diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example index 3b4df645de..78f020780f 100644 --- a/config/opensearch.yml.example +++ b/config/opensearch.yml.example @@ -18,7 +18,7 @@ plugins.security.nodes_dn: # The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to # manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured -# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs +# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_security/api/nodesdn APIs # which provide means to update/retrieve nodesdn dynamically. # # NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored diff --git a/src/integrationTest/java/org/opensearch/security/TlsTests.java b/src/integrationTest/java/org/opensearch/security/TlsTests.java index 515d448728..51a58b278d 100644 --- a/src/integrationTest/java/org/opensearch/security/TlsTests.java +++ b/src/integrationTest/java/org/opensearch/security/TlsTests.java @@ -53,7 +53,7 @@ public class TlsTests { public static final String SUPPORTED_CIPHER_SUIT = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; public static final String NOT_SUPPORTED_CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"; - public static final String AUTH_INFO_ENDPOINT = "/_opendistro/_security/authinfo?pretty"; + public static final String AUTH_INFO_ENDPOINT = "/_security/authinfo?pretty"; @ClassRule public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS) diff --git a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java index a69ca83378..caa59145de 100644 
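Review bot: `AUTH_INFO_ENDPOINT` in TlsTests is now `/_security/authinfo?pretty`, but the only prefix this commit keeps is `PLUGINS_PREFIX = "_plugins/_security"`, and SecurityInfoAction registers `/authinfo` under `PLUGIN_ROUTE_PREFIX`. Unless a `/_security` route is registered outside this diff, the request will not reach the handler the test is meant to exercise. Use the surviving prefix instead, e.g. `public static final String AUTH_INFO_ENDPOINT = "/_plugins/_security/authinfo?pretty";`, or build it from `PLUGINS_PREFIX`. The same literal appears in both `TestRestClient.getAuthInfo` overloads, the audit assertion in JwtAuthenticationWithUrlParamTests and the `rh.executeGetRequest(...)` calls under src/test. The rewritten Javadoc and config comments also now name `/_security/api/...` paths that do not appear to match `PLUGIN_API_ROUTE_PREFIX`.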
--- a/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java +++ b/src/integrationTest/java/org/opensearch/security/api/AbstractApiIntegrationTest.java @@ -55,7 +55,6 @@ import static org.hamcrest.Matchers.equalToIgnoringCase; import static org.hamcrest.Matchers.notNullValue; import static org.opensearch.security.CrossClusterSearchTests.PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS; @@ -270,7 +269,7 @@ protected void withUser( } protected String apiPathPrefix() { - return randomFrom(List.of(LEGACY_OPENDISTRO_PREFIX, PLUGINS_PREFIX)); + return PLUGINS_PREFIX; } protected String securityPath(String... path) { diff --git a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java index 635d9ecff4..04488b7a01 100644 --- a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java +++ b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoTest.java @@ -11,8 +11,6 @@ package org.opensearch.security.api; -import java.util.List; - import org.junit.Test; import org.opensearch.test.framework.TestSecurityConfig; 
@@ -20,7 +18,6 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_MESSAGE; import static org.opensearch.security.rest.DashboardsInfoAction.DEFAULT_PASSWORD_REGEX; @@ -36,7 +33,7 @@ public class DashboardsInfoTest extends AbstractApiIntegrationTest { } private String apiPath() { - return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo")); + return PLUGINS_PREFIX + "/dashboardsinfo"; } @Test diff --git a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java index af8eeb2c8a..ba473c2994 100644 --- a/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java +++ b/src/integrationTest/java/org/opensearch/security/api/DashboardsInfoWithSettingsTest.java @@ -11,7 +11,6 @@ package org.opensearch.security.api; -import java.util.List; import java.util.Map; import org.junit.Test; @@ -22,7 +21,6 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public class DashboardsInfoWithSettingsTest extends AbstractApiIntegrationTest { @@ -49,7 +47,7 @@ protected Map getClusterSettings() { } private String apiPath() { - return randomFrom(List.of(PLUGINS_PREFIX + "/dashboardsinfo", LEGACY_OPENDISTRO_PREFIX + "/kibanainfo")); + return PLUGINS_PREFIX + "/dashboardsinfo"; } @Test 
diff --git a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java index 43a342dcfd..7b7c138dd5 100644 --- a/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java +++ b/src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java @@ -112,7 +112,7 @@ public void shouldAuthenticateWithJwtTokenInUrl_positive() { Map expectedParams = Map.of("token", "REDACTED", "verbose", "true"); auditLogsRule.assertExactlyOne( - userAuthenticated(ADMIN_USER).withRestRequest(GET, "/_opendistro/_security/authinfo").withRestParams(expectedParams) + userAuthenticated(ADMIN_USER).withRestRequest(GET, "/_security/authinfo").withRestParams(expectedParams) ); } } diff --git a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java index f560ef713f..a62331cd63 100644 --- a/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java +++ b/src/integrationTest/java/org/opensearch/test/framework/cluster/TestRestClient.java @@ -117,7 +117,7 @@ public HttpResponse getWithoutLeadingSlash(String path, Header... headers) { } public HttpResponse getAuthInfo(Header... headers) { - return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo?pretty"), headers); + return executeRequest(new HttpGet(getHttpServerUri() + "/_security/authinfo?pretty"), headers); } public HttpResponse securityHealth(Header... headers) { 
@@ -127,7 +127,7 @@ public HttpResponse securityHealth(Header... headers) { public HttpResponse getAuthInfo(Map urlParams, Header... headers) { String urlParamsString = "?" + urlParams.entrySet().stream().map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&")); - return executeRequest(new HttpGet(getHttpServerUri() + "/_opendistro/_security/authinfo" + urlParamsString), headers); + return executeRequest(new HttpGet(getHttpServerUri() + "/_security/authinfo" + urlParamsString), headers); } public void confirmCorrectCredentials(String expectedUserName) { diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java index 6abe934925..30bc679874 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java @@ -139,7 +139,7 @@ private AuthTokenProcessorAction.Response handleImpl( String acsEndpoint, Saml2Settings saml2Settings, String requestPath // the parameter will be removed in the future as soon as we will read of legacy paths aka - // /_opendistro/_security/... + // /_security/... ) { if (token_log.isDebugEnabled()) { try { diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java index c0b9b5b1a9..f49a315cfe 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java @@ -73,7 +73,6 @@ import org.w3c.dom.Element; import org.xml.sax.SAXException; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable { 
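Review bot: The comment on the `requestPath` parameter of `handleImpl` now reads "legacy paths aka /_security/...", which labels the rewritten path as the legacy one and no longer says which paths the parameter was kept for. Since this commit removes the legacy prefix everywhere else, either remove the parameter as the comment promised or reword it, for example `// TODO: remove requestPath now that the legacy /_opendistro/_security/... paths are no longer served`. The signature starts above the hunk and the body continues below it, so whether `requestPath` is still read is not visible here.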
@@ -85,7 +84,7 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable { public static final String API_AUTHTOKEN_SUFFIX = "api/authtoken"; private static final String AUTHINFO_SUFFIX = "authinfo"; - private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)"; + private static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)"; private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX); private static boolean openSamlInitialized = false; diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java index 39496205d4..ba4286e5dc 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java @@ -221,9 +221,9 @@ private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescr private String buildAssertionConsumerEndpoint(String dashboardsRoot) { if (dashboardsRoot.endsWith("/")) { - return dashboardsRoot + "_opendistro/_security/saml/acs"; + return dashboardsRoot + "_security/saml/acs"; } else { - return dashboardsRoot + "/_opendistro/_security/saml/acs"; + return dashboardsRoot + "_security/saml/acs"; } } diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 13d0f79330..5424380e5e 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
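Review bot: `REGEX_PATH_PREFIX` is now the identical single-prefix expression in HTTPSamlAuthenticator, SecurityRestFilter and OnBehalfOfAuthenticator, and each copy presumably decides which request paths are treated as plugin endpoints. SecurityRestFilter already exposes `PATTERN_PATH_PREFIX` as public, so the two private copies could reference it and the three could not drift apart on a later prefix change. If the copies stay, a comment such as `// group(1) = plugin prefix, group(2) = path suffix; both groups are kept because callers index them` would explain the one-alternative group. How the groups are consumed is outside the hunk, so confirm before simplifying the expression.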
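Review bot: In `buildAssertionConsumerEndpoint` the `else` branch lost its leading slash, so both branches now append `_security/saml/acs` and a `dashboardsRoot` without a trailing `/` yields a URL like `https://dashboards.example_security/saml/acs` (constructed example). The else branch should read `return dashboardsRoot + "/_security/saml/acs";`. The assertion consumer URL is normally what the SAML response destination is checked against, so a malformed value would most likely break every SAML login rather than fail open, and a unit test covering both root forms would catch it. Separately, this path appears to be served by Dashboards rather than by this plugin's REST routes, so confirm that Dashboards exposes the renamed endpoint before changing the default.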
@@ -246,7 +246,6 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace"); private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(OpenSearchSecurityPlugin.class); - public static final String LEGACY_OPENDISTRO_PREFIX = "_opendistro/_security"; public static final String PLUGINS_PREFIX = "_plugins/_security"; private boolean sslCertReloadEnabled; diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index 81695b702b..30a0b7a49e 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java @@ -56,7 +56,6 @@ import org.joda.time.format.DateTimeFormat; import org.joda.time.format.DateTimeFormatter; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public final class AuditMessage { @@ -68,9 +67,7 @@ public final class AuditMessage { private static final String SENSITIVE_KEY = "password"; private static final String SENSITIVE_REPLACEMENT_VALUE = "__SENSITIVE__"; - private static final Pattern SENSITIVE_PATHS = Pattern.compile( - "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/api/(account.*|internalusers.*|user.*)" - ); + private static final Pattern SENSITIVE_PATHS = Pattern.compile("/(" + PLUGINS_PREFIX + ")/api/(account.*|internalusers.*|user.*)"); @VisibleForTesting public static final String BCRYPT_REGEX = "\\$2[ayb]\\$.{56}"; diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java index ad9aa656da..2bf9fb21d4 100644 
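Review bot: `SENSITIVE_PATHS` in AuditMessage now matches only `/_plugins/_security/api/(account|internalusers|user)...`, so a request body sent to the removed `/_opendistro/_security/api/...` paths is no longer classified as sensitive. If an audit event can still be written for such a request (for example from a client that has not migrated and is rejected), its `password` field would not be replaced with `__SENSITIVE__`. Where the pattern is applied is outside this hunk, so this needs confirming. A test that sends a password body to the legacy path and asserts that the audit log holds no plaintext would settle it. Alternatively, keep the legacy alternative in this one pattern purely for masking, with a comment like `// legacy prefix kept for redaction only; the routes themselves are gone`.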
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java @@ -47,7 +47,7 @@ /** * Rest API action to fetch or update account details of the signed-in user. - * Currently this action serves GET and PUT request for /_opendistro/_security/api/account endpoint + * Currently this action serves GET and PUT request for /_security/api/account endpoint */ public class AccountApiAction extends AbstractApiAction { diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java index a5bf9c6b9b..ac1db80416 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AuditApiAction.java @@ -46,7 +46,7 @@ /** * Rest handler for fetching and updating audit configuration. * Supported REST endpoints - * GET _opendistro/_security/api/audit/ + * GET _security/api/audit/ * { * "config" : { * "audit" : { @@ -83,7 +83,7 @@ * } * } * - * PUT _opendistro/_security/api/audit/config + * PUT _security/api/audit/config * { * "audit":{ * "enable_rest":true, @@ -116,7 +116,7 @@ * } * } * - * PATCH _opendistro/_security/api/audit + * PATCH _security/api/audit * [{"op": "replace", "path": "/config/audit/enable_rest", "value": "true"}] * [{"op": "replace", "path": "/config/compliance/internal_config", "value": "true"}] */ diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java index fd71312910..732e731bde 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java @@ -36,23 +36,23 @@ * SuperAdmin certificate for the default superuser is stored as a kirk.pem file in config folder of OpenSearch *

* Example calling the PUT API as SuperAdmin using curl (if http basic auth is on): - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’ * { * "enabled" : false, - * "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]} + * "requests" : {"/_cat/nodes": ["GET"], "/_security/api/whitelist": ["GET"]} * } * * Example using the PATCH API to change the requests as SuperAdmin: - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’ * { * "op":"replace", * "path":"/config/requests", - * "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]} + * "value": {"/_cat/nodes": ["GET"], "/_security/api/whitelist": ["GET"]} * } * * To update enabled, use the "add" operation instead of the "replace" operation, since boolean variables are not recognized as valid paths when they are false. 
* eg: - * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’ + * curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_security/api/whitelist -H "Content-Type: application/json" -d’ * { * "op":"add", * "path":"/config/enabled", diff --git a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java index 2e900169db..2f752c3751 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java +++ b/src/main/java/org/opensearch/security/dlic/rest/support/Utils.java @@ -51,19 +51,14 @@ import org.opensearch.security.user.User; import static org.opensearch.core.xcontent.DeprecationHandler.THROW_UNSUPPORTED_OPERATION; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public class Utils { public final static String PLUGIN_ROUTE_PREFIX = "/" + PLUGINS_PREFIX; - public final static String LEGACY_PLUGIN_ROUTE_PREFIX = "/" + LEGACY_OPENDISTRO_PREFIX; - public final static String PLUGIN_API_ROUTE_PREFIX = PLUGIN_ROUTE_PREFIX + "/api"; - public final static String LEGACY_PLUGIN_API_ROUTE_PREFIX = LEGACY_PLUGIN_ROUTE_PREFIX + "/api"; - private static final ObjectMapper internalMapper = new ObjectMapper(); public static Map convertJsonToxToStructuredMap(ToXContent jsonContent) { 
@@ -204,7 +199,7 @@ public static Set generateFieldResourcePaths(final Set fields, f *Total number of routes is expanded as twice as the number of routes passed in */ public static List addRoutesPrefix(List routes) { - return addRoutesPrefix(routes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX); + return addRoutesPrefix(routes, PLUGIN_API_ROUTE_PREFIX); } /** @@ -235,7 +230,7 @@ public static List addRoutesPrefix(List routes, final String... pr *Total number of routes is expanded as twice as the number of routes passed in */ public static List addDeprecatedRoutesPrefix(List deprecatedRoutes) { - return addDeprecatedRoutesPrefix(deprecatedRoutes, LEGACY_PLUGIN_API_ROUTE_PREFIX, PLUGIN_API_ROUTE_PREFIX); + return addDeprecatedRoutesPrefix(deprecatedRoutes, PLUGIN_API_ROUTE_PREFIX); } /** diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java index 12dd68d1f8..f7f7a662ed 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java @@ -70,7 +70,6 @@ import org.greenrobot.eventbus.Subscribe; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; public class SecurityRestFilter { @@ -91,7 +90,7 @@ public class SecurityRestFilter { public static final String HEALTH_SUFFIX = "health"; public static final String WHO_AM_I_SUFFIX = "whoami"; - public static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)"; + public static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)"; public static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX); public SecurityRestFilter( 
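Review bot: The Javadoc above `addRoutesPrefix(List)` still says "Total number of routes is expanded as twice as the number of routes passed in", which is no longer true now that only `PLUGIN_API_ROUTE_PREFIX` is passed. The same stale sentence sits above `addDeprecatedRoutesPrefix(List)` in the next hunk. Suggested wording for both: `* Returns one route per input route, each prefixed with PLUGIN_API_ROUTE_PREFIX.` Both comment blocks start above their hunks, so any other mention of the legacy prefix in them is not visible here.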
@@ -202,7 +201,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c * If allowlisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are allowlisted in {@link #requests} * For example: if allowlisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin * can only access "/_cat/nodes" - * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_opendistro/_security/api/whitelist is only accessible by SuperAdmin. + * Further note: Some APIs are only accessible by SuperAdmin, regardless of allowlisting. For example: /_security/api/whitelist is only accessible by SuperAdmin. * See {@link AllowlistApiAction} for the implementation of this API. * SuperAdmin is identified by credentials, which can be passed in the curl request. */ diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java index 111eff7a33..e796b0d282 100644 --- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java 
@@ -46,14 +46,13 @@ import io.jsonwebtoken.JwtParserBuilder; import io.jsonwebtoken.security.WeakKeyException; -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX; import static org.opensearch.security.util.AuthTokenUtils.isAccessToRestrictedEndpoints; public class OnBehalfOfAuthenticator implements HTTPAuthenticator { private static final int MINIMUM_SIGNING_KEY_BIT_LENGTH = 512; - private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)"; + private static final String REGEX_PATH_PREFIX = "/(" + PLUGINS_PREFIX + ")/" + "(.*)"; private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX); protected final Logger log = LogManager.getLogger(this.getClass()); diff --git a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java index 3401ac71e8..30b3583858 100644 --- a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java +++ b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java @@ -50,7 +50,6 @@ import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.POST; -import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; 
@@ -60,9 +59,6 @@ public class DashboardsInfoAction extends BaseRestHandler { .addAll( addRoutesPrefix(ImmutableList.of(new Route(GET, "/dashboardsinfo"), new Route(POST, "/dashboardsinfo")), PLUGIN_ROUTE_PREFIX) ) - .addAll( - addRoutesPrefix(ImmutableList.of(new Route(GET, "/kibanainfo"), new Route(POST, "/kibanainfo")), LEGACY_PLUGIN_ROUTE_PREFIX) - ) .build(); private final Logger log = LogManager.getLogger(this.getClass()); diff --git a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java index 3c57773417..4797978477 100644 --- a/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityHealthAction.java @@ -44,14 +44,12 @@ import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.POST; -import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; public class SecurityHealthAction extends BaseRestHandler { private static final List routes = addRoutesPrefix( ImmutableList.of(new Route(GET, "/health"), new Route(POST, "/health")), - LEGACY_PLUGIN_ROUTE_PREFIX, PLUGIN_ROUTE_PREFIX ); diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java index 64075d5d0e..8a39fa0adf 100644 --- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java 
@@ -57,14 +57,12 @@ import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.POST; -import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; public class SecurityInfoAction extends BaseRestHandler { private static final List routes = addRoutesPrefix( ImmutableList.of(new Route(GET, "/authinfo"), new Route(POST, "/authinfo")), - LEGACY_PLUGIN_ROUTE_PREFIX, PLUGIN_ROUTE_PREFIX ); diff --git a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java index d7b3ef3d1f..14070a9ef4 100644 --- a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java +++ b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java @@ -61,14 +61,12 @@ import static org.opensearch.rest.RestRequest.Method.GET; import static org.opensearch.rest.RestRequest.Method.POST; -import static org.opensearch.security.dlic.rest.support.Utils.LEGACY_PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.PLUGIN_ROUTE_PREFIX; import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix; public class TenantInfoAction extends BaseRestHandler { private static final List routes = addRoutesPrefix( ImmutableList.of(new Route(GET, "/tenantinfo"), new Route(POST, "/tenantinfo")), - LEGACY_PLUGIN_ROUTE_PREFIX, PLUGIN_ROUTE_PREFIX ); diff --git a/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java index 2a25ad8795..9ab68456a1 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java 
@@ -106,8 +106,8 @@ private boolean requestIsAllowlisted(final SecurityRequest request) { * For SuperAdmin this function is bypassed. * In a future version, should add a regex check to improve the functionality. * Currently, each individual PUT/PATCH request needs to be allowlisted separately for the specific resource to be changed/added. - * This should be improved so that, for example if PUT /_opendistro/_security/api/rolesmapping is allowlisted, - * then all PUT /_opendistro/_security/api/rolesmapping/{resource_name} work. + * This should be improved so that, for example if PUT /_security/api/rolesmapping is allowlisted, + * then all PUT /_security/api/rolesmapping/{resource_name} work. * Currently, each resource_name has to be allowlisted separately */ public Optional checkRequestIsAllowed(final SecurityRequest request) { diff --git a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java b/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java index 4cc16a7f00..dffbaa9c86 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java 
@@ -103,8 +103,8 @@ private boolean requestIsWhitelisted(final SecurityRequest request) { * For SuperAdmin this function is bypassed. * In a future version, should add a regex check to improve the functionality. * Currently, each individual PUT/PATCH request needs to be whitelisted separately for the specific resource to be changed/added. - * This should be improved so that, for example if PUT /_opendistro/_security/api/rolesmapping is whitelisted, - * then all PUT /_opendistro/_security/api/rolesmapping/{resource_name} work. + * This should be improved so that, for example if PUT /_security/api/rolesmapping is whitelisted, + * then all PUT /_security/api/rolesmapping/{resource_name} work. * Currently, each resource_name has to be whitelisted separately */ @Override diff --git a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java index 203a0c7965..7cff23809b 100644 --- a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java +++ b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java @@ -49,7 +49,7 @@ import io.netty.handler.ssl.OpenSsl; public class SecuritySSLInfoAction extends BaseRestHandler { - private static final List routes = Collections.singletonList(new Route(Method.GET, "/_opendistro/_security/sslinfo")); + private static final List routes = Collections.singletonList(new Route(Method.GET, "/_security/sslinfo")); private final Logger log = LogManager.getLogger(this.getClass()); private final SslSettingsManager sslSettingsManager; diff --git a/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java index e7889aa825..e3eb5d2a6a 100644 --- a/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java +++ b/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java 
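Review bot: In SecuritySSLInfoAction the `sslinfo` route is registered as the literal `/_security/sslinfo`, which is not under `PLUGINS_PREFIX` (`_plugins/_security`) and so will not match `PATTERN_PATH_PREFIX` in SecurityRestFilter, HTTPSamlAuthenticator or OnBehalfOfAuthenticator after this commit. Any handling keyed on that pattern would therefore not recognise this endpoint, and clients of the old path get no replacement under the prefix the other endpoints use. If the intent is to keep it alongside them, `new Route(Method.GET, "/_plugins/_security/sslinfo")` is consistent with the remaining constant. If the top-level path is deliberate, say so in a comment and add a test for how the filter treats it.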
@@ -933,7 +933,7 @@ private RestRequest buildTokenExchangeRestRequest( + "\" }"; } - return new FakeRestRequest.Builder().withPath("/_opendistro/_security/api/authtoken") + return new FakeRestRequest.Builder().withPath("/_security/api/authtoken") .withMethod(Method.POST) .withContent(new BytesArray(authtokenPostJson)) .withHeaders(ImmutableMap.of("Content-Type", "application/json")) diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java index 863db60e82..56d77e806d 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java +++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java @@ -84,7 +84,7 @@ public void testAttributesWithImpersonation() throws Exception { HttpStatus.SC_OK, is( (res = rh.executeGetRequest( - "_opendistro/_security/authinfo", + "_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "jacksonm"), encodeBasicHeader("spock", "spocksecret") )).getStatusCode() diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java index 4eaa78392f..fed534fae8 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java +++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java @@ -84,7 +84,7 @@ public void testAttributesWithImpersonation() throws Exception { HttpStatus.SC_OK, is( (res = rh.executeGetRequest( - "_opendistro/_security/authinfo", + "_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "jacksonm"), encodeBasicHeader("spock", "spocksecret") )).getStatusCode() diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java index 6eeed4ef02..64d7003f47 100644 --- a/src/test/java/org/opensearch/security/IntegrationTests.java +++ b/src/test/java/org/opensearch/security/IntegrationTests.java 
@@ -272,14 +272,14 @@ public void testRestImpersonation() throws Exception { HttpResponse resp; resp = rh.executeGetRequest( - "/_opendistro/_security/authinfo", + "/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "knuddel"), encodeBasicHeader("worf", "worf") ); assertThat(resp.getStatusCode(), is(HttpStatus.SC_FORBIDDEN)); resp = rh.executeGetRequest( - "/_opendistro/_security/authinfo", + "/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "knuddel"), encodeBasicHeader("spock", "spock") ); @@ -288,14 +288,14 @@ public void testRestImpersonation() throws Exception { Assert.assertFalse(resp.getBody().contains("spock")); resp = rh.executeGetRequest( - "/_opendistro/_security/authinfo", + "/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "userwhonotexists"), encodeBasicHeader("spock", "spock") ); assertThat(resp.getStatusCode(), is(HttpStatus.SC_FORBIDDEN)); resp = rh.executeGetRequest( - "/_opendistro/_security/authinfo", + "/_security/authinfo", new BasicHeader("opendistro_security_impersonate_as", "invalid"), encodeBasicHeader("spock", "spock") ); diff --git a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java index 90af959830..83381c0d8f 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminInvalidConfigsTests.java 
@@ -74,10 +74,10 @@ public void testSecurityAdminDuplicateKey() throws Exception { RestHelper rh = restHelper(); - assertThat((rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertThat( HttpStatus.SC_OK, - is(rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()) + is(rh.executeGetRequest("_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()) ); assertThat(HttpStatus.SC_OK, is(rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode())); } @@ -105,10 +105,10 @@ public void testSecurityAdminDuplicateKeyReload() throws Exception { RestHelper rh = restHelper(); - assertThat((rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertThat( HttpStatus.SC_OK, - is(rh.executeGetRequest("_opendistro/_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()) + is(rh.executeGetRequest("_security/authinfo?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode()) ); assertThat(HttpStatus.SC_OK, is(rh.executeGetRequest("*/_search?pretty", encodeBasicHeader("nagilum", "nagilum")).getStatusCode())); } diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java index 45c5c0e2a1..2a4b68c934 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java 
@@ -78,7 +78,7 @@ public void testSecurityAdmin() throws Exception { RestHelper rh = restHelper(); - assertThat((rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); } @Test @@ -274,7 +274,7 @@ public void testSecurityAdminRegularUpdate() throws Exception { RestHelper rh = restHelper(); HttpResponse res; - assertThat((res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((res = rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertContains(res, "*UP*"); assertContains(res, "*strict*"); assertNotContains(res, "*DOWN*"); @@ -360,7 +360,7 @@ public void testSecurityAdminSingularV7Updates() throws Exception { RestHelper rh = restHelper(); HttpResponse res; - assertThat((res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((res = rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertContains(res, "*UP*"); assertContains(res, "*strict*"); assertNotContains(res, "*DOWN*"); @@ -406,7 +406,7 @@ public void testSecurityAdminInvalidYml() throws Exception { RestHelper rh = restHelper(); HttpResponse res; - assertThat((res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((res = rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertContains(res, "*UP*"); assertContains(res, "*strict*"); assertNotContains(res, "*DOWN*"); 
@@ -454,7 +454,7 @@ public void testSecurityAdminReloadInvalidConfig() throws Exception { HttpResponse res; - assertThat((res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); + assertThat((res = rh.executeGetRequest("_security/health?pretty")).getStatusCode(), is(HttpStatus.SC_OK)); assertContains(res, "*UP*"); assertContains(res, "*strict*"); assertNotContains(res, "*DOWN*"); diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java index e07ff5e113..c31196d7de 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java @@ -222,15 +222,15 @@ public void testBCryptHashRedaction() throws Exception { rh.keystore = "kirk-keystore.jks"; // read internal users and verify no BCrypt hash is present in audit logs - final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers"); - }); + final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage( + () -> { rh.executeGetRequest("/_security/api/internalusers"); } + ); Assert.assertFalse(AuditMessage.HASH_REGEX_PATTERN.matcher(message1.toString()).matches()); // read internal user worf and verify no BCrypt hash is present in audit logs final AuditMessage message2 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers/worf"); + rh.executeGetRequest("/_security/api/internalusers/worf"); Assert.assertFalse(AuditMessage.HASH_REGEX_PATTERN.matcher(TestAuditlogImpl.sb.toString()).matches()); }); 
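Review bot: The redaction checks in `testBCryptHashRedaction` use `Matcher.matches()`, which succeeds only if the whole audit message string matches the pattern, so `assertFalse(...matches())` can pass even when a hash is embedded in the message. `HASH_REGEX_PATTERN` is defined outside this diff; unless it is written with leading and trailing wildcards, the assertion is effectively always true. I would switch to a substring search, `Assert.assertFalse(AuditMessage.HASH_REGEX_PATTERN.matcher(message1.toString()).find());`, and do the same for the check inside the `message2` lambda and for `message3` in the next hunk. The PBKDF2 test asserts that `__HASH__` is present; the BCrypt lines visible here have no equivalent positive check.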
@@ -238,7 +238,7 @@ public void testBCryptHashRedaction() throws Exception { // create internal user and verify no BCrypt hash is present in audit logs final AuditMessage message3 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executePutRequest("/_opendistro/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); + rh.executePutRequest("/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); }); Assert.assertFalse(AuditMessage.HASH_REGEX_PATTERN.matcher(message3.toString()).matches()); @@ -261,9 +261,9 @@ public void testPBKDF2HashRedaction() { rh.keystore = "kirk-keystore.jks"; // read internal users and verify no PBKDF2 hash is present in audit logs - final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers"); - }); + final AuditMessage message1 = TestAuditlogImpl.doThenWaitForMessage( + () -> { rh.executeGetRequest("/_security/api/internalusers"); } + ); Assert.assertFalse( message1.toString() @@ -274,9 +274,9 @@ public void testPBKDF2HashRedaction() { Assert.assertTrue(message1.toString().contains("__HASH__")); // read internal user and verify no PBKDF2 hash is present in audit logs - final AuditMessage message2 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers/user1"); - }); + final AuditMessage message2 = TestAuditlogImpl.doThenWaitForMessage( + () -> { rh.executeGetRequest("/_security/api/internalusers/user1"); } + ); Assert.assertFalse( message2.toString() 
@@ -288,7 +288,7 @@ public void testPBKDF2HashRedaction() { // create internal user and verify no PBKDF2 hash is present in audit logs final AuditMessage message3 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executePutRequest("/_opendistro/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); + rh.executePutRequest("/_security/api/internalusers/test", "{ \"password\":\"some new user password\"}"); }); Assert.assertFalse( @@ -301,7 +301,7 @@ public void testPBKDF2HashRedaction() { // test with various users and different PBKDF2 hash formats to make sure they all get redacted final AuditMessage message4 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers", encodeBasicHeader("user1", "user1")); + rh.executeGetRequest("/_security/api/internalusers", encodeBasicHeader("user1", "user1")); }); Assert.assertFalse( @@ -313,7 +313,7 @@ public void testPBKDF2HashRedaction() { Assert.assertTrue(message4.toString().contains("__HASH__")); final AuditMessage message5 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers", encodeBasicHeader("user2", "user2")); + rh.executeGetRequest("/_security/api/internalusers", encodeBasicHeader("user2", "user2")); }); Assert.assertFalse( @@ -325,7 +325,7 @@ public void testPBKDF2HashRedaction() { Assert.assertTrue(message5.toString().contains("__HASH__")); final AuditMessage message6 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers", encodeBasicHeader("user3", "user3")); + rh.executeGetRequest("/_security/api/internalusers", encodeBasicHeader("user3", "user3")); }); Assert.assertFalse( 
@@ -337,7 +337,7 @@ public void testPBKDF2HashRedaction() { Assert.assertTrue(message6.toString().contains("__HASH__")); final AuditMessage message7 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers", encodeBasicHeader("user4", "user4")); + rh.executeGetRequest("/_security/api/internalusers", encodeBasicHeader("user4", "user4")); }); Assert.assertFalse( @@ -349,7 +349,7 @@ public void testPBKDF2HashRedaction() { Assert.assertTrue(message7.toString().contains("__HASH__")); final AuditMessage message8 = TestAuditlogImpl.doThenWaitForMessage(() -> { - rh.executeGetRequest("/_opendistro/_security/api/internalusers", encodeBasicHeader("user5", "user5")); + rh.executeGetRequest("/_security/api/internalusers", encodeBasicHeader("user5", "user5")); }); Assert.assertFalse( diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java index 5420793789..2881cd593d 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java @@ -227,7 +227,7 @@ public void testGrantedPrivilegesRest() throws Exception { setup(additionalSettings); setupStarfleetIndex(); - testPrivilegeRest(HttpStatus.SC_OK, "/_opendistro/_security/api/roles", AuditCategory.GRANTED_PRIVILEGES); + testPrivilegeRest(HttpStatus.SC_OK, "/_security/api/roles", AuditCategory.GRANTED_PRIVILEGES); } @Test 
@@ -240,7 +240,7 @@ public void testMissingPrivilegesRest() throws Exception { setup(additionalSettings); setupStarfleetIndex(); - testPrivilegeRest(HttpStatus.SC_FORBIDDEN, "/_opendistro/_security/api/roles", AuditCategory.MISSING_PRIVILEGES); + testPrivilegeRest(HttpStatus.SC_FORBIDDEN, "/_security/api/roles", AuditCategory.MISSING_PRIVILEGES); } private void testPrivilegeRest(final int expectedStatus, final String endpoint, final AuditCategory category) throws Exception { @@ -916,15 +916,12 @@ public void testRestMethod() throws Exception { assertThat(messages.get(0).getRequestMethod(), is(POST)); // test PATCH - messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePatchRequest("/_opendistro/_security/api/audit", "[]"); }, 1); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePatchRequest("/_security/api/audit", "[]"); }, 1); assertThat(messages.get(0).getRequestMethod(), is(PATCH)); // test MISSING_PRIVILEGES // admin does not have REST role here - messages = TestAuditlogImpl.doThenWaitForMessages( - () -> { rh.executePatchRequest("/_opendistro/_security/api/audit", "[]", adminHeader); }, - 2 - ); + messages = TestAuditlogImpl.doThenWaitForMessages(() -> { rh.executePatchRequest("/_security/api/audit", "[]", adminHeader); }, 2); // The intital request is authenicated assertThat(messages.get(0).getRequestMethod(), is(PATCH)); assertThat(messages.get(0).getCategory(), is(AuditCategory.AUTHENTICATED)); 
@@ -967,23 +964,20 @@ public void testSensitiveMethodRedaction() throws Exception { // test PUT accounts API TestAuditlogImpl.clear(); - rh.executePutRequest("/_opendistro/_security/api/account", "{\"password\":\"new-pass\", \"current_password\":\"curr-passs\"}"); + rh.executePutRequest("/_security/api/account", "{\"password\":\"new-pass\", \"current_password\":\"curr-passs\"}"); assertThat(TestAuditlogImpl.messages.size(), is(1)); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); // test PUT internal users API TestAuditlogImpl.clear(); - rh.executePutRequest( - "/_opendistro/_security/api/internalusers/test1", - "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}" - ); + rh.executePutRequest("/_security/api/internalusers/test1", "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}"); assertThat(TestAuditlogImpl.messages.size(), is(1)); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); // test PATCH internal users API TestAuditlogImpl.clear(); rh.executePatchRequest( - "/_opendistro/_security/api/internalusers/test1", + "/_security/api/internalusers/test1", "[{\"op\":\"add\", \"path\":\"/password\", \"value\": \"test-pass\"}]" ); assertThat(TestAuditlogImpl.messages.size(), is(1)); @@ -991,10 +985,7 @@ public void testSensitiveMethodRedaction() throws Exception { // test PUT users API TestAuditlogImpl.clear(); - rh.executePutRequest( - "/_opendistro/_security/api/user/test2", - "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}" - ); + rh.executePutRequest("/_security/api/user/test2", "{\"password\":\"new-pass\", \"backend_roles\":[], \"attributes\": {}}"); assertThat(TestAuditlogImpl.messages.size(), is(1)); Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(expectedRequestBody)); } 
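Review bot: Each case in `testSensitiveMethodRedaction` asserts only that the log contains `expectedRequestBody`; none asserts that the submitted secret is absent. If a regression logged both the redacted body and the raw one, these checks would still pass. After each request I would add a negative assertion on the literal that was sent, for example `Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("new-pass"));`, with `"curr-passs"` for the account call and `"test-pass"` for the PATCH. `expectedRequestBody` and the start of the method are outside the hunk, so this assumes it holds the redacted form.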
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java index 989e9933e9..92ea9a67ff 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java @@ -116,7 +116,7 @@ protected Settings rolesSettings() { protected void deleteUser(String username) throws Exception { boolean sendAdminCertificate = rh.sendAdminCertificate; rh.sendAdminCertificate = true; - HttpResponse response = rh.executeDeleteRequest("/_opendistro/_security/api/internalusers/" + username, new Header[0]); + HttpResponse response = rh.executeDeleteRequest("/_security/api/internalusers/" + username, new Header[0]); assertThat(response.getStatusCode(), is(HttpStatus.SC_OK)); rh.sendAdminCertificate = sendAdminCertificate; } @@ -129,7 +129,7 @@ protected void addUserWithPassword(String username, String password, int status, boolean sendAdminCertificate = rh.sendAdminCertificate; rh.sendAdminCertificate = true; HttpResponse response = rh.executePutRequest( - "/_opendistro/_security/api/internalusers/" + username, + "/_security/api/internalusers/" + username, "{\"password\": \"" + password + "\"}", new Header[0] ); @@ -151,7 +151,7 @@ protected void addUserWithPassword(String username, String password, String[] ro } } payload += "]}"; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); + HttpResponse response = rh.executePutRequest("/_security/api/internalusers/" + username, payload, new Header[0]); assertThat(response.getStatusCode(), is(status)); rh.sendAdminCertificate = sendAdminCertificate; } 
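Review bot: The request bodies in `addUserWithPassword` are built by string concatenation, `"{\"password\": \"" + password + "\"}"`, and the `addUserWithHash` and `addUserWithPasswordAndHash` hunks that follow do the same with `hash`. A password or hash containing `"` or `\` produces malformed JSON, so a test expecting a rejection could pass because the body failed to parse rather than because the password validator refused it. Building the payload with whichever JSON serializer the test code already uses would make those tests check what they claim to. The usernames appended to the path are likewise not URL-encoded, which matters only if a test uses names with reserved characters.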
@@ -167,7 +167,7 @@ protected void addUserWithoutPasswordOrHash(String username, String[] roles, int } } payload += "]}"; - HttpResponse response = rh.executePutRequest("/_opendistro/_security/api/internalusers/" + username, payload, new Header[0]); + HttpResponse response = rh.executePutRequest("/_security/api/internalusers/" + username, payload, new Header[0]); assertThat(response.getStatusCode(), is(status)); rh.sendAdminCertificate = sendAdminCertificate; } @@ -180,7 +180,7 @@ protected void addUserWithHash(String username, String hash, int status) throws boolean sendAdminCertificate = rh.sendAdminCertificate; rh.sendAdminCertificate = true; HttpResponse response = rh.executePutRequest( - "/_opendistro/_security/api/internalusers/" + username, + "/_security/api/internalusers/" + username, "{\"hash\": \"" + hash + "\"}", new Header[0] ); @@ -192,7 +192,7 @@ protected void addUserWithPasswordAndHash(String username, String password, Stri boolean sendAdminCertificate = rh.sendAdminCertificate; rh.sendAdminCertificate = true; HttpResponse response = rh.executePutRequest( - "/_opendistro/_security/api/internalusers/" + username, + "/_security/api/internalusers/" + username, "{\"hash\": \"" + hash + "\", \"password\": \"" + password + "\"}", new Header[0] ); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java deleted file mode 100644 index fbde68e911..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyAuditApiActionTests.java +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.AuditApiActionTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyAuditApiActionTests extends AuditApiActionTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java deleted file mode 100644 index 07983bad0d..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyGetConfigurationApiTests.java +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.GetConfigurationApiTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyGetConfigurationApiTests extends GetConfigurationApiTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java deleted file mode 100644 index fef436f4d7..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyIndexMissingTests.java +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.IndexMissingTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyIndexMissingTests extends IndexMissingTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java deleted file mode 100644 index a316785f02..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyNodesDnApiTests.java +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.NodesDnApiTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyNodesDnApiTests extends NodesDnApiTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java deleted file mode 100644 index 329404dfe7..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyRoleBasedAccessTests.java +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.RoleBasedAccessTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyRoleBasedAccessTests extends RoleBasedAccessTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java deleted file mode 100644 index 85428d645d..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacySecurityApiAccessTests.java +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.SecurityApiAccessTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacySecurityApiAccessTests extends SecurityApiAccessTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java deleted file mode 100644 index 49963d7d55..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyTenantInfoActionTests.java +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.TenantInfoActionTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyTenantInfoActionTests extends TenantInfoActionTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java deleted file mode 100644 index 689981aa2a..0000000000 --- a/src/test/java/org/opensearch/security/dlic/rest/api/legacy/LegacyWhitelistApiTests.java +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.dlic.rest.api.legacy; - -import org.opensearch.security.dlic.rest.api.WhitelistApiTest; - -import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX; - -public class LegacyWhitelistApiTests extends WhitelistApiTest { - @Override - protected String getEndpointPrefix() { - return LEGACY_OPENDISTRO_PREFIX; - } -} diff --git a/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java b/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java index d1422e61eb..eb6e65afc7 100644 
--- a/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java +++ b/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java @@ -729,7 +729,7 @@ private static void verifyTenantActions( ); assertThat(adminIndexDocToCreateTenant.getBody(), adminIndexDocToCreateTenant.getStatusCode(), equalTo(HttpStatus.SC_CREATED)); - final HttpResponse authInfo = rh.executeGetRequest("/_opendistro/_security/authinfo?pretty", inTenant, asUser); + final HttpResponse authInfo = rh.executeGetRequest("/_security/authinfo?pretty", inTenant, asUser); assertThat(authInfo.getBody(), authInfo.findValueInJson("tenants." + tenant), equalTo(tenantExpectation.isTenantWritable)); final HttpResponse search = rh.executeGetRequest(".kibana/_search", inTenant, asUser);