From 3fb4137bd54a4b245a6bf42471b354e3bf040b8b Mon Sep 17 00:00:00 2001 From: Derek Ho Date: Fri, 13 Dec 2024 16:44:42 -0500 Subject: [PATCH] Put in hacks to create audit log entries for now Signed-off-by: Derek Ho --- .../apitokens/ApiTokenIndexHandler.java | 19 +++++++++++++++++++ .../security/compliance/ComplianceConfig.java | 6 +++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java b/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java index 8ec2d7204f..8ef3f63571 100644 --- a/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java +++ b/src/main/java/org/opensearch/security/action/apitokens/ApiTokenIndexHandler.java @@ -41,6 +41,7 @@ import org.opensearch.index.reindex.DeleteByQueryRequest; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; +import org.opensearch.security.dlic.rest.support.Utils; import org.opensearch.security.support.ConfigConstants; import static org.opensearch.security.action.apitokens.ApiToken.NAME_FIELD; @@ -57,7 +58,13 @@ public ApiTokenIndexHandler(Client client, ClusterService clusterService) { } public String indexTokenMetadata(ApiToken token) { + // TODO: move this out of index handler class, potentially create a layer in between baseresthandler and abstractapiaction which can + // abstract this complexity away + final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext()); try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) { + client.threadPool() + .getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft()); XContentBuilder builder = XContentFactory.jsonBuilder(); String jsonString = token.toXContent(builder, ToXContent.EMPTY_PARAMS).toString(); 
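Review bot: Re-attaching the caller's user right after `stashContext()` in `indexTokenMetadata` puts an identity back into a context that was presumably stashed so the index operation is not evaluated against that caller's own permissions, so it is worth confirming with a non-admin caller that the request is still authorized and that the audit entry names the right user. `originalUserAndRemoteAddress.getLeft()` is also handed to `putTransient` without a null check, and the remote address on the right side of the pair is captured but never restored, so the audit entries produced here would presumably carry the user without the origin address. The same four added lines are repeated in `deleteToken`, `getTokenMetadatas` and `createApiTokenIndexIfAbsent`; until the TODO is resolved, one private helper that returns the `StoredContext` would keep the stash-then-restore order in a single place. The method body continues past the end of this hunk.

```java
// … unchanged: constructor …

/** Stashes the thread context, then re-attaches only the calling user so audit events stay attributable. */
private ThreadContext.StoredContext stashContextKeepingUser() {
    final ThreadContext threadContext = client.threadPool().getThreadContext();
    // Read the user before stashing; it is no longer available afterwards.
    final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadContext);
    final ThreadContext.StoredContext stored = threadContext.stashContext();
    try {
        if (originalUserAndRemoteAddress.getLeft() != null) {
            threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
        }
    } catch (RuntimeException e) {
        // Do not leave the stashed context in place if the user cannot be attached.
        stored.close();
        throw e;
    }
    return stored;
}

public String indexTokenMetadata(ApiToken token) {
    try (final ThreadContext.StoredContext ctx = stashContextKeepingUser()) {
        // … unchanged: build and index the token document …
```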
@@ -81,7 +88,11 @@ public String indexTokenMetadata(ApiToken token) { } public void deleteToken(String name) throws ApiTokenException { + final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext()); try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) { + client.threadPool() + .getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft()); DeleteByQueryRequest request = new DeleteByQueryRequest(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX).setQuery( QueryBuilders.matchQuery(NAME_FIELD, name) ).setRefresh(true); @@ -98,7 +109,11 @@ public void deleteToken(String name) throws ApiTokenException { } public Map getTokenMetadatas() { + final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext()); try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) { + client.threadPool() + .getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft()); SearchRequest searchRequest = new SearchRequest(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX); searchRequest.source(new SearchSourceBuilder()); @@ -131,7 +146,11 @@ public Boolean apiTokenIndexExists() { public void createApiTokenIndexIfAbsent() { if (!apiTokenIndexExists()) { + final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext()); try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) { + client.threadPool() + .getThreadContext() + .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft()); final Map indexSettings = ImmutableMap.of( "index.number_of_shards", 1, 
diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index b2bbd1cb73..dac98798c0 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -509,7 +509,7 @@ public boolean writeHistoryEnabledForIndex(String index) {
 }
 // if security index (internal index) check if internal config logging is enabled
 // TODO: Add support for custom api token index?
- if (securityIndex.equals(index) || securityIndex.equals(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX)) {
+ if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
 return logInternalConfig;
 }
 // if the index is used for audit logging, return false
@@ -537,7 +537,7 @@ public boolean readHistoryEnabledForIndex(String index) {
 return false;
 }
 // if security index (internal index) check if internal config logging is enabled
- if (securityIndex.equals(index)) {
+ if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
 return logInternalConfig;
 }
 try {
@@ -559,7 +559,7 @@ public boolean readHistoryEnabledForField(String index, String field) {
 return false;
 }
 // if security index (internal index) check if internal config logging is enabled
- if (securityIndex.equals(index)) {
+ if (securityIndex.equals(index) || ConfigConstants.OPENSEARCH_API_TOKENS_INDEX.equals(index)) {
 return logInternalConfig;
 }
 WildcardMatcher matcher;
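Review bot: Now that the condition in `writeHistoryEnabledForIndex` really matches the API token index, writes to that index are logged under `logInternalConfig`, and nothing in this change shows which parts of the token document end up in the compliance log. If the indexed document holds the token itself or anything derived from it, that value would be copied into the audit trail, so a test that creates a token and inspects the resulting audit message is worth adding. The existing TODO could also state the gap it refers to, for example `// TODO: the token index name is fixed here; a custom API token index would not match this check`. The method starts and ends outside the hunk.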
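Review bot: The comment above the changed condition in `readHistoryEnabledForIndex` still reads `// if security index (internal index) check if internal config logging is enabled`, although the branch now also covers the API token index; the same stale comment sits above the identical change in `readHistoryEnabledForField`. I would change both to `// if security index or API token index (internal indices), check if internal config logging is enabled`. The same two-part test now appears in three methods, so a small private predicate such as `private boolean isInternalConfigIndex(String index)` would keep them from drifting apart again the way the write-history check did. Both methods extend beyond their hunks.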