81f 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -212,7 +212,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin private volatile ConfigurationRepository cr; private volatile AdminDNs adminDns; private volatile ClusterService cs; - private static volatile DiscoveryNode localNode; + private volatile AtomicReference localNode = new AtomicReference<>(); private volatile AuditLog auditLog; private volatile BackendRegistry backendRegistry; private volatile SslExceptionHandler sslExceptionHandler; @@ -776,7 +776,7 @@ public void sendRequest( TransportRequestOptions options, TransportResponseHandler handler ) { - si.sendRequestDecorate(sender, connection, action, request, options, handler); + si.sendRequestDecorate(sender, connection, action, request, options, handler, localNode.get()); } }; } 
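Review bot: `private volatile AtomicReference localNode = new AtomicReference<>();` stacks `volatile` on top of an `AtomicReference` whose field is never reassigned in the visible hunks (`onNodeStarted` only calls `this.localNode.set(localNode)`). `final` expresses the intent and keeps safe publication: `private final AtomicReference<DiscoveryNode> localNode = new AtomicReference<>();`. The type argument is not visible on this page and may simply have been lost in rendering; if the declaration really is raw, it should be added.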
@@ -1806,7 +1806,7 @@ public void onNodeStarted(DiscoveryNode localNode) { if (!SSLConfig.isSslOnlyMode() && !client && !disabled) { cr.initOnNodeStart(); } - this.localNode = localNode; + this.localNode.set(localNode); final Set securityModules = ReflectionHelper.getModulesLoaded(); log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules); } @@ -1886,14 +1886,6 @@ private static String handleKeyword(final String field) { return field; } - public static DiscoveryNode getLocalNode() { - return localNode; - } - - public static void setLocalNode(DiscoveryNode node) { - localNode = node; - } - public static class GuiceHolder implements LifecycleComponent { private static RepositoriesService repositoriesService; diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java index 015704e087..5bb4b1d1e3 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java +++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java @@ -130,7 +130,8 @@ public void sendRequestDecorate( String action, TransportRequest request, TransportRequestOptions options, - TransportResponseHandler handler + TransportResponseHandler handler, + DiscoveryNode localNode ) { final Map origHeaders0 = getThreadContext().getHeaders(); final User user0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); 
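Review bot: The new `DiscoveryNode localNode` parameter on `sendRequestDecorate` is undocumented and can be null, because the plugin passes `localNode.get()`, which stays unset until `onNodeStarted` runs. The next hunk (`@@ -146,8 +147,7 @@`) derives `isSameNodeRequest` from it, so the contract belongs in Javadoc, for example `@param localNode the node this plugin runs on, or null before the node has started; null is handled as a request to a different node`. The method body starts and ends outside this hunk, so what `isSameNodeRequest` controls further down is not visible here.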
@@ -146,8 +147,7 @@ public void sendRequestDecorate( final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS); final boolean isDebugEnabled = log.isDebugEnabled(); - final DiscoveryNode localNode = OpenSearchSecurityPlugin.getLocalNode(); - boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode()); + final boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode()); try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) { final TransportResponseHandler restoringHandler = new RestoringTransportResponseHandler(handler, stashedContext); diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java index 7291050d6e..6c16e0cdbd 100644 --- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java +++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java @@ -147,11 +147,8 @@ public void testSendRequestDecorate() { DiscoveryNode otherNode = new DiscoveryNode("local-node", OpenSearchTestCase.buildNewFakeTransportAddress(), Version.CURRENT); Connection connection2 = transportService.getConnection(otherNode); - // setting localNode value explicitly - OpenSearchSecurityPlugin.setLocalNode(localNode); - // isSameNodeRequest = true - securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler); + securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler, localNode); // from thread context inside sendRequestDecorate doAnswer(i -> { User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); 
@@ -165,7 +162,7 @@ public void testSendRequestDecorate() { assertEquals(threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER), null); // isSameNodeRequest = false - securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler); + securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler, otherNode); // checking thread context inside sendRequestDecorate doAnswer(i -> { String serializedUserHeader = threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER); From c0e50da8a13161c3996aab6d20904ebd40b7b837 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 16:02:04 -0400 Subject: [PATCH 03/13] dependabot: bump org.cryptacular:cryptacular from 1.2.4 to 1.2.5 (#3071) Bumps [org.cryptacular:cryptacular](https://github.com/vt-middleware/cryptacular) from 1.2.4 to 1.2.5.
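Review bot: The call under `// isSameNodeRequest = false` passes `otherNode` as the local node while `connection2` was obtained from `transportService.getConnection(otherNode)`, so `localNode.equals(connection.getNode())` is likely true and the different-node branch is not the one exercised. Passing the real local node keeps the comparison between two distinct nodes: `securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler, localNode);`. This assumes `connection2.getNode()` returns `otherNode`, which the hunk does not show. In this hunk and the previous one (`@@ -147,11 +147,8 @@`) the `doAnswer` stubs also appear after the call they are meant to observe, so it is worth confirming that their assertions actually run; the test method continues outside the hunk.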
Release notes

Sourced from org.cryptacular:cryptacular's releases.

v1.2.5 release

See https://www.cryptacular.org/download.html for change log and binaries.

Commits
  • 39eead7 Update version for 1.2.5 release.
  • 75b6c39 Remove travis config.
  • ae821d2 Update plugin and library dependencies.
  • f7dbd7a Improve release script.
  • 5b28d50 Update plugin versions.
  • 3419f66 Use variable for computing buffer length. (#60)
  • bef8a9f Add publish snapshot script.
  • 5285b5e Update plugin and library dependencies.
  • 04e243c Formatting fix.
  • 99d4d90 Update copyright year.
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.cryptacular:cryptacular&package-manager=gradle&previous-version=1.2.4&new-version=1.2.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 813abd6f4f..5490e25193 100644 --- a/build.gradle +++ b/build.gradle @@ -524,7 +524,7 @@ dependencies { runtimeOnly 'com.sun.activation:jakarta.activation:1.2.2' runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5' runtimeOnly 'commons-codec:commons-codec:1.16.0' - runtimeOnly 'org.cryptacular:cryptacular:1.2.4' + runtimeOnly 'org.cryptacular:cryptacular:1.2.5' runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0' runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0' runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0' From 2f69a102134e2f946938cccfa8042d4ab9ce7778 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 31 Jul 2023 16:02:22 -0400 Subject: [PATCH 04/13] bump com.github.wnameless.json:json-base from 2.4.0 to 2.4.1 (#3062) Manually re-creating dependabot's [PR](https://github.com/opensearch-project/security/pull/3042) off of the latest changes from main which has build fixes. Is there a way we can open PRs with main at the push of a button? Signed-off-by: Craig Perkins --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 5490e25193..904559cb48 100644 --- a/build.gradle +++ b/build.gradle @@ -496,7 +496,7 @@ dependencies { implementation "io.jsonwebtoken:jjwt-impl:${jjwt_version}" implementation "io.jsonwebtoken:jjwt-jackson:${jjwt_version}" // JSON flattener - implementation ("com.github.wnameless.json:json-base:2.4.0") { + implementation ("com.github.wnameless.json:json-base:2.4.1") { exclude group: "org.glassfish", module: "jakarta.json" exclude group: "com.google.code.gson", module: "gson" exclude group: "org.json", module: "json" From 5f62e8a9153bdfe1b9f89ead3a59f3022f0ccf63 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 20:11:07 -0400 Subject: [PATCH 05/13] dependabot: bump commons-io:commons-io from 2.11.0 to 2.13.0 (#3074) Bumps commons-io:commons-io from 2.11.0 to 2.13.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=commons-io:commons-io&package-manager=gradle&previous-version=2.11.0&new-version=2.13.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 904559cb48..3d51b9600e 100644 --- a/build.gradle +++ b/build.gradle @@ -630,7 +630,7 @@ dependencies { integrationTestImplementation 'junit:junit:4.13.2' integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}" integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}" - integrationTestImplementation 'commons-io:commons-io:2.11.0' + integrationTestImplementation 'commons-io:commons-io:2.13.0' integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}" integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}" integrationTestImplementation 'org.hamcrest:hamcrest:2.2' From dca76cb80cd7f665a0a292504fd8c70034005185 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 20:11:24 -0400 Subject: [PATCH 06/13] dependabot: bump io.dropwizard.metrics:metrics-core from 3.1.2 to 4.2.19 (#3073) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [io.dropwizard.metrics:metrics-core](https://github.com/dropwizard/metrics) from 3.1.2 to 4.2.19.
Release notes

Sourced from io.dropwizard.metrics:metrics-core's releases.

v4.2.19

What's Changed

... (truncated)

Commits
  • 5b9ab08 [maven-release-plugin] prepare release v4.2.19
  • 5abe0ed Add workflow to trigger a new release
  • 6cc440a Fix NPE in InstrumentedHandler#doStop (Jetty 9, 10, 11) (#3379)
  • 8cd308b Generate metadata for reflection on method parameters (#3377)
  • 07f47a3 Update dependency org.apache.maven.plugins:maven-project-info-reports-plugin ...
  • b9464a2 Fix build with maven-source-plugin
  • 96a8d8e Update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.6.0 ...
  • 2241714 Update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.3.0 ...
  • d7b813f Update dependency org.apache.maven.plugins:maven-source-plugin to v3.3.0 (#3369)
  • 0e8c3ce Update dependency org.apache.felix:maven-bundle-plugin to v5.1.9
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=io.dropwizard.metrics:metrics-core&package-manager=gradle&previous-version=3.1.2&new-version=4.2.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 3d51b9600e..28bc02340c 100644 --- a/build.gradle +++ b/build.gradle @@ -559,7 +559,7 @@ dependencies { runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8' runtimeOnly 'com.google.code.findbugs:jsr305:3.0.2' runtimeOnly 'org.lz4:lz4-java:1.8.0' - runtimeOnly 'io.dropwizard.metrics:metrics-core:3.1.2' + runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19' runtimeOnly 'org.slf4j:slf4j-api:1.7.30' runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.1' From ac57b48fa421ce0657ae511cec94da081f46b93e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 20:11:39 -0400 Subject: [PATCH 07/13] dependabot: bump org.gradle.test-retry from 1.5.2 to 1.5.4 (#3072) Bumps org.gradle.test-retry from 1.5.2 to 1.5.4. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.gradle.test-retry&package-manager=gradle&previous-version=1.5.2&new-version=1.5.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 28bc02340c..9391b26017 100644 --- a/build.gradle +++ b/build.gradle @@ -64,7 +64,7 @@ plugins { id 'com.diffplug.spotless' version '6.19.0' id 'checkstyle' id 'com.netflix.nebula.ospackage' version "11.3.0" - id "org.gradle.test-retry" version "1.5.2" + id "org.gradle.test-retry" version "1.5.4" id 'eclipse' id "com.github.spotbugs" version "5.0.14" id "com.google.osdetector" version "1.7.3" From 634e3af1f65a918bb66746cd74aa1d7eb4608aa3 Mon Sep 17 00:00:00 2001 From: Heemin Kim Date: Mon, 31 Jul 2023 18:03:24 -0700 Subject: [PATCH 08/13] Integrate geospatial ip2geo functionality with security plugin (#3051) ### Description Adds 2 ip2geo related roles to the plugin: read only and fully access. Adds ip2geo system index to demo scripts as well. Signed-off-by: Heemin Kim --- config/roles.yml | 12 ++++++++++++ tools/install_demo_configuration.bat | 2 +- tools/install_demo_configuration.sh | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/config/roles.yml b/config/roles.yml index bd0e0f6b21..570168fe10 100644 --- a/config/roles.yml +++ b/config/roles.yml @@ -108,6 +108,18 @@ knn_full_access: - 'cluster:admin/knn_update_model_graveyard_action' - 'cluster:admin/knn_warmup_action' +# Allow users to execute read only ip2geo datasource action +ip2geo_datasource_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/get' + +# Allow users to use all ip2geo datasource action +ip2geo_datasource_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/*' + # Allows users to read Notebooks notebooks_read_access: reserved: true diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat index f648b7bdf5..b0032f318c 100755 
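Review bot: `ip2geo_datasource_full_access` grants `'cluster:admin/geospatial/datasource/*'`, so this reserved role will silently cover any action later registered under that prefix, whereas the `knn_full_access` entries visible just above name each action. If the set of datasource actions is known, listing them keeps the grant reviewable. If the wildcard is intended, the comment should say so, for example `# Allows all ip2geo datasource actions, including any added later (wildcard is intentional)`. The read-only role's comment would read better as `# Allows users to read ip2geo datasources`.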
--- a/tools/install_demo_configuration.bat +++ b/tools/install_demo_configuration.bat @@ -315,7 +315,7 @@ echo plugins.security.enable_snapshot_restore_privilege: true >> "%OPENSEARCH_CO echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%" echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%" -echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"] >> "%OPENSEARCH_CONF_FILE%" +echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"] >> "%OPENSEARCH_CONF_FILE%" :: network.host >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && ( diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh index 7cdbe5f2f0..c7a9f57579 100755 --- a/tools/install_demo_configuration.sh 
+++ b/tools/install_demo_configuration.sh @@ -383,7 +383,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null -echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null +echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null #network.host if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then 
From eac670f286b9d04eb73104937f8e10619efd7673 Mon Sep 17 00:00:00 2001
From: Peter Nied
Date: Mon, 31 Jul 2023 20:05:13 -0500
Subject: [PATCH 09/13] Update backport version for failure labels (#3063) There have been improvements including adding a label to a pull request when any backport on it has failed. - Related https://github.com/VachaShah/backport/pull/8
Signed-off-by: Peter Nied
Signed-off-by: Peter Nied
---
 .github/workflows/backport.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index e47d8d88c0..ab835cbe9a 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -22,7 +22,9 @@ jobs:
 installation_id: 22958780
 - name: Backport
- uses: VachaShah/backport@v1.1.4
+ uses: VachaShah/backport@v2.2.0
 with:
 github_token: ${{ steps.github_app_token.outputs.token }}
 branch_name: backport/backport-${{ github.event.number }}
+ head_template: backport/backport-<%= number %>-to-<%= base %>
+ failure_labels: backport-failed
From 5384272a63771433905ae409de794786d5747cba Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Tue, 1 Aug 2023 14:11:44 -0400
Subject: [PATCH 10/13] Update CircuitBreakerService and LifecycleComponent after core refactor in #9006 (#3082) This PR reacts to changes introduced in core in this PR: https://github.com/opensearch-project/OpenSearch/pull/9006
Signed-off-by: Craig Perkins
---
 .../opensearch/security/OpenSearchSecurityPlugin.java | 10 +++++-----
 .../security/ssl/OpenSearchSecuritySSLPlugin.java | 2 +-
 .../ssl/transport/SecuritySSLNettyTransport.java | 2 +-
 .../security/test/plugin/UserInjectorPlugin.java | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index e46a04f81f..07865cce67 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
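Review bot: The new `uses: VachaShah/backport@v2.2.0` line in backport.yml references a third-party action by a movable tag, and the same step passes it the GitHub App token from `steps.github_app_token.outputs.token`, so whatever code that tag points to at run time executes with that token. Pin the action to the full commit SHA of the reviewed release and keep the tag as a comment, `uses: VachaShah/backport@<FULL_COMMIT_SHA_PLACEHOLDER> # v2.2.0`. Since this is a major-version jump from v1.1.4, it is also worth confirming that `branch_name` is still read by v2.2.0 now that `head_template` names the backport branch as well; if it is ignored, drop it so the workflow does not carry two conflicting definitions. The workflow's triggers and permissions are outside this hunk.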
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -76,10 +76,10 @@
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.cluster.node.DiscoveryNodes;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.component.Lifecycle.State;
-import org.opensearch.common.component.LifecycleComponent;
-import org.opensearch.common.component.LifecycleListener;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.lifecycle.Lifecycle;
+import org.opensearch.common.lifecycle.LifecycleComponent;
+import org.opensearch.common.lifecycle.LifecycleListener;
 import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.network.NetworkModule;
@@ -93,6 +93,7 @@
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
@@ -104,7 +105,6 @@
 import org.opensearch.index.cache.query.QueryCache;
 import org.opensearch.indices.IndicesService;
 import org.opensearch.indices.SystemIndexDescriptor;
-import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.ClusterPlugin;
 import org.opensearch.plugins.MapperPlugin;
 import org.opensearch.repositories.RepositoriesService;
@@ -1938,7 +1938,7 @@ public static ExtensionsManager getExtensionsManager() {
 public void close() {}
 @Override
- public State lifecycleState() {
+ public Lifecycle.State lifecycleState() {
 return null;
 }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 358e547470..d7f888dfca 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -56,12 +56,12 @@
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
-import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.Plugin;
 import org.opensearch.plugins.SystemIndexPlugin;
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
index 3c3d23022a..ad4ebec1c5 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java
@@ -53,7 +53,7 @@
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.PageCacheRecycler;
-import org.opensearch.indices.breaker.CircuitBreakerService;
+import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.security.ssl.SecurityKeyStore;
 import org.opensearch.security.ssl.SslExceptionHandler;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
diff --git a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
index 227dd6699d..1046bc81e9 100644
--- a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
+++ b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
@@ -38,11 +38,11 @@
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
 import org.opensearch.http.netty4.Netty4HttpServerTransport;
-import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.Plugin;
 import org.opensearch.rest.RestChannel;
From 3d78135d26f1a309005928f93f9448e3376a9e14 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach
Date: Thu, 3 Aug 2023 17:23:14 +0200
Subject: [PATCH 11/13] Fix import for TransportAddress after core refactor #9073 (#3091) ### Description This PR fixed `TransportAddress` imports after core refactor in [#9073](https://github.com/opensearch-project/OpenSearch/pull/9073) ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
Signed-off-by: Andrey Pleskach
---
 .../org/opensearch/security/OpenSearchSecurityPlugin.java | 2 +-
 .../opensearch/security/auditlog/impl/AbstractAuditLog.java | 2 +-
 .../org/opensearch/security/auditlog/impl/AuditMessage.java | 2 +-
 .../opensearch/security/auditlog/impl/RequestResolver.java | 2 +-
 .../java/org/opensearch/security/auth/BackendRegistry.java | 2 +-
 src/main/java/org/opensearch/security/auth/UserInjector.java | 2 +-
 .../security/configuration/SecurityIndexSearcherWrapper.java | 2 +-
 .../opensearch/security/dlic/rest/api/AccountApiAction.java | 2 +-
 .../security/dlic/rest/api/PermissionsInfoAction.java | 2 +-
 .../dlic/rest/api/RestApiAdminPrivilegesEvaluator.java | 2 +-
 .../security/dlic/rest/api/RestApiPrivilegesEvaluator.java | 2 +-
 .../java/org/opensearch/security/dlic/rest/support/Utils.java | 2 +-
 src/main/java/org/opensearch/security/http/XFFResolver.java | 2 +-
 .../opensearch/security/privileges/PrivilegesEvaluator.java | 2 +-
 .../security/privileges/RestLayerPrivilegesEvaluator.java | 2 +-
 .../java/org/opensearch/security/rest/SecurityInfoAction.java | 2 +-
 .../org/opensearch/security/securityconf/ConfigModel.java | 2 +-
 .../org/opensearch/security/securityconf/ConfigModelV6.java | 2 +-
 .../org/opensearch/security/securityconf/ConfigModelV7.java | 2 +-
 .../opensearch/security/transport/SecurityInterceptor.java | 4 ++--
 .../opensearch/security/transport/SecurityRequestHandler.java | 2 +-
 .../opensearch/security/InitializationIntegrationTests.java | 2 +-
 .../security/auditlog/helper/MockAuditMessageFactory.java | 2 +-
 .../security/auditlog/impl/IgnoreAuditUsersTest.java | 2 +-
 .../security/test/helper/cluster/ClusterHelper.java | 2 +-
 .../opensearch/security/test/helper/cluster/ClusterInfo.java | 2 +-
 .../security/transport/SecurityInterceptorTests.java | 2 +-
 27 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 07865cce67..28ba1a716b 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -187,7 +187,7 @@
 import org.opensearch.transport.TransportRequest;
 import org.opensearch.transport.TransportRequestHandler;
 import org.opensearch.transport.TransportRequestOptions;
-import org.opensearch.transport.TransportResponse;
+import org.opensearch.core.transport.TransportResponse;
 import org.opensearch.transport.TransportResponseHandler;
 import org.opensearch.transport.TransportService;
 import org.opensearch.watcher.ResourceWatcherService;
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
index f884738f4b..b62092d148 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java
@@ -46,7 +46,7 @@
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.core.xcontent.MediaType;
 import org.opensearch.common.xcontent.XContentType;
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 34f8f1fef5..fb2c1e11af 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -36,7 +36,7 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.collect.Tuple;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.core.xcontent.MediaType;
 import org.opensearch.common.xcontent.XContentType;
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java b/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java
index 198fbe6366..352c959504 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java
@@ -45,7 +45,7 @@
 import org.opensearch.core.common.bytes.BytesReference;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.MediaType;
 import org.opensearch.common.xcontent.XContentType;
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index b2873f9625..9721664c70 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -49,7 +49,7 @@
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.rest.BytesRestResponse;
 import org.opensearch.rest.RestChannel;
diff --git a/src/main/java/org/opensearch/security/auth/UserInjector.java b/src/main/java/org/opensearch/security/auth/UserInjector.java
index 9ce040c485..3e89a52e93 100644
--- a/src/main/java/org/opensearch/security/auth/UserInjector.java
+++ b/src/main/java/org/opensearch/security/auth/UserInjector.java
@@ -37,7 +37,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.http.XFFResolver;
diff --git a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
index 1619b3da32..15a20db98d 100644
--- a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
@@ -36,7 +36,7 @@
 import org.opensearch.common.CheckedFunction;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.index.Index;
 import org.opensearch.index.IndexService;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
index 4763d312dd..b5d210df5c 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
@@ -29,7 +29,7 @@
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.XContentBuilder;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
index ad8a536bfc..56d2d24337 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
@@ -25,7 +25,7 @@
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.BytesRestResponse;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
index b0a0d828cc..c72e69876d 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
@@ -19,7 +19,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.dlic.rest.support.Utils;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
index 96787bb4f5..35f4332520 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
@@ -30,7 +30,7 @@
 import org.apache.logging.log4j.Logger;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestRequest.Method;
 import org.opensearch.security.configuration.AdminDNs;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
index 52220b2450..34a8da8b9d 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java
@@ -36,7 +36,7 @@
 import org.opensearch.OpenSearchParseException;
 import org.opensearch.SpecialPermission;
 import org.opensearch.core.common.bytes.BytesReference;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.XContentType;
diff --git a/src/main/java/org/opensearch/security/http/XFFResolver.java b/src/main/java/org/opensearch/security/http/XFFResolver.java
index aff5043f61..ddb7255179 100644
--- a/src/main/java/org/opensearch/security/http/XFFResolver.java
+++ b/src/main/java/org/opensearch/security/http/XFFResolver.java
@@ -33,7 +33,7 @@
 import org.greenrobot.eventbus.Subscribe;
 import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.http.netty4.Netty4HttpChannel;
 import org.opensearch.rest.RestRequest;
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index a3738dadac..b05b29657d 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -78,7 +78,7 @@
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
diff --git a/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java
index 301207022b..8602fb91e6 100644
--- a/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluator.java
@@ -20,7 +20,7 @@
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.security.auditlog.AuditLog;
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index 9ed1427122..a10c58f058 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -40,7 +40,7 @@
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.rest.BaseRestHandler;
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModel.java b/src/main/java/org/opensearch/security/securityconf/ConfigModel.java
index 653ff23896..33af51257c 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModel.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModel.java
@@ -29,7 +29,7 @@
 import java.util.Map;
 import java.util.Set;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.security.user.User;
 public abstract class ConfigModel {
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
index 837dc0cff0..d488c9b7d1 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -51,7 +51,7 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.set.Sets;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index 1fb6e4da0e..6f43c43d03 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -54,7 +54,7 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.set.Sets;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
index 5bb4b1d1e3..0c645c9a00 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
@@ -47,7 +47,7 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.security.OpenSearchSecurityPlugin;
 import org.opensearch.security.auditlog.AuditLog;
@@ -67,7 +67,7 @@
 import org.opensearch.transport.TransportRequest;
 import org.opensearch.transport.TransportRequestHandler;
 import org.opensearch.transport.TransportRequestOptions;
-import org.opensearch.transport.TransportResponse;
+import org.opensearch.core.transport.TransportResponse;
 import org.opensearch.transport.TransportResponseHandler;
 import static org.opensearch.security.OpenSearchSecurityPlugin.isActionTraceEnabled;
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 8ea82c9d9d..1284ca9781 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -40,7 +40,7 @@
 import org.opensearch.action.bulk.BulkShardRequest;
 import org.opensearch.action.support.replication.TransportReplicationAction.ConcreteShardRequest;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.extensions.ExtensionsManager;
 import org.opensearch.search.internal.ShardSearchRequest;
diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
index 0fec953472..d6306e7f5d 100644
--- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
@@ -48,7 +48,7 @@
 import org.opensearch.client.RestHighLevelClient;
 import org.opensearch.cluster.health.ClusterHealthStatus;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.security.action.configupdate.ConfigUpdateAction;
 import org.opensearch.security.action.configupdate.ConfigUpdateRequest;
 import org.opensearch.security.action.configupdate.ConfigUpdateResponse;
diff --git a/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java b/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
index 7e67fc374c..0f495d5063 100644
--- a/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
+++ b/src/test/java/org/opensearch/security/auditlog/helper/MockAuditMessageFactory.java
@@ -16,7 +16,7 @@
 import org.opensearch.cluster.ClusterName;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.cluster.service.ClusterService;
-import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.security.auditlog.AuditLog.Origin;
 import org.opensearch.security.auditlog.impl.AuditCategory;
 import org.opensearch.security.auditlog.impl.AuditMessage;
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
index 036482e8f3..8e33401c69 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
@@ -23,7 +23,7 @@ import org.opensearch.cluster.node.DiscoveryNode; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.settings.Settings; -import org.opensearch.common.transport.TransportAddress; +import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.security.auditlog.AuditTestUtils; import org.opensearch.security.auditlog.integration.TestAuditlogImpl; import org.opensearch.security.support.ConfigConstants; diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java index b038949782..5a175f57f7 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java @@ -59,7 +59,7 @@ import org.opensearch.cluster.health.ClusterHealthStatus; import org.opensearch.cluster.node.DiscoveryNodeRole; import org.opensearch.common.settings.Settings; -import org.opensearch.common.transport.TransportAddress; +import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.common.unit.TimeValue; import org.opensearch.common.xcontent.XContentType; import org.opensearch.http.HttpInfo; diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java index d50274e0e0..a7656e1884 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterInfo.java @@ -30,7 +30,7 @@ import java.util.List; import java.util.Set; -import org.opensearch.common.transport.TransportAddress; +import org.opensearch.core.common.transport.TransportAddress; public class ClusterInfo { public int numNodes; 
diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java index 6c16e0cdbd..291f4b7935 100644 --- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java +++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java @@ -39,7 +39,7 @@ import org.opensearch.transport.TransportInterceptor.AsyncSender; import org.opensearch.transport.TransportRequest; import org.opensearch.transport.TransportRequestOptions; -import org.opensearch.transport.TransportResponse; +import org.opensearch.core.transport.TransportResponse; import org.opensearch.transport.TransportResponseHandler; import org.opensearch.transport.TransportService; From 527495ddd869a5b0b6b7cb58a5e716844721476c Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Fri, 4 Aug 2023 09:02:37 -0400 Subject: [PATCH 12/13] Add release notes for 1.3.12.0 (#3095) ### Description Add release notes for 1.3.12.0 * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Documentation ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Craig Perkins --- .../opensearch-security.release-notes-1.3.12.0.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 release-notes/opensearch-security.release-notes-1.3.12.0.md 
diff --git a/release-notes/opensearch-security.release-notes-1.3.12.0.md b/release-notes/opensearch-security.release-notes-1.3.12.0.md new file mode 100644 index 0000000000..d942c19a86 --- /dev/null +++ b/release-notes/opensearch-security.release-notes-1.3.12.0.md @@ -0,0 +1,9 @@ +## 2023-08-10 Version 1.3.12.0 + +Compatible with OpenSearch 1.3.12 + +### Maintenance + +* Bump BouncyCastle from jdk15on to jdk15to18 ([#2901](https://github.com/opensearch-project/security/pull/2901)) [#2931](https://github.com/opensearch-project/security/pull/2931) +* Update guava to address CVE-2023-2976 ([#3060](https://github.com/opensearch-project/security/pull/3060)) +* Bump the version of kafka and spring-kafka-test (CVE Related) ([#3087](https://github.com/opensearch-project/security/pull/3087)) From 1822e13770f4bf67ec97f3d7226b40282e5b7e19 Mon Sep 17 00:00:00 2001 From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Date: Fri, 4 Aug 2023 18:02:09 -0400 Subject: [PATCH 13/13] Make user service use a random password (#3077) Uses Passay to generate a random password for service accounts where each password is between 8 and 16 characters and has at least 1 of each: lower case letter, upper case letter, digit, special symbol. Signed-off-by: Stephen Crawford --- build.gradle | 3 ++ .../opensearch/security/user/UserService.java | 29 +++++++++++++--- .../security/dlic/rest/api/UserApiTest.java | 33 +++++++++++++++++++ 3 files changed, 61 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 9391b26017..a22a044ba0 100644 --- a/build.gradle +++ b/build.gradle @@ -506,6 +506,9 @@ dependencies { implementation 'com.flipkart.zjsonpatch:zjsonpatch:0.4.14' implementation 'org.apache.commons:commons-collections4:4.4' + //Password generation + implementation 'org.passay:passay:1.6.3' + //JSON path implementation 'com.jayway.jsonpath:json-path:2.8.0' implementation 'net.minidev:json-smart:2.4.11' 
diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java
index 0653948a38..bf2e3e0273 100644
--- a/src/main/java/org/opensearch/security/user/UserService.java
+++ b/src/main/java/org/opensearch/security/user/UserService.java
@@ -13,10 +13,12 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.Random;
 import java.util.stream.Collectors;
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -31,6 +33,7 @@
 import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.Randomness;
 import org.opensearch.common.inject.Inject;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentHelper;
@@ -43,6 +46,9 @@
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.SecurityJsonNode;
+import org.passay.CharacterRule;
+import org.passay.EnglishCharacterData;
+import org.passay.PasswordGenerator;
 import static org.opensearch.security.dlic.rest.support.Utils.hash;
@@ -204,13 +210,28 @@ private void verifyServiceAccount(SecurityJsonNode securityJsonNode, String acco
 }
 /**
- * This will be swapped in for a real solution once one is decided on.
+ * Use Passay to generate an 8 - 16 character password with 1+ lowercase, 1+ uppercase, 1+ digit, 1+ special character
 *
 * @return A password for a service account.
 */
- private String generatePassword() {
- String generatedPassword = "superSecurePassword";
- return generatedPassword;
+ public static String generatePassword() {
+
+ CharacterRule lowercaseCharacterRule = new CharacterRule(EnglishCharacterData.LowerCase, 1);
+ CharacterRule uppercaseCharacterRule = new CharacterRule(EnglishCharacterData.UpperCase, 1);
+ CharacterRule numericCharacterRule = new CharacterRule(EnglishCharacterData.Digit, 1);
+ CharacterRule specialCharacterRule = new CharacterRule(EnglishCharacterData.Special, 1);
+
+ List rules = Arrays.asList(
+ lowercaseCharacterRule,
+ uppercaseCharacterRule,
+ numericCharacterRule,
+ specialCharacterRule
+ );
+ PasswordGenerator passwordGenerator = new PasswordGenerator();
+
+ Random random = Randomness.get();
+
+ return passwordGenerator.generatePassword(random.nextInt(8) + 8, rules);
 }
 /**
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
index 707dbe614e..659074f216 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
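Review bot: In `UserService.generatePassword()`, `random.nextInt(8) + 8` yields lengths 8 to 15, so the 16 stated in the Javadoc is never produced, and an 8-character floor is short for a service-account credential that nobody has to type or remember. The length is drawn from `Randomness.get()`, typed here as a plain `java.util.Random`, which as far as I know is not meant for secret material; it is also worth confirming that the no-argument `PasswordGenerator` in the pinned Passay 1.6.3 picks the characters from a `SecureRandom`. I would replace the random length with one fixed constant well above 16, or at the very least use `random.nextInt(9) + 8` so the code matches its comment. The Javadoc should then state the actual length and that the value is a machine-generated secret that must not be logged.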
@@ -29,10 +29,17 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.test.helper.file.FileHelper;
 import org.opensearch.security.test.helper.rest.RestHelper.HttpResponse;
+import org.opensearch.security.user.UserService;
+import org.passay.CharacterCharacteristicsRule;
+import org.passay.CharacterRule;
+import org.passay.EnglishCharacterData;
+import org.passay.LengthRule;
+import org.passay.PasswordData;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.junit.Assert.assertNotEquals;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
 import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.RESTRICTED_FROM_USERNAME;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
@@ -1004,4 +1011,30 @@ public void checkNullElementsInArray() throws Exception {
 Assert.assertEquals(RequestContentValidator.ValidationError.NULL_ARRAY_ELEMENT.message(), settings.get("reason"));
 }
+ @Test
+ public void testGeneratedPasswordContents() {
+ String password = UserService.generatePassword();
+ PasswordData data = new PasswordData(password);
+
+ LengthRule lengthRule = new LengthRule(8, 16);
+
+ CharacterCharacteristicsRule characteristicsRule = new CharacterCharacteristicsRule();
+
+ // Define M (3 in this case)
+ characteristicsRule.setNumberOfCharacteristics(3);
+
+ // Define elements of N (upper, lower, digit, symbol)
+ characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
+ characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
+ characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Digit, 1));
+ characteristicsRule.getRules().add(new CharacterRule(EnglishCharacterData.Special, 1));
+
+ org.passay.PasswordValidator validator = new org.passay.PasswordValidator(lengthRule, characteristicsRule);
+ validator.validate(data);
+
+ String password2 = UserService.generatePassword();
+ PasswordData data2 = new PasswordData(password2);
+ assertNotEquals(password, password2);
+ assertNotEquals(data, data2);
+ }
 }