Skip to content

Commit 7172bf4

Browse files
updated Sensitive with SecureSetting
Signed-off-by: Rishav9852Kumar <rishavkumaraug20005212@gmail.com>
1 parent a37fd52 commit 7172bf4

3 files changed

Lines changed: 21 additions & 20 deletions

File tree

src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@
4646
import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
4747
import org.opensearch.cluster.service.ClusterService;
4848
import org.opensearch.common.collect.Tuple;
49+
import org.opensearch.common.settings.SecureSetting;
4950
import org.opensearch.common.settings.Settings;
5051
import org.opensearch.common.xcontent.XContentHelper;
5152
import org.opensearch.common.xcontent.XContentType;
@@ -446,18 +447,18 @@ private List<Map<String, Object>> buildSettingsChanges(Settings newSettings, Set
446447
for (String key : newSettings.keySet()) {
447448
final String newValue = newSettings.get(key);
448449
final String oldValue = currentSettings.get(key);
449-
final boolean isSensitive = isSensitiveSetting(key);
450+
final boolean isSecure = isSecureSetting(key);
450451

451452
final Map<String, Object> change = new HashMap<>();
452453
change.put("setting", key);
453-
change.put("old_value", isSensitive && oldValue != null ? "***REDACTED***" : oldValue);
454+
change.put("old_value", isSecure && oldValue != null ? "***REDACTED***" : oldValue);
454455
change.put("scope", scope);
455456

456457
if (newValue == null) {
457458
change.put("new_value", null);
458459
change.put("operation", "removed");
459460
} else {
460-
change.put("new_value", isSensitive ? "***REDACTED***" : newValue);
461+
change.put("new_value", isSecure ? "***REDACTED***" : newValue);
461462
change.put("operation", "set");
462463
}
463464

@@ -468,18 +469,18 @@ private List<Map<String, Object>> buildSettingsChanges(Settings newSettings, Set
468469

469470
/**
470471
* Checks if a setting should have its value redacted in audit logs.
471-
* Uses ClusterSettings.isSensitiveSetting() to detect SecureSetting instances (e.g., keystore passwords,
472-
* TLS keys). Falls back to pattern matching for plugin-specific settings
473-
* that may not be registered in the cluster settings registry.
472+
* Returns true for settings registered as SecureSetting (secrets stored
473+
* in the keystore), or settings whose key contains common secret indicators
474+
* (password, secret, token).
474475
*/
475-
private boolean isSensitiveSetting(String key) {
476+
private boolean isSecureSetting(final String key) {
476477
try {
477-
// Looks up the Setting object by key and checks setting.isSensitive(),
478-
// which returns true for SecureSetting instances — the proper way to identify secrets
479-
if (clusterService.getClusterSettings().isSensitiveSetting(key)) {
478+
// Looks up the Setting object by key and checks if it is an instance of SecureSetting
479+
// i.e. secrets stored in the opensearch-keystore that must be redacted
480+
if (clusterService.getClusterSettings().get(key) instanceof SecureSetting) {
480481
return true;
481482
}
482-
} catch (Exception e) {
483+
} catch (final Exception e) {
483484
// Setting not registered in cluster settings — fall through to pattern match
484485
}
485486
// Pattern fallback for settings not registered as SecureSetting (e.g., plugin SSL settings)

src/test/java/org/opensearch/security/auditlog/impl/SettingsChangeAuditTest.java

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -295,10 +295,10 @@ public void testEmptyClusterSettingsProducesNoMessage() throws Exception {
295295
assertThat(result, not(containsString("CLUSTER_SETTINGS_CHANGED")));
296296
}
297297

298-
// --- Sensitive setting redaction tests ---
298+
// --- Secure setting redaction tests ---
299299

300300
@Test
301-
public void testSensitiveSettingRedactionByPasswordPattern() throws Exception {
301+
public void testSecureSettingRedactionByPasswordPattern() throws Exception {
302302
final AbstractAuditLog auditLog = createAuditLog();
303303

304304
final ClusterUpdateSettingsRequest request = new ClusterUpdateSettingsRequest();
@@ -313,7 +313,7 @@ public void testSensitiveSettingRedactionByPasswordPattern() throws Exception {
313313
}
314314

315315
@Test
316-
public void testSensitiveSettingRedactionBySecretPattern() throws Exception {
316+
public void testSecureSettingRedactionBySecretPattern() throws Exception {
317317
final AbstractAuditLog auditLog = createAuditLog();
318318

319319
final ClusterUpdateSettingsRequest request = new ClusterUpdateSettingsRequest();
@@ -328,7 +328,7 @@ public void testSensitiveSettingRedactionBySecretPattern() throws Exception {
328328
}
329329

330330
@Test
331-
public void testSensitiveSettingRedactionByTokenPattern() throws Exception {
331+
public void testSecureSettingRedactionByTokenPattern() throws Exception {
332332
final AbstractAuditLog auditLog = createAuditLog();
333333

334334
final ClusterUpdateSettingsRequest request = new ClusterUpdateSettingsRequest();
@@ -343,7 +343,7 @@ public void testSensitiveSettingRedactionByTokenPattern() throws Exception {
343343
}
344344

345345
@Test
346-
public void testNonSensitiveSettingNotRedacted() throws Exception {
346+
public void testNonSecureSettingNotRedacted() throws Exception {
347347
final AbstractAuditLog auditLog = createAuditLog();
348348

349349
final ClusterUpdateSettingsRequest request = new ClusterUpdateSettingsRequest();
@@ -358,7 +358,7 @@ public void testNonSensitiveSettingNotRedacted() throws Exception {
358358
}
359359

360360
@Test
361-
public void testSensitiveOldValueAlsoRedacted() throws Exception {
361+
public void testSecureOldValueAlsoRedacted() throws Exception {
362362
// Mock current state with a sensitive setting already set
363363
final Metadata metadata = mock(Metadata.class);
364364
when(metadata.persistentSettings()).thenReturn(
@@ -508,12 +508,12 @@ public void testMultipleSettingsInOneClusterRequest() throws Exception {
508508
// --- ClusterSettings registry redaction test ---
509509

510510
/**
511-
* Verifies that isSensitiveSetting() pattern fallback works even when ClusterSettings
511+
* Verifies that isSecureSetting() pattern fallback works even when ClusterSettings
512512
* registry is available but returns false (setting registered but not as SecureSetting).
513513
* The registry path returning true is covered by integration tests with a real cluster.
514514
*/
515515
@Test
516-
public void testSensitiveSettingRedactionWhenRegistryReturnsFalse() throws Exception {
516+
public void testSecureSettingRedactionWhenRegistryReturnsFalse() throws Exception {
517517
// When getClusterSettings() is not mocked, it returns null → exception caught → pattern fallback runs.
518518
// This test verifies the pattern fallback catches "password" in the key name regardless.
519519
final AbstractAuditLog auditLog = createAuditLog();

src/test/java/org/opensearch/security/auditlog/integration/SettingsChangeAuditIntegrationTest.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ public void testSettingsChangeAudit() throws Exception {
121121
Assert.assertTrue(auditlogs.contains("test-wild-002"));
122122
validateMsgs(TestAuditlogImpl.messages);
123123

124-
// test sensitive setting redaction
124+
// test secure setting redaction
125125
TestAuditlogImpl.clear();
126126
rh.executePutRequest(
127127
"_cluster/settings",

0 commit comments

Comments
 (0)