[DRAFT] Add a base setup for resource access evaluation and adds a sample plugin

.github/workflows/ci.yml

@@ -81,7 +81,7 @@ jobs:
         working-directory: downloaded-artifacts
 
       - name: Upload Coverage with retry
-        uses: Wandalen/[email protected].2
+        uses: Wandalen/[email protected].3
         with:
           attempt_limit: 5
           attempt_delay: 2000

.gitignore

@@ -43,7 +43,3 @@ out/
 build/
 gradle-build/
 .gradle/
-
-# nodejs
-node_modules/
-package-lock.json

build.gradle

@@ -489,16 +489,16 @@ configurations {
             force "org.apache.commons:commons-lang3:${versions.commonslang}"
 
             // for spotless transitive dependency CVE
-            force "org.eclipse.platform:org.eclipse.core.runtime:3.31.100"
-            force "org.eclipse.platform:org.eclipse.equinox.common:3.19.100"
+            force "org.eclipse.platform:org.eclipse.core.runtime:3.32.0"
+            force "org.eclipse.platform:org.eclipse.equinox.common:3.19.200"
 
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.35.1"
-            force "org.checkerframework:checker-qual:3.48.2"
+            force "com.google.errorprone:error_prone_annotations:2.36.0"
+            force "org.checkerframework:checker-qual:3.48.3"
             force "ch.qos.logback:logback-classic:1.5.12"
-            force "commons-io:commons-io:2.17.0"
+            force "commons-io:commons-io:2.18.0"
         }
     }
 
@@ -611,7 +611,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.17.1'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.35.1'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.36.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
     runtimeOnly 'org.ow2.asm:asm:9.7.1'
@@ -620,7 +620,7 @@ dependencies {
 
     //OpenSAML
     implementation 'net.shibboleth.utilities:java-support:8.4.2'
-    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.28"
+    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.29"
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
     implementation "org.opensaml:opensaml-core:${open_saml_version}"
@@ -641,7 +641,7 @@ dependencies {
     implementation "com.nulab-inc:zxcvbn:1.9.0"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.2'
-    runtimeOnly 'org.apache.commons:commons-text:1.12.0'
+    runtimeOnly 'org.apache.commons:commons-text:1.13.0'
     runtimeOnly "org.glassfish.jaxb:jaxb-runtime:${jaxb_version}"
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
@@ -655,7 +655,7 @@ dependencies {
     runtimeOnly 'org.apache.ws.xmlschema:xmlschema-core:2.3.1'
     runtimeOnly 'org.apache.santuario:xmlsec:2.3.4'
     runtimeOnly "com.github.luben:zstd-jni:${versions.zstd}"
-    runtimeOnly 'org.checkerframework:checker-qual:3.48.2'
+    runtimeOnly 'org.checkerframework:checker-qual:3.48.3'
     runtimeOnly "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
     runtimeOnly 'org.scala-lang.modules:scala-java8-compat_3:1.0.2'
 
@@ -686,7 +686,7 @@ dependencies {
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}:test"
     testImplementation "org.apache.kafka:kafka-clients:${kafka_version}:test"
     testImplementation 'commons-validator:commons-validator:1.9.0'
-    testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.13'
+    testImplementation 'org.springframework.kafka:spring-kafka-test:3.3.0'
     testImplementation "org.springframework:spring-beans:${spring_version}"
     testImplementation 'org.junit.jupiter:junit-jupiter:5.11.3'
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.3'
@@ -724,13 +724,13 @@ dependencies {
     compileOnly "org.opensearch:opensearch:${opensearch_version}"
 
     //integration test framework:
-    integrationTestImplementation('com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.8.1') {
+    integrationTestImplementation('com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.8.2') {
         exclude(group: 'junit', module: 'junit')
     }
     integrationTestImplementation 'junit:junit:4.13.2'
     integrationTestImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
     integrationTestImplementation "org.opensearch.plugin:percolator-client:${opensearch_version}"
-    integrationTestImplementation 'commons-io:commons-io:2.17.0'
+    integrationTestImplementation 'commons-io:commons-io:2.18.0'
     integrationTestImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
     integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
@@ -749,7 +749,7 @@ dependencies {
     integrationTestImplementation "org.mockito:mockito-core:5.14.2"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.24.0') {
+    implementation('com.google.googlejavaformat:google-java-format:1.25.2') {
         exclude group: 'com.google.guava'
     }
 }

gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

release-notes/opensearch-security.release-notes-1.3.20.0.md

@@ -0,0 +1,8 @@
+## Version 1.3.20.0
+
+Compatible with OpenSearch 1.3.20
+
+### Maintenance
+
+* Update commons-io to 2.18.0 ([#4944](https://github.com/opensearch-project/security/pull/4944))
+* Bump spring-framework dependency to 2.9.13 ([#4947](https://github.com/opensearch-project/security/pull/4947))

src/integrationTest/java/org/opensearch/security/ThreadPoolTests.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.security.http.ExampleSystemIndexPlugin;
+import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.not;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
+import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
+import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class ThreadPoolTests {
+
+    public static final AuthcDomain AUTHC_DOMAIN = new AuthcDomain("basic", 0).httpAuthenticatorWithChallenge("basic").backend("internal");
+
+    @ClassRule
+    public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .anonymousAuth(false)
+        .authc(AUTHC_DOMAIN)
+        .users(USER_ADMIN)
+        .plugin(ExampleSystemIndexPlugin.class)
+        .nodeSettings(Map.of(SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_" + USER_ADMIN.getName() + "__" + ALL_ACCESS.getName())))
+        .build();
+
+    @Test
+    public void testEnsureNoThreadLeftRunningInGenericThreadPool() throws IOException, InterruptedException {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            client.put("test-index");
+
+            XContentBuilder builder = XContentFactory.jsonBuilder();
+            builder.startObject();
+            builder.field("field1", "foo");
+            builder.endObject();
+
+            HttpResponse indexDocResponse = client.putJson("test-index/_doc/1", builder.toString());
+
+            assertThat(indexDocResponse.getStatusCode(), equalTo(RestStatus.CREATED.getStatus()));
+
+            XContentBuilder updateBuilder = XContentFactory.jsonBuilder();
+            updateBuilder.startObject();
+            updateBuilder.startObject("doc");
+            updateBuilder.field("field1", "bar");
+            updateBuilder.endObject();
+            updateBuilder.endObject();
+
+            HttpResponse updateDocResponse = client.postJson("test-index/_update/1", updateBuilder.toString());
+
+            assertThat(updateDocResponse.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+
+            client.delete("test-index");
+
+            Thread.sleep(2000);
+
+            HttpResponse hotThreadsResponse = client.get("_nodes/hot_threads");
+
+            assertThat(hotThreadsResponse.getBody(), not(containsString("ClusterStateMetadataDependentPrivileges")));
+        }
+    }
+}

src/main/java/org/opensearch/security/DefaultObjectMapper.java

@@ -287,12 +287,26 @@ public static TypeFactory getTypeFactory() {
         return objectMapper.getTypeFactory();
     }
 
+    @SuppressWarnings("removal")
     public static Set<String> getFields(Class<?> cls) {
-        return objectMapper.getSerializationConfig()
-            .introspect(getTypeFactory().constructType(cls))
-            .findProperties()
-            .stream()
-            .map(BeanPropertyDefinition::getName)
-            .collect(ImmutableSet.toImmutableSet());
+        final SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+
+        try {
+            return AccessController.doPrivileged(
+                (PrivilegedExceptionAction<Set<String>>) () -> objectMapper.getSerializationConfig()
+                    .introspect(getTypeFactory().constructType(cls))
+                    .findProperties()
+                    .stream()
+                    .map(BeanPropertyDefinition::getName)
+                    .collect(ImmutableSet.toImmutableSet())
+            );
+        } catch (final PrivilegedActionException e) {
+            throw (RuntimeException) e.getCause();
+        }
+
     }
 }