Merge remote-tracking branch 'upstream/main' into file-tail-source-6782

Author: srikanthpadakanti

.github/workflows/opensearch-sink-opensearch-integration-tests.yml

@@ -146,14 +146,22 @@ jobs:
         run: |
           docker cp ca-cert.pem opensearch-mtls:/usr/share/opensearch/config/
           docker exec opensearch-mtls bash -c "
-            if grep -q 'clientauth_mode' /usr/share/opensearch/config/opensearch.yml; then
-              sed -i 's/clientauth_mode:.*/clientauth_mode: REQUIRE/' /usr/share/opensearch/config/opensearch.yml
+            CONFIG=/usr/share/opensearch/config/opensearch.yml
+            if grep -q 'plugins.security' \$CONFIG; then
+              PREFIX=plugins.security
             else
-              echo 'plugins.security.ssl.http.clientauth_mode: REQUIRE' >> /usr/share/opensearch/config/opensearch.yml
+              PREFIX=opendistro_security
+            fi
+            if grep -q 'ssl.http.clientauth_mode' \$CONFIG; then
+              sed -i 's/ssl.http.clientauth_mode:.*/ssl.http.clientauth_mode: REQUIRE/' \$CONFIG
+            else
+              echo \"\${PREFIX}.ssl.http.clientauth_mode: REQUIRE\" >> \$CONFIG
+            fi
+            if grep -q 'ssl.http.pemtrustedcas_filepath' \$CONFIG; then
+              sed -i \"s|ssl.http.pemtrustedcas_filepath:.*|ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/ca-cert.pem|\" \$CONFIG
+            else
+              echo \"\${PREFIX}.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/ca-cert.pem\" >> \$CONFIG
             fi
-          "
-          docker exec opensearch-mtls bash -c "
-            sed -i '/http.*pemtrustedcas_filepath/s|:.*|: ca-cert.pem|' /usr/share/opensearch/config/opensearch.yml
           "
           docker restart opensearch-mtls
 

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/peerforwarder/exception/NoPeerForwarderTargetException.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.dataprepper.core.peerforwarder.exception;
+
+/**
+ * This exception is thrown when the peer forwarder receives a request
+ * with a destination pipeline or plugin that is not registered.
+ */
+public class NoPeerForwarderTargetException extends RuntimeException {
+
+    public NoPeerForwarderTargetException(final String errorMessage) {
+        super(errorMessage);
+    }
+}

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/peerforwarder/server/PeerForwarderHttpService.java

@@ -20,6 +20,7 @@
 import org.opensearch.dataprepper.core.peerforwarder.PeerForwarderProvider;
 import org.opensearch.dataprepper.core.peerforwarder.PeerForwarderReceiveBuffer;
 import org.opensearch.dataprepper.core.peerforwarder.codec.PeerForwarderCodec;
+import org.opensearch.dataprepper.core.peerforwarder.exception.NoPeerForwarderTargetException;
 import org.opensearch.dataprepper.core.peerforwarder.model.PeerForwardingEvents;
 import org.opensearch.dataprepper.metrics.PluginMetrics;
 import org.opensearch.dataprepper.model.acknowledgements.AcknowledgementSetManager;
@@ -126,7 +127,21 @@ private PeerForwarderReceiveBuffer<Record<Event>> getPeerForwarderBuffer(final S
         final Map<String, Map<String, PeerForwarderReceiveBuffer<Record<Event>>>> pipelinePeerForwarderReceiveBufferMap =
                 peerForwarderProvider.getPipelinePeerForwarderReceiveBufferMap();
 
-        return pipelinePeerForwarderReceiveBufferMap
-                .get(destinationPipelineName).get(destinationPluginId);
+        final Map<String, PeerForwarderReceiveBuffer<Record<Event>>> pluginBufferMap =
+                pipelinePeerForwarderReceiveBufferMap.get(destinationPipelineName);
+        if (pluginBufferMap == null) {
+            throw new NoPeerForwarderTargetException(
+                    "Unable to find a peer-forwarder target with destinationPluginId='" + destinationPluginId +
+                            "' and destinationPipelineName='" + destinationPipelineName + "'");
+        }
+
+        final PeerForwarderReceiveBuffer<Record<Event>> buffer = pluginBufferMap.get(destinationPluginId);
+        if (buffer == null) {
+            throw new NoPeerForwarderTargetException(
+                    "Unable to find a peer-forwarder target with destinationPluginId='" + destinationPluginId +
+                            "' and destinationPipelineName='" + destinationPipelineName + "'");
+        }
+
+        return buffer;
     }
 }

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/peerforwarder/server/ResponseHandler.java

@@ -13,6 +13,7 @@
 import com.linecorp.armeria.common.HttpStatus;
 import com.linecorp.armeria.common.MediaType;
 import io.micrometer.core.instrument.Counter;
+import org.opensearch.dataprepper.core.peerforwarder.exception.NoPeerForwarderTargetException;
 import org.opensearch.dataprepper.metrics.PluginMetrics;
 import org.opensearch.dataprepper.model.buffer.SizeOverflowException;
 
@@ -55,6 +56,11 @@ public HttpResponse handleException(final Exception e, final String message) {
             return HttpResponse.of(HttpStatus.REQUEST_TIMEOUT, MediaType.ANY_TYPE, message);
         }
 
+        if (e instanceof NoPeerForwarderTargetException) {
+            badRequestsCounter.increment();
+            return HttpResponse.of(HttpStatus.BAD_REQUEST, MediaType.ANY_TYPE, e.getMessage());
+        }
+
         if (e instanceof NullPointerException) {
             requestsUnprocessableCounter.increment();
             return HttpResponse.of(HttpStatus.UNPROCESSABLE_ENTITY, MediaType.ANY_TYPE, message);

data-prepper-core/src/test/java/org/opensearch/dataprepper/core/peerforwarder/PeerForwarder_ClientServerIT.java

@@ -11,9 +11,15 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.linecorp.armeria.client.UnprocessedRequestException;
+import com.linecorp.armeria.client.WebClient;
 import com.linecorp.armeria.common.AggregatedHttpResponse;
 import com.linecorp.armeria.common.ClosedSessionException;
+import com.linecorp.armeria.common.HttpData;
+import com.linecorp.armeria.common.HttpMethod;
+import com.linecorp.armeria.common.HttpRequest;
 import com.linecorp.armeria.common.HttpStatus;
+import com.linecorp.armeria.common.MediaType;
+import com.linecorp.armeria.common.RequestHeaders;
 import com.linecorp.armeria.server.Server;
 import io.netty.handler.ssl.NotSslRecordException;
 import org.junit.jupiter.api.AfterEach;
@@ -27,6 +33,7 @@
 import org.opensearch.dataprepper.core.peerforwarder.codec.JavaPeerForwarderCodec;
 import org.opensearch.dataprepper.core.peerforwarder.codec.PeerForwarderCodec;
 import org.opensearch.dataprepper.core.peerforwarder.codec.PeerForwarderCodecAppConfig;
+import org.opensearch.dataprepper.core.peerforwarder.model.PeerForwardingEvents;
 import org.opensearch.dataprepper.core.peerforwarder.discovery.DiscoveryMode;
 import org.opensearch.dataprepper.core.peerforwarder.server.PeerForwarderHttpServerProvider;
 import org.opensearch.dataprepper.core.peerforwarder.server.PeerForwarderHttpService;
@@ -340,6 +347,65 @@ void send_Events_to_server_when_expecting_SSL_should_throw(final boolean binaryC
             assertThat(receivedRecords, notNullValue());
             assertThat(receivedRecords, is(empty()));
         }
+
+        @ParameterizedTest
+        @ValueSource(booleans = {true, false})
+        void send_invalid_content_type_with_valid_body_returns_ok(final boolean binaryCodec) throws Exception {
+            setUpServer(binaryCodec);
+            final PeerForwarderCodec codec = applicationContext.getBean(PeerForwarderCodec.class);
+            final List<Event> eventList = outgoingRecords.stream().map(Record::getData).collect(Collectors.toList());
+            final PeerForwardingEvents peerForwardingEvents = new PeerForwardingEvents(eventList, pluginId, pipelineName);
+            final byte[] serializedBody = codec.serialize(peerForwardingEvents);
+
+            final WebClient client = WebClient.of("http://" + LOCALHOST + ":4994");
+
+            final AggregatedHttpResponse response = client.execute(
+                    HttpRequest.of(
+                            RequestHeaders.builder()
+                                    .method(HttpMethod.POST)
+                                    .path(PeerForwarderConfiguration.DEFAULT_PEER_FORWARDING_URI)
+                                    .contentType(MediaType.parse("application/x-www-form-urlencoded"))
+                                    .build(),
+                            HttpData.wrap(serializedBody)
+                    )
+            ).aggregate().join();
+
+            assertThat(response.status(), equalTo(HttpStatus.OK));
+        }
+
+        @ParameterizedTest
+        @ValueSource(booleans = {true, false})
+        void send_malformed_body_returns_bad_request(final boolean binaryCodec) {
+            setUpServer(binaryCodec);
+            final String body = "this is not valid json or yaml";
+
+            final WebClient client = WebClient.of("http://" + LOCALHOST + ":4994");
+
+            final AggregatedHttpResponse response = client.execute(
+                    HttpRequest.of(
+                            RequestHeaders.builder()
+                                    .method(HttpMethod.POST)
+                                    .path(PeerForwarderConfiguration.DEFAULT_PEER_FORWARDING_URI)
+                                    .build(),
+                            HttpData.ofUtf8(body)
+                    )
+            ).aggregate().join();
+
+            assertThat(response.status(), equalTo(HttpStatus.BAD_REQUEST));
+        }
+
+        @ParameterizedTest
+        @ValueSource(booleans = {true, false})
+        void send_Events_to_unknown_destination_returns_bad_request(final boolean binaryCodec) throws ExecutionException, InterruptedException {
+            setUpServer(binaryCodec);
+            final PeerForwarderClient client = createClient(peerForwarderConfiguration);
+
+            final CompletableFuture<AggregatedHttpResponse> httpResponseFuture =
+                    client.serializeRecordsAndSendHttpRequest(outgoingRecords, LOCALHOST, UUID.randomUUID().toString(), UUID.randomUUID().toString());
+            final AggregatedHttpResponse httpResponse = httpResponseFuture.get();
+
+            assertThat(httpResponse.status(), equalTo(HttpStatus.BAD_REQUEST));
+        }
     }
 
     @Nested

data-prepper-core/src/test/java/org/opensearch/dataprepper/core/peerforwarder/server/PeerForwarderHttpServiceTest.java

@@ -29,6 +29,7 @@
 import org.opensearch.dataprepper.core.peerforwarder.PeerForwarderProvider;
 import org.opensearch.dataprepper.core.peerforwarder.PeerForwarderReceiveBuffer;
 import org.opensearch.dataprepper.core.peerforwarder.codec.PeerForwarderCodec;
+import org.opensearch.dataprepper.core.peerforwarder.exception.NoPeerForwarderTargetException;
 import org.opensearch.dataprepper.core.peerforwarder.model.PeerForwardingEvents;
 import org.opensearch.dataprepper.metrics.PluginMetrics;
 import org.opensearch.dataprepper.model.acknowledgements.AcknowledgementSetManager;
@@ -167,6 +168,35 @@ void test_doPost_with_HTTP_request_size_greater_than_buffer_size_should_return_R
         assertThat(aggregatedHttpResponse.status(), equalTo(HttpStatus.REQUEST_ENTITY_TOO_LARGE));
     }
 
+    @Test
+    void test_doPost_with_unknown_pipeline_should_return_BAD_REQUEST() throws Exception {
+        lenient().when(peerForwardingEvents.getDestinationPipelineName()).thenReturn("unknown_pipeline");
+        when(responseHandler.handleException(any(NoPeerForwarderTargetException.class), anyString())).thenReturn(HttpResponse.of(HttpStatus.BAD_REQUEST));
+        final HashMap<String, Map<String, PeerForwarderReceiveBuffer<Record<Event>>>> pipelinePeerForwarderReceiveBufferMap = new HashMap<>();
+        when(peerForwarderProvider.getPipelinePeerForwarderReceiveBufferMap()).thenReturn(pipelinePeerForwarderReceiveBufferMap);
+
+        final PeerForwarderHttpService objectUnderTest = createObjectUnderTest();
+
+        final AggregatedHttpResponse aggregatedHttpResponse = objectUnderTest.doPost(aggregatedHttpRequest).aggregate().get();
+
+        assertThat(aggregatedHttpResponse.status(), equalTo(HttpStatus.BAD_REQUEST));
+    }
+
+    @Test
+    void test_doPost_with_unknown_plugin_should_return_BAD_REQUEST() throws Exception {
+        lenient().when(peerForwardingEvents.getDestinationPluginId()).thenReturn("unknown_plugin");
+        when(responseHandler.handleException(any(NoPeerForwarderTargetException.class), anyString())).thenReturn(HttpResponse.of(HttpStatus.BAD_REQUEST));
+        final HashMap<String, Map<String, PeerForwarderReceiveBuffer<Record<Event>>>> pipelinePeerForwarderReceiveBufferMap = new HashMap<>();
+        pipelinePeerForwarderReceiveBufferMap.put(PIPELINE_NAME, new HashMap<>());
+        when(peerForwarderProvider.getPipelinePeerForwarderReceiveBufferMap()).thenReturn(pipelinePeerForwarderReceiveBufferMap);
+
+        final PeerForwarderHttpService objectUnderTest = createObjectUnderTest();
+
+        final AggregatedHttpResponse aggregatedHttpResponse = objectUnderTest.doPost(aggregatedHttpRequest).aggregate().get();
+
+        assertThat(aggregatedHttpResponse.status(), equalTo(HttpStatus.BAD_REQUEST));
+    }
+
     private List<Event> generateEvents(final int numEvents) {
         final List<Event> events = new ArrayList<>();
         for (int i = 0; i < numEvents; i++) {

data-prepper-core/src/test/java/org/opensearch/dataprepper/core/peerforwarder/server/ResponseHandlerTest.java

@@ -20,6 +20,7 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.opensearch.dataprepper.core.peerforwarder.exception.NoPeerForwarderTargetException;
 import org.opensearch.dataprepper.metrics.PluginMetrics;
 import org.opensearch.dataprepper.model.buffer.SizeOverflowException;
 
@@ -134,6 +135,23 @@ void test_UnknownException() throws ExecutionException, InterruptedException {
         verify(badRequestsCounter).increment();
     }
 
+    @Test
+    void test_NoPeerForwarderTargetException() throws ExecutionException, InterruptedException {
+        final ResponseHandler objectUnderTest = createObjectUnderTest();
+        final String exceptionMessage = "Unable to find a peer-forwarder target with destinationPluginId='myPlugin' and destinationPipelineName='myPipeline'";
+        final NoPeerForwarderTargetException noPeerForwarderTargetException = new NoPeerForwarderTargetException(exceptionMessage);
+
+        final String testMessage = "test exception message";
+
+        final HttpResponse httpResponse = objectUnderTest.handleException(noPeerForwarderTargetException, testMessage);
+        final AggregatedHttpResponse aggregatedHttpResponse = httpResponse.aggregate().get();
+
+        assertEquals(HttpStatus.BAD_REQUEST, aggregatedHttpResponse.status());
+        assertEquals(exceptionMessage, aggregatedHttpResponse.contentUtf8());
+
+        verify(badRequestsCounter).increment();
+    }
+
     @Test
     void test_NullPointerException() throws ExecutionException, InterruptedException {
         final ResponseHandler objectUnderTest = createObjectUnderTest();

data-prepper-plugins/opensearch/src/integrationTest/java/org/opensearch/dataprepper/plugins/sink/opensearch/OpenSearchClientCertIT.java

@@ -12,6 +12,12 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.util.EntityUtils;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -20,6 +26,7 @@
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
+import org.opensearch.client.RestClientBuilder;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.dataprepper.aws.api.AwsCredentialsSupplier;
 import org.opensearch.dataprepper.expression.ExpressionEvaluator;
@@ -35,8 +42,20 @@
 import org.opensearch.dataprepper.plugins.sink.opensearch.configuration.OpenSearchSinkConfig;
 import org.opensearch.dataprepper.plugins.sink.opensearch.index.IndexConfiguration;
 
+import javax.net.ssl.SSLContext;
 import javax.ws.rs.HttpMethod;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -51,7 +70,6 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchIntegrationHelper.createContentParser;
-import static org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchIntegrationHelper.createOpenSearchClient;
 import static org.opensearch.dataprepper.plugins.sink.opensearch.OpenSearchIntegrationHelper.getHosts;
 
 @EnabledIfSystemProperty(named = "tests.mtls.client.cert", matches = ".+")
@@ -73,7 +91,7 @@ class OpenSearchClientCertIT {
     private OpenSearchSink sink;
 
     @BeforeEach
-    void setUp() throws IOException {
+    void setUp() throws Exception {
         MetricsTestUtil.initMetrics();
 
         objectMapper = new ObjectMapper();
@@ -88,7 +106,7 @@ void setUp() throws IOException {
         when(pluginSetting.getPipelineName()).thenReturn(PIPELINE_NAME);
         when(pluginSetting.getName()).thenReturn(PLUGIN_NAME);
 
-        client = createOpenSearchClient();
+        client = createClientWithClientCert();
     }
 
     @AfterEach
@@ -178,4 +196,51 @@ private void deleteIndex(final String index) throws IOException {
         final Request request = new Request(HttpMethod.DELETE, index);
         client.performRequest(request);
     }
+
+    private RestClient createClientWithClientCert() throws Exception {
+        final String certPath = System.getProperty("tests.mtls.client.cert");
+        final String keyPath = System.getProperty("tests.mtls.client.key");
+        final String userName = System.getProperty("tests.opensearch.user", "admin");
+        final String password = System.getProperty("tests.opensearch.password", "admin");
+
+        final CertificateFactory factory = CertificateFactory.getInstance("X.509");
+        final Collection<? extends Certificate> certs;
+        try (InputStream is = Files.newInputStream(Paths.get(certPath))) {
+            certs = factory.generateCertificates(is);
+        }
+
+        final String keyPem = new String(Files.readAllBytes(Paths.get(keyPath)));
+        final String keyBase64 = keyPem
+                .replace("-----BEGIN PRIVATE KEY-----", "")
+                .replace("-----END PRIVATE KEY-----", "")
+                .replaceAll("\\s", "");
+        final byte[] keyBytes = Base64.getDecoder().decode(keyBase64);
+        final PrivateKey privateKey = KeyFactory.getInstance("RSA")
+                .generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
+
+        final KeyStore keyStore = KeyStore.getInstance("PKCS12");
+        keyStore.load(null, null);
+        keyStore.setKeyEntry("client", privateKey, "".toCharArray(), certs.toArray(new Certificate[0]));
+
+        final SSLContext sslContext = SSLContextBuilder.create()
+                .loadTrustMaterial(null, (chains, authType) -> true)
+                .loadKeyMaterial(keyStore, "".toCharArray())
+                .build();
+
+        final BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
+        credentialsProvider.setCredentials(AuthScope.ANY,
+                new UsernamePasswordCredentials(userName, password));
+
+        final List<String> hosts = getHosts();
+        final HttpHost[] httpHosts = hosts.stream()
+                .map(HttpHost::create)
+                .toArray(HttpHost[]::new);
+
+        final RestClientBuilder builder = RestClient.builder(httpHosts);
+        builder.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
+                .setDefaultCredentialsProvider(credentialsProvider)
+                .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
+                .setSSLContext(sslContext));
+        return builder.build();
+    }
 }