diff --git a/build.gradle b/build.gradle
index 813abd6f4f..904559cb48 100644
--- a/build.gradle
+++ b/build.gradle
@@ -496,7 +496,7 @@ dependencies {
 implementation "io.jsonwebtoken:jjwt-impl:${jjwt_version}"
 implementation "io.jsonwebtoken:jjwt-jackson:${jjwt_version}"
 // JSON flattener
- implementation ("com.github.wnameless.json:json-base:2.4.0") {
+ implementation ("com.github.wnameless.json:json-base:2.4.1") {
 exclude group: "org.glassfish", module: "jakarta.json"
 exclude group: "com.google.code.gson", module: "gson"
 exclude group: "org.json", module: "json"
@@ -524,7 +524,7 @@ dependencies {
 runtimeOnly 'com.sun.activation:jakarta.activation:1.2.2'
 runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
 runtimeOnly 'commons-codec:commons-codec:1.16.0'
- runtimeOnly 'org.cryptacular:cryptacular:1.2.4'
+ runtimeOnly 'org.cryptacular:cryptacular:1.2.5'
 runtimeOnly 'com.google.errorprone:error_prone_annotations:2.20.0'
 runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
 runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0'
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 1dbc787b74..e46a04f81f 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -212,7 +212,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
 private volatile ConfigurationRepository cr;
 private volatile AdminDNs adminDns;
 private volatile ClusterService cs;
- private static volatile DiscoveryNode localNode;
+ private volatile AtomicReference localNode = new AtomicReference<>();
 private volatile AuditLog auditLog;
 private volatile BackendRegistry backendRegistry;
 private volatile SslExceptionHandler sslExceptionHandler;
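Review bot: In the `@@ -212` hunk the `localNode` holder is declared `volatile` and left non-final, although only the value inside the `AtomicReference` changes (`this.localNode.set(localNode)` in `onNodeStarted`). Making the field final documents that and rules out an accidental reassignment of the holder: `private final AtomicReference<DiscoveryNode> localNode = new AtomicReference<>();`. The page shows the type without a type argument, which may be an extraction artefact; if the source really uses the raw type, the `<DiscoveryNode>` argument should be added.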
@@ -776,7 +776,7 @@ public void sendRequest(
 TransportRequestOptions options,
 TransportResponseHandler handler
 ) {
- si.sendRequestDecorate(sender, connection, action, request, options, handler);
+ si.sendRequestDecorate(sender, connection, action, request, options, handler, localNode.get());
 }
 };
 }
@@ -1806,7 +1806,7 @@ public void onNodeStarted(DiscoveryNode localNode) {
 if (!SSLConfig.isSslOnlyMode() && !client && !disabled) {
 cr.initOnNodeStart();
 }
- this.localNode = localNode;
+ this.localNode.set(localNode);
 final Set securityModules = ReflectionHelper.getModulesLoaded();
 log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules);
 }
@@ -1886,14 +1886,6 @@ private static String handleKeyword(final String field) {
 return field;
 }
- public static DiscoveryNode getLocalNode() {
- return localNode;
- }
-
- public static void setLocalNode(DiscoveryNode node) {
- localNode = node;
- }
-
 public static class GuiceHolder implements LifecycleComponent {
 private static RepositoriesService repositoriesService;
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
index 508c3dd9b4..0966a3f3ac 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
@@ -46,6 +46,7 @@
 import org.apache.lucene.index.SortedNumericDocValues;
 import org.apache.lucene.index.SortedSetDocValues;
 import org.apache.lucene.index.StoredFieldVisitor;
+import org.apache.lucene.index.StoredFields;
 import org.apache.lucene.index.TermState;
 import org.apache.lucene.index.Terms;
 import org.apache.lucene.index.TermsEnum;
@@ -473,6 +474,24 @@ public void close() throws IOException {
 }
 }
+ private class DlsFlsStoredFields extends StoredFields {
+ private final StoredFields in;
+
+ public DlsFlsStoredFields(StoredFields storedFields) {
+ this.in = storedFields;
+ }
+
+ @Override
+ public void document(final int docID, StoredFieldVisitor visitor) throws IOException {
+ visitor = getDlsFlsVisitor(visitor);
+ try {
+ in.document(docID, visitor);
+ } finally {
+ finishVisitor(visitor);
+ }
+ }
+ }
+
 @Override
 protected StoredFieldsReader doGetSequentialStoredFieldsReader(final StoredFieldsReader reader) {
 return new DlsFlsStoredFieldsReader(reader);
@@ -1284,6 +1303,12 @@ public TermState termState() throws IOException {
 }
+ @Override
+ public StoredFields storedFields() throws IOException {
+ ensureOpen();
+ return new DlsFlsStoredFields(in.storedFields());
+ }
+
 private String getRuntimeActionName() {
 return (String) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ACTION_NAME);
 }
diff --git a/src/main/java/org/opensearch/security/support/ConfigHelper.java b/src/main/java/org/opensearch/security/support/ConfigHelper.java
index 92bf069028..434a8a02fa 100644
--- a/src/main/java/org/opensearch/security/support/ConfigHelper.java
+++ b/src/main/java/org/opensearch/security/support/ConfigHelper.java
@@ -141,7 +141,7 @@ public static BytesReference readXContent(final Reader reader, final MediaType m
 BytesReference retVal;
 XContentParser parser = null;
 try {
- parser = XContentFactory.xContent(mediaType).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, reader);
+ parser = mediaType.xContent().createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, reader);
 parser.nextToken();
 final XContentBuilder builder = XContentFactory.jsonBuilder();
 builder.copyCurrentStructure(parser);
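Review bot: `DlsFlsStoredFields.document` in the `@@ -473` hunk appears to be what keeps reads made through `storedFields()` (the override added in the `@@ -1284` hunk) behind the same visitor wrapping as the existing reader path, yet neither the class nor the override says so. A short comment on the class would protect it from a later "simplification", for example `// Every stored-field read must pass through getDlsFlsVisitor(); returning in.storedFields() directly would presumably skip field filtering.`, and a regression test that reads a restricted field through `storedFields()` is worth adding, since no test for this path is visible in the diff. Reassigning the `visitor` parameter also reads more clearly as a separate local, `final StoredFieldVisitor wrapped = getDlsFlsVisitor(visitor);`. `getDlsFlsVisitor` and `finishVisitor` are defined outside the hunk, so what they filter is inferred from their names.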
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
index d2dc85f9d2..7d8a8a7b0b 100644
--- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
+++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
@@ -1202,7 +1202,7 @@ private static BytesReference readXContent(final String content, final MediaType
 BytesReference retVal;
 XContentParser parser = null;
 try {
- parser = XContentFactory.xContent(mediaType).createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, content);
+ parser = mediaType.xContent().createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, content);
 parser.nextToken();
 final XContentBuilder builder = XContentFactory.jsonBuilder();
 builder.copyCurrentStructure(parser);
diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
index 015704e087..5bb4b1d1e3 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
@@ -130,7 +130,8 @@ public void sendRequestDecorate(
 String action,
 TransportRequest request,
 TransportRequestOptions options,
- TransportResponseHandler handler
+ TransportResponseHandler handler,
+ DiscoveryNode localNode
 ) {
 final Map origHeaders0 = getThreadContext().getHeaders();
 final User user0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
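Review bot: The new `localNode` parameter of `sendRequestDecorate` can be null, because the plugin call site passes `localNode.get()` and that reference stays empty until `onNodeStarted` runs, but the signature gives no hint of it. The `@@ -146` hunk copes with `localNode != null && localNode.equals(connection.getNode())`, so a null silently selects the not-same-node branch. A Javadoc line such as `@param localNode this node, or null before the node has started (the request is then handled as remote)` would make that contract explicit for future callers. The method body continues outside both hunks, so what the remote branch does with the user context is not visible here.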
@@ -146,8 +147,7 @@ public void sendRequestDecorate(
 final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS);
 final boolean isDebugEnabled = log.isDebugEnabled();
- final DiscoveryNode localNode = OpenSearchSecurityPlugin.getLocalNode();
- boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode());
+ final boolean isSameNodeRequest = localNode != null && localNode.equals(connection.getNode());
 try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) {
 final TransportResponseHandler restoringHandler = new RestoringTransportResponseHandler(handler, stashedContext);
diff --git a/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java b/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java
index ee98d2a10b..55b8664188 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/validation/RequestContentValidatorTest.java
@@ -24,7 +24,6 @@
 import org.opensearch.common.Strings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentFactory;
-import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.common.bytes.BytesArray;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.ToXContent;
@@ -300,7 +299,7 @@ public Map allowedKeys() {
 }
 private JsonNode xContentToJsonNode(final ToXContent toXContent) throws IOException {
- try (final var xContentBuilder = XContentFactory.contentBuilder(XContentType.JSON)) {
+ try (final var xContentBuilder = XContentFactory.jsonBuilder()) {
 toXContent.toXContent(xContentBuilder, ToXContent.EMPTY_PARAMS);
 return DefaultObjectMapper.readTree(Strings.toString(xContentBuilder));
 }
diff --git a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java
index 90adca6a91..df1495ed10 100644
--- a/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java
+++ b/src/test/java/org/opensearch/security/test/helper/file/FileHelper.java
@@ -110,7 +110,7 @@ public static BytesReference readYamlContent(final String file) {
 XContentParser parser = null;
 try {
- parser = XContentFactory.xContent(XContentType.YAML)
+ parser = XContentType.YAML.xContent()
 .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(loadFile(file)));
 parser.nextToken();
 final XContentBuilder builder = XContentFactory.jsonBuilder();
@@ -133,7 +133,7 @@ public static BytesReference readYamlContentFromString(final String yaml) {
 XContentParser parser = null;
 try {
- parser = XContentFactory.xContent(XContentType.YAML)
+ parser = XContentType.YAML.xContent()
 .createParser(NamedXContentRegistry.EMPTY, THROW_UNSUPPORTED_OPERATION, new StringReader(yaml));
 parser.nextToken();
 final XContentBuilder builder = XContentFactory.jsonBuilder();
diff --git a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
index 7291050d6e..6c16e0cdbd 100644
--- a/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
+++ b/src/test/java/org/opensearch/security/transport/SecurityInterceptorTests.java
@@ -147,11 +147,8 @@ public void testSendRequestDecorate() {
 DiscoveryNode otherNode = new DiscoveryNode("local-node", OpenSearchTestCase.buildNewFakeTransportAddress(), Version.CURRENT);
 Connection connection2 = transportService.getConnection(otherNode);
- // setting localNode value explicitly
- OpenSearchSecurityPlugin.setLocalNode(localNode);
-
 // isSameNodeRequest = true
- securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler);
+ securityInterceptor.sendRequestDecorate(sender, connection1, action, request, options, handler, localNode);
 // from thread context inside sendRequestDecorate
 doAnswer(i -> {
 User transientUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
@@ -165,7 +162,7 @@ public void testSendRequestDecorate() {
 assertEquals(threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER), null);
 // isSameNodeRequest = false
- securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler);
+ securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler, otherNode);
 // checking thread context inside sendRequestDecorate
 doAnswer(i -> {
 String serializedUserHeader = threadPool.getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
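Review bot: The second call in the `@@ -165` hunk passes `otherNode` as the local node while `connection2` was obtained from `otherNode` in the first hunk's context, so `localNode.equals(connection.getNode())` is likely true and the call exercises the same-node branch, not the remote one the `// isSameNodeRequest = false` comment announces. Before this change the static local node stayed `localNode` for both calls, so the remote case was covered; to keep that coverage the call should read `securityInterceptor.sendRequestDecorate(sender, connection2, action, request, options, handler, localNode);`. This assumes `connection2.getNode()` returns `otherNode`, which the hunk does not show. The remote branch is the one that serializes the user header, so it is the one most worth keeping under test.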