Support integTestRemote with security enabled endpoint

opensearch-observability/src/test/kotlin/org/opensearch/observability/PluginRestTestCase.kt

@@ -6,17 +6,7 @@
 package org.opensearch.observability
 
 import com.google.gson.JsonObject
-import org.apache.http.Header
 import org.apache.http.HttpHost
-import org.apache.http.auth.AuthScope
-import org.apache.http.auth.UsernamePasswordCredentials
-import org.apache.http.client.CredentialsProvider
-import org.apache.http.client.config.RequestConfig
-import org.apache.http.conn.ssl.NoopHostnameVerifier
-import org.apache.http.impl.client.BasicCredentialsProvider
-import org.apache.http.impl.nio.client.HttpAsyncClientBuilder
-import org.apache.http.message.BasicHeader
-import org.apache.http.ssl.SSLContextBuilder
 import org.junit.After
 import org.junit.AfterClass
 import org.junit.Before
@@ -25,21 +15,21 @@ import org.opensearch.client.RequestOptions
 import org.opensearch.client.Response
 import org.opensearch.client.ResponseException
 import org.opensearch.client.RestClient
-import org.opensearch.client.RestClientBuilder
+import org.opensearch.client.WarningsHandler
+import org.opensearch.common.io.PathUtils
 import org.opensearch.common.settings.Settings
-import org.opensearch.common.unit.TimeValue
-import org.opensearch.common.util.concurrent.ThreadContext
 import org.opensearch.common.xcontent.DeprecationHandler
 import org.opensearch.common.xcontent.NamedXContentRegistry
 import org.opensearch.common.xcontent.XContentType
+import org.opensearch.commons.ConfigConstants
+import org.opensearch.commons.rest.SecureRestClientBuilder
 import org.opensearch.test.rest.OpenSearchRestTestCase
 import java.io.BufferedReader
 import java.io.IOException
 import java.io.InputStreamReader
 import java.nio.charset.StandardCharsets
 import java.nio.file.Files
 import java.nio.file.Path
-import java.security.cert.X509Certificate
 import javax.management.MBeanServerInvocationHandler
 import javax.management.ObjectName
 import javax.management.remote.JMXConnectorFactory
@@ -79,63 +69,56 @@ abstract class PluginRestTestCase : OpenSearchRestTestCase() {
                 val jsonObject: Map<*, *> = index as java.util.HashMap<*, *>
                 val indexName: String = jsonObject["index"] as String
                 // .opendistro_security isn't allowed to delete from cluster
-                if (indexName != ".opendistro_security") {
-                    client().performRequest(Request("DELETE", "/$indexName"))
+                if (".opendistro_security" != indexName) {
+                    val request = Request("DELETE", "/$indexName")
+                    // TODO: remove PERMISSIVE option after moving system index access to REST API call
+                    val options = RequestOptions.DEFAULT.toBuilder()
+                    options.setWarningsHandler(WarningsHandler.PERMISSIVE)
+                    request.options = options.build()
+                    adminClient().performRequest(request)
                 }
             }
         }
     }
 
+    /**
+     * Returns the REST client settings used for super-admin actions like cleaning up after the test has completed.
+     */
+    override fun restAdminSettings(): Settings {
+        return Settings
+            .builder()
+            .put("http.port", 9200)
+            .put(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_ENABLED, isHttps())
+            .put(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, "sample.pem")
+            .put(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, "test-kirk.jks")
+            .put(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, "changeit")
+            .put(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
+            .build()
+    }
+
     @Throws(IOException::class)
     override fun buildClient(settings: Settings, hosts: Array<HttpHost>): RestClient {
-        val builder = RestClient.builder(*hosts)
         if (isHttps()) {
-            configureHttpsClient(builder, settings)
+            val keystore = settings.get(ConfigConstants.OPENSEARCH_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH)
+            return when (keystore != null) {
+                true -> {
+                    // create adminDN (super-admin) client
+                    val uri = javaClass.classLoader.getResource("security/sample.pem").toURI()
+                    val configPath = PathUtils.get(uri).parent.toAbsolutePath()
+                    SecureRestClientBuilder(settings, configPath).setSocketTimeout(60000).build()
+                }
+                false -> {
+                    // create client with passed user
+                    val userName = System.getProperty("user")
+                    val password = System.getProperty("password")
+                    SecureRestClientBuilder(hosts, isHttps(), userName, password).setSocketTimeout(60000).build()
+                }
+            }
         } else {
+            val builder = RestClient.builder(*hosts)
             configureClient(builder, settings)
-        }
-        builder.setStrictDeprecationMode(true)
-        return builder.build()
-    }
-
-    @Throws(IOException::class)
-    protected open fun configureHttpsClient(builder: RestClientBuilder, settings: Settings) {
-        val headers = ThreadContext.buildDefaultHeaders(settings)
-        val defaultHeaders = arrayOfNulls<Header>(headers.size)
-        var i = 0
-        for ((key, value) in headers) {
-            defaultHeaders[i++] = BasicHeader(key, value)
-        }
-        builder.setDefaultHeaders(defaultHeaders)
-        builder.setHttpClientConfigCallback { httpClientBuilder: HttpAsyncClientBuilder ->
-            val userName = System.getProperty("user")
-            val password = System.getProperty("password")
-            val credentialsProvider: CredentialsProvider = BasicCredentialsProvider()
-            credentialsProvider.setCredentials(AuthScope.ANY, UsernamePasswordCredentials(userName, password))
-            try {
-                return@setHttpClientConfigCallback httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider)
-                    // disable the certificate since our testing cluster just uses the default security configuration
-                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
-                    .setSSLContext(
-                        SSLContextBuilder.create()
-                            .loadTrustMaterial(null) { _: Array<X509Certificate?>?, _: String? -> true }
-                            .build()
-                    )
-            } catch (e: Exception) {
-                throw RuntimeException(e)
-            }
-        }
-        val socketTimeoutString = settings[CLIENT_SOCKET_TIMEOUT]
-        val socketTimeout = TimeValue.parseTimeValue(socketTimeoutString ?: "60s", CLIENT_SOCKET_TIMEOUT)
-        builder.setRequestConfigCallback { conf: RequestConfig.Builder ->
-            conf.setSocketTimeout(
-                Math.toIntExact(
-                    socketTimeout.millis
-                )
-            )
-        }
-        if (settings.hasValue(CLIENT_PATH_PREFIX)) {
-            builder.setPathPrefix(settings[CLIENT_PATH_PREFIX])
+            builder.setStrictDeprecationMode(true)
+            return builder.build()
         }
     }
 

opensearch-observability/src/test/resources/security/sample.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEyTCCA7GgAwIBAgIGAWLrc1O2MA0GCSqGSIb3DQEBCwUAMIGPMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
+IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwHhcNMTgwNDIy
+MDM0MzQ3WhcNMjgwNDE5MDM0MzQ3WjBeMRIwEAYKCZImiZPyLGQBGRYCZGUxDTAL
+BgNVBAcMBHRlc3QxDTALBgNVBAoMBG5vZGUxDTALBgNVBAsMBG5vZGUxGzAZBgNV
+BAMMEm5vZGUtMC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAJa+f476vLB+AwK53biYByUwN+40D8jMIovGXm6wgT8+9Sbs899dDXgt
+9CE1Beo65oP1+JUz4c7UHMrCY3ePiDt4cidHVzEQ2g0YoVrQWv0RedS/yx/DKhs8
+Pw1O715oftP53p/2ijD5DifFv1eKfkhFH+lwny/vMSNxellpl6NxJTiJVnQ9HYOL
+gf2t971ITJHnAuuxUF48HcuNovW4rhtkXef8kaAN7cE3LU+A9T474ULNCKkEFPIl
+ZAKN3iJNFdVsxrTU+CUBHzk73Do1cCkEvJZ0ZFjp0Z3y8wLY/gqWGfGVyA9l2CUq
+eIZNf55PNPtGzOrvvONiui48vBKH1LsCAwEAAaOCAVkwggFVMIG8BgNVHSMEgbQw
+gbGAFJI1DOAPHitF9k0583tfouYSl0BzoYGVpIGSMIGPMRMwEQYKCZImiZPyLGQB
+GRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQRXhhbXBs
+ZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290IENBMSEw
+HwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0GCAQEwHQYDVR0OBBYEFKyv
+78ZmFjVKM9g7pMConYH7FVBHMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
+MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA1BgNVHREELjAsiAUq
+AwQFBYISbm9kZS0wLmV4YW1wbGUuY29tgglsb2NhbGhvc3SHBH8AAAEwDQYJKoZI
+hvcNAQELBQADggEBAIOKuyXsFfGv1hI/Lkpd/73QNqjqJdxQclX57GOMWNbOM5H0
+5/9AOIZ5JQsWULNKN77aHjLRr4owq2jGbpc/Z6kAd+eiatkcpnbtbGrhKpOtoEZy
+8KuslwkeixpzLDNISSbkeLpXz4xJI1ETMN/VG8ZZP1bjzlHziHHDu0JNZ6TnNzKr
+XzCGMCohFfem8vnKNnKUneMQMvXd3rzUaAgvtf7Hc2LTBlf4fZzZF1EkwdSXhaMA
+1lkfHiqOBxtgeDLxCHESZ2fqgVqsWX+t3qHQfivcPW6txtDyrFPRdJOGhiMGzT/t
+e/9kkAtQRgpTb3skYdIOOUOV0WGQ60kJlFhAzIs=
+-----END CERTIFICATE-----