Support security demo script changes (#4304)

Signed-off-by: Rishabh Singh <sngri@amazon.com>

Pipfile

@@ -39,6 +39,7 @@ zipp = "~=3.8.1"
 importlib-metadata = "~=4.12.0"
 ruamel-yaml = "~=0.17.21"
 mistune = "~=3.0.1"
+semver = ">=3,<4"
 
 [dev-packages]
 

src/test_workflow/benchmark_test/benchmark_test_cluster.py

@@ -14,6 +14,7 @@
 from typing import Any, Generator, Union
 
 import requests
+import semver
 from requests.auth import HTTPBasicAuth
 from retry.api import retry_call  # type: ignore
 
@@ -121,6 +122,7 @@ def wait_for_processing(self, tries: int = 3, delay: int = 15, backoff: int = 2)
 
     def setup_cdk_params(self, config: dict) -> dict:
         suffix = ''
+        need_strong_password = False
         if self.args.stack_suffix and self.manifest:
             suffix = self.args.stack_suffix + '-' + self.manifest.build.id + '-' + self.manifest.build.architecture
         elif self.manifest:
@@ -132,8 +134,12 @@ def setup_cdk_params(self, config: dict) -> dict:
             artifact_url = self.manifest.build.location if isinstance(self.manifest, BundleManifest) else \
                 f"https://artifacts.opensearch.org/snapshots/core/opensearch/{self.manifest.build.version}/opensearch-min-" \
                 f"{self.manifest.build.version}-linux-{self.manifest.build.architecture}-latest.tar.gz"
+            if not self.args.insecure and semver.compare(self.manifest.build.version, '2.12.0') != -1:
+                need_strong_password = True
         else:
             artifact_url = self.args.distribution_url.strip()
+            if not self.args.insecure and semver.compare(self.args.distribution_version, '2.12.0') != -1:
+                need_strong_password = True
 
         return {
             "distributionUrl": artifact_url,
@@ -142,6 +148,7 @@ def setup_cdk_params(self, config: dict) -> dict:
             "region": config["Constants"]["Region"],
             "suffix": suffix,
             "securityDisabled": str(self.args.insecure).lower(),
+            "adminPassword": 'myStrongPassword123!' if need_strong_password else None,
             "cpuArch": self.manifest.build.architecture if self.manifest else 'x64',
             "singleNodeCluster": str(self.args.single_node).lower(),
             "distVersion": self.manifest.build.version if self.manifest else self.args.distribution_version,

src/test_workflow/benchmark_test/benchmark_test_runner.py

@@ -53,3 +53,10 @@ def get_git_ref(self) -> str:
                 return 'main'
             else:
                 return '1.x'
+
+    def get_distribution_version(self) -> str:
+        os_version_float: float
+        if self.test_manifest:
+            return self.test_manifest.build.version
+        else:
+            return self.args.distribution_version

src/test_workflow/benchmark_test/benchmark_test_runner_opensearch.py

@@ -44,5 +44,5 @@ def run_tests(self) -> None:
             with GitRepository(self.get_cluster_repo_url(), self.get_git_ref(), current_workspace):
                 with WorkingDirectory(current_workspace):
                     with BenchmarkTestCluster.create(self.test_manifest, config, self.args, current_workspace) as test_cluster:
-                        benchmark_test_suite = BenchmarkTestSuite(test_cluster.endpoint_with_port, self.security, self.args)
+                        benchmark_test_suite = BenchmarkTestSuite(test_cluster.endpoint_with_port, self.security, self.get_distribution_version(), self.args)
                         retry_call(benchmark_test_suite.execute, tries=3, delay=60, backoff=2)

src/test_workflow/benchmark_test/benchmark_test_suite.py

@@ -10,6 +10,8 @@
 import subprocess
 from typing import Any
 
+import semver
+
 from test_workflow.benchmark_test.benchmark_args import BenchmarkArgs
 
 
@@ -19,6 +21,7 @@ class BenchmarkTestSuite:
     current_workspace: str
     args: BenchmarkArgs
     command: str
+    distribution_version: str
 
     """
     Represents a performance test suite. This class runs rally test on the deployed cluster with the provided IP.
@@ -28,11 +31,13 @@ def __init__(
             self,
             endpoint: Any,
             security: bool,
+            distribution_version: str,
             args: BenchmarkArgs,
     ) -> None:
         self.endpoint = endpoint
         self.security = security
         self.args = args
+        self.distribution_version = distribution_version
         # Pass the cluster endpoints with -t for multi-cluster use cases(e.g. cross-cluster-replication)
         self.command = 'docker run --rm'
         if self.args.benchmark_config:
@@ -65,8 +70,11 @@ def __init__(
                 self.command += f" --telemetry-params '{self.args.telemetry_params}'"
 
     def execute(self) -> None:
+        password: str = 'admin'
         if self.security:
-            self.command += ' --client-options="timeout:300,use_ssl:true,verify_certs:false,basic_auth_user:\'admin\',basic_auth_password:\'admin\'"'
+            if semver.compare(self.distribution_version, '2.12.0') != -1:
+                password = 'myStrongPassword123!'
+            self.command += f' --client-options="timeout:300,use_ssl:true,verify_certs:false,basic_auth_user:\'admin\',basic_auth_password:\'{password}\'"'
         else:
             self.command += ' --client-options="timeout:300"'
         logging.info(f"Executing {self.command}")

tests/tests_test_workflow/test_benchmark_workflow/benchmark_test/test_benchmark_test_cluster.py

@@ -48,6 +48,7 @@ def test_create_single_node_secure(self, mock_wait_for_processing: Optional[Mock
         self.assertEqual(self.benchmark_test_cluster.port, 443)
         self.assertTrue("opensearch-infra-stack-test-suffix-007-x64" in self.benchmark_test_cluster.stack_name)
         self.assertTrue("securityDisabled=false" in self.benchmark_test_cluster.params)
+        self.assertTrue("adminPassword" not in self.benchmark_test_cluster.params)
         self.assertTrue("singleNodeCluster=true" in self.benchmark_test_cluster.params)
         self.assertTrue("isInternal=true" in self.benchmark_test_cluster.params)
         self.assertTrue("distributionUrl=https://artifacts.opensearch.org/bundles/1.0.0/41d5ae25183d4e699e92debfbe3f83bd/opensearch-1.0.0-linux-x64.tar.gz" in self.benchmark_test_cluster.params)
@@ -100,7 +101,8 @@ def test_create_multi_node(self, mock_wait_for_processing: Optional[Mock]) -> No
     @patch("test_workflow.benchmark_test.benchmark_test_cluster.BenchmarkTestCluster.wait_for_processing")
     def test_create_multi_node_without_manifest(self, mock_wait_for_processing: Optional[Mock]) -> None:
         self.args.distribution_url = "https://artifacts.opensearch.org/2.10.0/opensearch.tar.gz"
-        self.args.distribution_version = '2.10.0'
+        self.args.distribution_version = '2.12.0'
+        self.args.insecure = False
         TestBenchmarkTestCluster.setUp(self, self.args, False)
         mock_file = MagicMock(side_effect=[{"opensearch-infra-stack-test-suffix": {"loadbalancerurl": "www.example.com"}}])
         with patch("subprocess.check_call") as mock_check_call:
@@ -110,5 +112,7 @@ def test_create_multi_node_without_manifest(self, mock_wait_for_processing: Opti
                     self.assertEqual(mock_check_call.call_count, 1)
         self.assertTrue("opensearch-infra-stack-test-suffix" in self.benchmark_test_cluster.stack_name)
         self.assertTrue("cpuArch=x64" in self.benchmark_test_cluster.params)
-        self.assertTrue("distVersion=2.10.0" in self.benchmark_test_cluster.params)
+        self.assertTrue("distVersion=2.12.0" in self.benchmark_test_cluster.params)
+        self.assertTrue("securityDisabled=false" in self.benchmark_test_cluster.params)
+        self.assertTrue("adminPassword=myStrongPassword123!" in self.benchmark_test_cluster.params)
         self.assertTrue("distributionUrl=https://artifacts.opensearch.org/2.10.0/opensearch.tar.gz" in self.benchmark_test_cluster.params)

tests/tests_test_workflow/test_benchmark_workflow/benchmark_test/test_benchmark_test_runner_opensearch.py

@@ -49,7 +49,7 @@ def test_run(self, mock_suite: Mock, mock_cluster: Mock, mock_git: Mock, mock_te
                                   "--distribution-url",
                                   "https://artifacts.opensearch.org/2.10.0/opensearch.tar.gz",
                                   "--distribution-version",
-                                  "2.10.0",
+                                  "2.3.0",
                                   "--config", os.path.join(os.path.dirname(__file__), "data", "test-config.yml"),
                                   "--workload", "test",
                                   "--suffix", "test"])
@@ -67,7 +67,6 @@ def test_run_with_dist_url_and_version(self, mock_suite: Mock, mock_cluster: Moc
         benchmark_args = BenchmarkArgs()
         runner = BenchmarkTestRunners.from_args(benchmark_args)
         runner.run()
-
         mock_git.assert_called_with("https://github.com/opensearch-project/opensearch-cluster-cdk.git", "main",
                                     os.path.join(tempfile.gettempdir(), "opensearch-cluster-cdk"))
         self.assertEqual(mock_suite.call_count, 1)

tests/tests_test_workflow/test_benchmark_workflow/benchmark_test/test_benchmark_test_suite.py

@@ -25,7 +25,7 @@ def setUp(self, **kwargs: Any) -> None:
         self.args.exclude_tasks = kwargs['exclude_tasks'] if 'exclude_tasks' in kwargs else None
         self.args.include_tasks = kwargs['include_tasks'] if 'include_tasks' in kwargs else None
         self.endpoint = "abc.com"
-        self.benchmark_test_suite = BenchmarkTestSuite(endpoint=self.endpoint, security=False, args=self.args)
+        self.benchmark_test_suite = BenchmarkTestSuite(endpoint=self.endpoint, security=False, distribution_version='2.3.0', args=self.args)
 
     def test_execute_default(self) -> None:
         with patch("subprocess.check_call") as mock_check_call:
@@ -35,8 +35,19 @@ def test_execute_default(self) -> None:
                              'docker run --rm opensearchproject/opensearch-benchmark:latest execute-test --workload=nyc_taxis '
                              '--pipeline=benchmark-only --target-hosts=abc.com --client-options="timeout:300"')
 
+    def test_execute_security_enabled_version_212_or_greater(self) -> None:
+        benchmark_test_suite = BenchmarkTestSuite(endpoint=self.endpoint, security=True, distribution_version='2.12.0', args=self.args)
+        with patch("subprocess.check_call") as mock_check_call:
+            benchmark_test_suite.execute()
+            self.assertEqual(mock_check_call.call_count, 1)
+            self.assertEqual(benchmark_test_suite.command,
+                             'docker run --rm opensearchproject/opensearch-benchmark:latest execute-test '
+                             '--workload=nyc_taxis --pipeline=benchmark-only '
+                             '--target-hosts=abc.com --client-options="timeout:300,use_ssl:true,'
+                             'verify_certs:false,basic_auth_user:\'admin\',basic_auth_password:\'myStrongPassword123!\'"')
+
     def test_execute_security_enabled(self) -> None:
-        benchmark_test_suite = BenchmarkTestSuite(endpoint=self.endpoint, security=True, args=self.args)
+        benchmark_test_suite = BenchmarkTestSuite(endpoint=self.endpoint, security=True, distribution_version='2.3.0', args=self.args)
         with patch("subprocess.check_call") as mock_check_call:
             benchmark_test_suite.execute()
             self.assertEqual(mock_check_call.call_count, 1)