Merge branch '2.x' into security-subject-2.x-legacy-authz

cwperks · Jan 17, 2025 · 49dc4c0 · 49dc4c0
2 parents c5b9902 + 376fd16
commit 49dc4c0
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java b/src/integrationTest/java/org/opensearch/security/DoNotFailOnForbiddenTests.java
@@ -12,6 +12,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -463,8 +464,9 @@ public void shouldPerformCatIndices_positive() throws IOException {
             Request getIndicesRequest = new Request("GET", "/_cat/indices");
             // High level client doesn't support _cat/_indices API
             Response getIndicesResponse = restHighLevelClient.getLowLevelClient().performRequest(getIndicesRequest);
-            List<String> indexes = new BufferedReader(new InputStreamReader(getIndicesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> indexes = new BufferedReader(
+                new InputStreamReader(getIndicesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             assertThat(indexes.size(), equalTo(1));
             assertThat(indexes.get(0), containsString("marvelous_songs"));
@@ -477,8 +479,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(LIMITED_USER)) {
             Request getAliasesRequest = new Request("GET", "/_cat/aliases");
             Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
-            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> aliases = new BufferedReader(
+                new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             // Does not fail on forbidden, but alias response only contains index which user has access to
             assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));
@@ -491,8 +494,9 @@ public void shouldPerformCatAliases_positive() throws IOException {
         try (RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient(ADMIN_USER)) {
             Request getAliasesRequest = new Request("GET", "/_cat/aliases");
             Response getAliasesResponse = restHighLevelClient.getLowLevelClient().performRequest(getAliasesRequest);
-            List<String> aliases = new BufferedReader(new InputStreamReader(getAliasesResponse.getEntity().getContent())).lines()
-                .collect(Collectors.toList());
+            List<String> aliases = new BufferedReader(
+                new InputStreamReader(getAliasesResponse.getEntity().getContent(), StandardCharsets.UTF_8)
+            ).lines().collect(Collectors.toList());
 
             // Admin has access to all
             assertThat(getAliasesResponse.getStatusLine().getStatusCode(), equalTo(200));

diff --git a/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java b/src/main/java/org/opensearch/security/ssl/config/SslCertificatesLoader.java
@@ -63,6 +63,7 @@ public Tuple<TrustStoreConfiguration, KeyStoreConfiguration> loadConfiguration(f
         final var settings = environment.settings();
         final var sslConfigSettings = settings.getByPrefix(fullSslConfigSuffix);
         if (settings.hasValue(sslConfigSuffix + KEYSTORE_FILEPATH)) {
+            final var keyStorePassword = resolvePassword(sslConfigSuffix + KEYSTORE_PASSWORD, settings, DEFAULT_STORE_PASSWORD);
             return Tuple.tuple(
                 environment.settings().hasValue(sslConfigSuffix + TRUSTSTORE_FILEPATH)
                     ? buildJdkTrustStoreConfiguration(
@@ -74,8 +75,12 @@ public Tuple<TrustStoreConfiguration, KeyStoreConfiguration> loadConfiguration(f
                 buildJdkKeyStoreConfiguration(
                     sslConfigSettings,
                     environment,
-                    resolvePassword(sslConfigSuffix + KEYSTORE_PASSWORD, settings, DEFAULT_STORE_PASSWORD),
-                    resolvePassword(fullSslConfigSuffix + KEYSTORE_KEY_PASSWORD, settings, DEFAULT_STORE_PASSWORD)
+                    keyStorePassword,
+                    resolvePassword(
+                        fullSslConfigSuffix + KEYSTORE_KEY_PASSWORD,
+                        settings,
+                        keyStorePassword != null ? String.valueOf(keyStorePassword) : null
+                    )
                 )
             );
         } else {

diff --git a/src/test/java/org/opensearch/security/support/SafeSerializationUtilsTest.java b/src/test/java/org/opensearch/security/support/SafeSerializationUtilsTest.java
@@ -17,6 +17,7 @@
 import java.util.HashMap;
 import java.util.regex.Pattern;
 
+import org.junit.After;
 import org.junit.Test;
 
 import org.opensearch.security.auth.UserInjector;
@@ -35,6 +36,11 @@
 
 public class SafeSerializationUtilsTest {
 
+    @After
+    public void clearCache() {
+        SafeSerializationUtils.safeClassCache.clear();
+    }
+
     @Test
     public void testSafeClasses() {
         assertTrue(SafeSerializationUtils.isSafeClass(String.class));