Adds tests for resource sharing flow and add a CI job to run resource-sharing tests

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

Author: DarshitChanpura

.github/workflows/test_security.yml

@@ -20,6 +20,7 @@ jobs:
     strategy:
       matrix:
         java: [21]
+        resource_sharing_flag: [ "", "-Dresource_sharing.enabled=true" ]
 
     name: Run Security Integration Tests on Linux
     runs-on: ubuntu-latest
@@ -45,4 +46,8 @@ jobs:
         # switching the user, as OpenSearch cluster can only be started as root/Administrator on linux-deb/linux-rpm/windows-zip.
         run: |
           chown -R 1000:1000 `pwd`
-          su `id -un 1000` -c "whoami && java -version && ./gradlew integTest -Dsecurity.enabled=true"
+          su `id -un 1000` -c "whoami && java -version && ./gradlew integTest \
+            -Dsecurity.enabled=true \
+            -Dhttps=true \
+            ${{ matrix.resource_sharing_flag }} \
+            --tests '*IT'"

build.gradle

@@ -256,6 +256,8 @@ dependencies {
     testImplementation("org.junit.jupiter:junit-jupiter:${junitJupiterVersion}")
     testImplementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${versions.jackson_databind}")
 
+    testImplementation 'org.awaitility:awaitility:4.3.0'
+
     // ZipArchive dependencies used for integration tests
     zipArchive("org.opensearch.plugin:opensearch-job-scheduler:${opensearch_build}")
     zipArchive("org.opensearch.plugin:opensearch-ml-plugin:${opensearch_build}")
@@ -351,6 +353,8 @@ integTest {
     systemProperty('user', user)
     systemProperty('password', password)
 
+    systemProperty "resource_sharing.enabled", System.getProperty("resource_sharing.enabled")
+
     // Only tenant aware test if set
     if (System.getProperty("tests.rest.tenantaware") == "true") {
         filter {
@@ -510,6 +514,10 @@ testClusters.integTest {
                 '".plugins-flow-framework-state"' +
                 ']'
         )
+        if (System.getProperty("resource_sharing.enabled") == "true") {
+            setting("plugins.security.experimental.resource_sharing.enabled", "true")
+            setting("plugins.security.experimental.resource_sharing.protected_types", "[\"workflow\", \"workflow_state\"]")
+        }
         setSecure(true)
     }
 
@@ -542,7 +550,13 @@ testClusters.integTest {
     if (System.getProperty("opensearch.debug") != null) {
         def debugPort = 5005
         nodes.forEach { node ->
-            node.jvmArgs("-agentlib:jdwp=transport=dt_socket,server=n,suspend=y,address=*:${debugPort}")
+            // server=n,suspend=y -> node tries to connect to a debugger and hence test runs fails with
+            //            Exec output and error:
+            //            | Output for ./bin/opensearch-plugin:ERROR: transport error 202: connect failed: Connection refused
+            //            | ERROR: JDWP Transport dt_socket failed to initialize, TRANSPORT_INIT(510)
+            //                    | JDWP exit error AGENT_ERROR_TRANSPORT_INIT(197): No transports initialized [src/jdk.jdwp.agent/share/native/libjdwp/debugInit.c:700].
+            // So instead, we listen to a debugger by saying server=y and suspend=n
+            node.jvmArgs("-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:${debugPort}")
             debugPort += 1
         }
     }

src/test/java/org/opensearch/flowframework/FlowFrameworkRestTestCase.java

@@ -9,7 +9,6 @@
 package org.opensearch.flowframework;
 
 import com.google.gson.JsonArray;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.hc.client5.http.auth.AuthScope;
 import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
 import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
@@ -26,6 +25,7 @@
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.Timeout;
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.ingest.GetPipelineResponse;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.client.Request;
@@ -37,11 +37,14 @@
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
+import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.DeprecationHandler;
 import org.opensearch.core.xcontent.MediaType;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.flowframework.common.CommonValue;
 import org.opensearch.flowframework.model.ProvisioningProgress;
@@ -51,20 +54,26 @@
 import org.opensearch.flowframework.model.WorkflowState;
 import org.opensearch.flowframework.util.ParseUtils;
 import org.opensearch.ml.repackage.com.google.common.collect.ImmutableList;
+import org.opensearch.security.spi.resources.sharing.Recipients;
 import org.opensearch.test.rest.OpenSearchRestTestCase;
 import org.junit.After;
 import org.junit.Before;
 
 import java.io.IOException;
+import java.security.SecureRandom;
+import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 
+import org.awaitility.Awaitility;
+
 import static org.opensearch.core.xcontent.XContentParserUtils.ensureExpectedToken;
 import static org.opensearch.flowframework.common.CommonValue.WORKFLOW_URI;
 
@@ -73,6 +82,8 @@
  */
 public abstract class FlowFrameworkRestTestCase extends OpenSearchRestTestCase {
 
+    public static final String SHARE_WORKFLOW_URI = "/_plugins/_security/api/resource/share";
+
     @Before
     protected void setUpSettings() throws Exception {
 
@@ -296,11 +307,42 @@ protected boolean preserveClusterSettings() {
     }
 
     /**
-     * Create an unique password. Simple password are weak due to https://tinyurl.com/383em9zk
+     * Create an unguessable password. Simple password are weak due to https://tinyurl.com/383em9zk
      * @return a random password.
      */
     public static String generatePassword(String username) {
-        return RandomStringUtils.random(15, true, true);
+        String upperCase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        String lowerCase = "abcdefghijklmnopqrstuvwxyz";
+        String digits = "0123456789";
+        String special = "_";
+        String characters = upperCase + lowerCase + digits + special;
+
+        SecureRandom rng = new SecureRandom();
+
+        // Ensure password includes at least one character from each set
+        char[] password = new char[15];
+        password[0] = upperCase.charAt(rng.nextInt(upperCase.length()));
+        password[1] = lowerCase.charAt(rng.nextInt(lowerCase.length()));
+        password[2] = digits.charAt(rng.nextInt(digits.length()));
+        password[3] = special.charAt(rng.nextInt(special.length()));
+
+        for (int i = 4; i < 15; i++) {
+            char nextChar;
+            do {
+                nextChar = characters.charAt(rng.nextInt(characters.length()));
+            } while (username.indexOf(nextChar) > -1);
+            password[i] = nextChar;
+        }
+
+        // Shuffle the array to ensure the first 4 characters are not always in the same position
+        for (int i = password.length - 1; i > 0; i--) {
+            int index = rng.nextInt(i + 1);
+            char temp = password[index];
+            password[index] = password[i];
+            password[i] = temp;
+        }
+
+        return new String(password);
     }
 
     /**
@@ -485,7 +527,7 @@ protected Response createWorkflowValidation(RestClient client, Template template
      * Helper method to invoke the Reprovision Workflow API
      * @param client the rest client
      * @param workflowId the document id
-     * @param templateFields the template to reprovision
+     * @param template the template to reprovision
      * @throws Exception if the request fails
      * @return a rest response
      */
@@ -985,4 +1027,159 @@ protected List<String> catPlugins() throws IOException {
         ).list();
         return pluginsList.stream().map(o -> ((Map<String, Object>) o).get("component").toString()).collect(Collectors.toList());
     }
+
+    protected boolean isResourceSharingFeatureEnabled() {
+        return Optional.ofNullable(System.getProperty("resource_sharing.enabled")).map("true"::equalsIgnoreCase).orElse(false);
+    }
+
+    public static Response shareConfig(RestClient client, Map<String, String> params, String payload) throws IOException {
+        return TestHelpers.makeRequest(client, "PUT", SHARE_WORKFLOW_URI, params, payload, null);
+    }
+
+    public static Response patchSharingInfo(RestClient client, Map<String, String> params, String payload) throws IOException {
+        return TestHelpers.makeRequest(client, "PATCH", SHARE_WORKFLOW_URI, params, payload, null);
+    }
+
+    public static String shareWithUserPayload(String resourceId, String resourceIndex, String accessLevel, String user) {
+        return String.format(Locale.ROOT, """
+            {
+              "resource_id": "%s",
+              "resource_type": "%s",
+              "share_with": {
+                "%s" : {
+                    "users": ["%s"]
+                }
+              }
+            }
+            """, resourceId, resourceIndex, accessLevel, user);
+    }
+
+    public static class PatchSharingInfoPayloadBuilder {
+        private String configId;
+        private String configType;
+        private final Map<String, Recipients> share = new HashMap<>();
+        private final Map<String, Recipients> revoke = new HashMap<>();
+
+        public PatchSharingInfoPayloadBuilder configId(String resourceId) {
+            this.configId = resourceId;
+            return this;
+        }
+
+        public PatchSharingInfoPayloadBuilder configType(String resourceType) {
+            this.configType = resourceType;
+            return this;
+        }
+
+        public void share(Recipients recipients, String accessLevel) {
+            Recipients existing = share.getOrDefault(accessLevel, new Recipients(new HashMap<>()));
+            existing.share(recipients);
+            share.put(accessLevel, existing);
+        }
+
+        public void revoke(Recipients recipients, String accessLevel) {
+            Recipients existing = revoke.getOrDefault(accessLevel, new Recipients(new HashMap<>()));
+            // intentionally share() is called here since we are building a shareWith object, this final object will be used to remove
+            // access
+            // think of it as currentShareWith.removeAll(revokeShareWith)
+            existing.share(recipients);
+            revoke.put(accessLevel, existing);
+        }
+
+        private String buildJsonString(Map<String, Recipients> input) {
+
+            List<String> output = new ArrayList<>();
+            for (Map.Entry<String, Recipients> entry : input.entrySet()) {
+                try {
+                    XContentBuilder builder = XContentFactory.jsonBuilder();
+                    entry.getValue().toXContent(builder, ToXContent.EMPTY_PARAMS);
+                    String recipJson = builder.toString();
+                    output.add(String.format(Locale.ROOT, "\"%s\" : %s", entry.getKey(), recipJson));
+                } catch (IOException e) {
+                    throw new RuntimeException(e);
+                }
+
+            }
+
+            return String.join(",", output);
+
+        }
+
+        public String build() {
+            String allShares = buildJsonString(share);
+            String allRevokes = buildJsonString(revoke);
+            return String.format(Locale.ROOT, """
+                {
+                  "resource_id": "%s",
+                  "resource_type": "%s",
+                  "add": {
+                    %s
+                  },
+                  "revoke": {
+                    %s
+                  }
+                }
+                """, configId, configType, allShares, allRevokes);
+        }
+    }
+
+    public static boolean isForbidden(Exception e) {
+        if (e instanceof OpenSearchStatusException) {
+            return ((OpenSearchStatusException) e).status() == RestStatus.FORBIDDEN;
+        }
+        if (e instanceof ResponseException) {
+            return ((ResponseException) e).getResponse().getStatusLine().getStatusCode() == 403;
+        }
+        return false;
+    }
+
+    private static final Duration RS_WAIT_TIMEOUT = Duration.ofSeconds(30);
+    private static final Duration RS_POLL_INTERVAL = Duration.ofMillis(200);
+
+    // Core waiter: visible when the callable returns 200 OK; 403 means "not yet", anything else fails fast.
+    private void waitUntilVisible(java.util.concurrent.Callable<Response> op) {
+        Awaitility.await().atMost(RS_WAIT_TIMEOUT).pollInterval(RS_POLL_INTERVAL).until(() -> {
+            try {
+                Response r = op.call();
+                return TestHelpers.restStatus(r) == RestStatus.OK;
+            } catch (Exception e) {
+                if (isForbidden(e)) {
+                    // eventual consistency: not visible yet
+                    return false;
+                }
+                // unexpected error: fail fast
+                throw e;
+            }
+        });
+    }
+
+    // Core waiter: non-visible when the callable throws 403; 200 means "still visible", anything else fails fast.
+    private void waitUntilForbidden(java.util.concurrent.Callable<Response> op) {
+        Awaitility.await().atMost(RS_WAIT_TIMEOUT).pollInterval(RS_POLL_INTERVAL).until(() -> {
+            try {
+                op.call(); // 200 => still visible
+                return false;
+            } catch (Exception e) {
+                if (isForbidden(e)) {
+                    return true; // forbidden now
+                }
+                throw e; // unexpected error: fail fast
+            }
+        });
+    }
+
+    protected void waitForWorkflowSharingVisibility(String workflowId, RestClient client) {
+        waitUntilVisible(() -> getWorkflow(client, workflowId));
+    }
+
+    protected void waitForWorkflowRevokeNonVisibility(String workflowId, RestClient client) {
+        waitUntilForbidden(() -> getWorkflow(client, workflowId));
+    }
+
+    protected void waitForWorkflowStateSharingVisibility(String workflowId, RestClient client) {
+        waitUntilVisible(() -> getWorkflowStatus(client, workflowId, false));
+    }
+
+    protected void waitForWorkflowStateRevokeNonVisibility(String workflowId, RestClient client) {
+        waitUntilForbidden(() -> getWorkflowStatus(client, workflowId, false));
+    }
 }