Download certs from security repo (#650)

* Download certs from security repo

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove unused import

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Fix ci check

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Include setup-java step

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* getParent

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove markAsSystemContext

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Configure basic auth header

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove unused imports

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Update link to security repo

Signed-off-by: Craig Perkins <cwperx@amazon.com>

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>

Author: cwperks

.github/workflows/build.yml

@@ -82,6 +82,12 @@ jobs:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 
     steps:
+      # This step uses the setup-java Github action: https://github.com/actions/setup-java
+      - name: Set Up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v3
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: ${{ matrix.java }}
       - name: Checkout Branch
         uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
@@ -90,9 +96,9 @@ jobs:
       - name: Pull and Run Docker for security tests
         run: |
           plugin=${{ needs.linux-build.outputs.build-test-linux }}
-          version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-3`
-          plugin_version=`echo $plugin|awk -F- '{print $3}'| cut -d. -f 1-4`
-          qualifier=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-1`
+          version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-3`
+          plugin_version=`echo $plugin|awk -F- '{print $4}'| cut -d. -f 1-4`
+          qualifier=`echo $plugin|awk -F- '{print $5}'| cut -d. -f 1-1`
 
           if [ -n "$qualifier" ] && [ "$qualifier" != "SNAPSHOT" ]; then
               qualifier=-${qualifier}

build.gradle

@@ -42,6 +42,7 @@ buildscript {
 //****************************************************************************/
 
 plugins {
+    id "de.undercouch.download" version "5.3.0"
     id 'com.netflix.nebula.ospackage' version "11.10.0"
     id 'checkstyle'
 }
@@ -79,6 +80,20 @@ ext {
     projectSubstitutions = [:]
     licenseFile = rootProject.file('LICENSE.txt')
     noticeFile = rootProject.file('NOTICE.txt')
+
+    ['sample.pem', 'test-kirk.jks'].forEach { file ->
+        File local = getLayout().getBuildDirectory().file(file).get().getAsFile()
+        download.run {
+            src "https://raw.githubusercontent.com/opensearch-project/security/refs/heads/main/bwc-test/src/test/resources/security/" + file
+            dest local
+            overwrite false
+        }
+    }
+
+    processResources {
+        from(getLayout().getBuildDirectory().file('sample.pem').get().getAsFile())
+        from(getLayout().getBuildDirectory().file('test-kirk.jks').get().getAsFile())
+    }
 }
 
 java {

src/main/java/org/opensearch/search/asynchronous/management/AsynchronousSearchManagementService.java

@@ -194,8 +194,6 @@ public void run() {
     public final void performCleanUp() {
         final ThreadContext threadContext = threadPool.getThreadContext();
         try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
-            // we have to execute under the system context so that if security is enabled the sync is authorized
-            threadContext.markAsSystemContext();
             final Map<String, DiscoveryNode> dataNodes = clusterService.state().nodes().getDataNodes();
             List<DiscoveryNode> nodes = Stream.of(dataNodes.values().toArray(new DiscoveryNode[0]))
                     .collect(Collectors.toList());

src/test/java/org/opensearch/search/asynchronous/SecurityEnabledRestTestCase.java

@@ -7,9 +7,6 @@
 
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.client5.http.auth.AuthScope;
-import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
-import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.Timeout;
@@ -36,8 +33,11 @@
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
+import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -95,7 +95,7 @@ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOE
             if (Objects.nonNull(keystore)) {
                 URI uri = null;
                 try {
-                    uri = this.getClass().getClassLoader().getResource("security/sample.pem").toURI();
+                    uri = this.getClass().getClassLoader().getResource("sample.pem").toURI();
                 } catch (URISyntaxException e) {
                     throw new RuntimeException(e);
                 }
@@ -145,23 +145,22 @@ protected void wipeAllOSIndices() throws IOException {
     }
 
     protected static void configureHttpsClient(RestClientBuilder builder, Settings settings) throws IOException {
-        Map<String, String> headers = ThreadContext.buildDefaultHeaders(settings);
+        Map<String, String> headers = new HashMap<>(ThreadContext.buildDefaultHeaders(settings));
+        if (System.getProperty("user") != null && System.getProperty("password") != null) {
+            String userName = System.getProperty("user");
+            String password = System.getProperty("password");
+            headers.put(
+                "Authorization",
+                "Basic " + Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(StandardCharsets.UTF_8))
+            );
+        }
         Header[] defaultHeaders = new Header[headers.size()];
         int i = 0;
         for (Map.Entry<String, String> entry : headers.entrySet()) {
             defaultHeaders[i++] = new BasicHeader(entry.getKey(), entry.getValue());
         }
         builder.setDefaultHeaders(defaultHeaders);
         builder.setHttpClientConfigCallback(httpClientBuilder -> {
-            String userName = Optional
-                    .ofNullable(System.getProperty("user"))
-                    .orElseThrow(() -> new RuntimeException("user name is missing"));
-            String password = Optional
-                    .ofNullable(System.getProperty("password"))
-                    .orElseThrow(() -> new RuntimeException("password is missing"));
-            BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
-            credentialsProvider.setCredentials(new AuthScope(new HttpHost("localhost", 9200)),
-                    new UsernamePasswordCredentials(userName, password.toCharArray()));
             try {
                 final TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create()
                         .setSslContext(SSLContextBuilder.create().loadTrustMaterial(null, (chains, authType) -> true).build())
@@ -172,8 +171,7 @@ protected static void configureHttpsClient(RestClientBuilder builder, Settings s
                         .build();
 
                 return httpClientBuilder
-                        .setConnectionManager(connectionManager)
-                        .setDefaultCredentialsProvider(credentialsProvider);
+                        .setConnectionManager(connectionManager);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }