Adding security policy for json and http.

o19s · Jun 3, 2024 · d340557 · d340557
1 parent 8f139fa
commit d340557
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 61 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,4 +2,4 @@ FROM opensearchproject/opensearch:2.14.0
 
 COPY ./build/distributions/opensearch-ubi-0.0.12.1-os2.14.0.zip /tmp/
 
-RUN /usr/share/opensearch/bin/opensearch-plugin install file:/tmp/opensearch-ubi-0.0.12.1-os2.14.0.zip
+RUN /usr/share/opensearch/bin/opensearch-plugin install --batch file:/tmp/opensearch-ubi-0.0.12.1-os2.14.0.zip
diff --git a/src/main/java/org/opensearch/ubi/QueryRequest.java b/src/main/java/org/opensearch/ubi/QueryRequest.java
@@ -8,6 +8,11 @@
 
 package org.opensearch.ubi;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Map;
 
 /**
@@ -34,46 +39,31 @@ public class QueryRequest {
      */
     public QueryRequest(final String queryId, final String userQuery, final String clientId, final String query,
                         final Map<String, String> queryAttributes, final QueryResponse queryResponse) {
+
         this.timestamp = System.currentTimeMillis();
         this.queryId = queryId;
         this.clientId = clientId;
         this.userQuery = userQuery;
         this.query = query;
         this.queryAttributes = queryAttributes;
         this.queryResponse = queryResponse;
+
     }
 
     @Override
     public String toString() {
 
-        final StringBuilder sb = new StringBuilder();
-
-        // Query Request
-        sb.append("{");
-        sb.append("\"query_id\": \"").append(queryId).append("\", ");
-        sb.append("\"user_query\": \"").append(userQuery).append("\", ");
-        sb.append("\"user_id\": \"").append(clientId).append("\", ");
-
-        sb.append("query_attributes: {");
-        for(final String key : queryAttributes.keySet()) {
-            sb.append("\"").append(key).append("\": ").append("\"").append(queryAttributes.get(key)).append("\", ");
-        }
-        sb.append("},");
-
-        // Query Response
-        sb.append("\"query_response\": {");
-        sb.append("\"query_id\": ").append(queryResponse.getQueryId()).append("\", ");
-        sb.append("\"query_response_id\": ").append(queryResponse.getQueryResponseId()).append("\", ");
-        sb.append("\"query_response_object_ids\": [");
-        for(final String objectId : queryResponse.getQueryResponseObjectIds()) {
-            sb.append("\"").append(objectId).append("\", ");
-        }
-        sb.append("],");
-        sb.append("}");
+        final ObjectMapper objectMapper = new ObjectMapper();
 
-        sb.append("}");
+        final String json = AccessController.doPrivileged((PrivilegedAction<String>) () -> {
+            try {
+                return objectMapper.writeValueAsString(this);
+            } catch (JsonProcessingException ex) {
+                throw new RuntimeException(ex);
+            }
+        });
 
-        return sb.toString();
+        return "[" + json + "]";
 
     }
 
@@ -106,6 +96,9 @@ public String getQueryId() {
      * @return The user query.
      */
     public String getUserQuery() {
+        if(userQuery == null) {
+            return "";
+        }
         return userQuery;
     }
 
@@ -114,6 +107,9 @@ public String getUserQuery() {
      * @return The client ID.
      */
     public String getClientId() {
+        if(clientId == null) {
+            return "";
+        }
         return clientId;
     }
 
@@ -122,6 +118,9 @@ public String getClientId() {
      * @return The raw query.
      */
     public String getQuery() {
+        if(query == null) {
+            return "";
+        }
         return query;
     }
 

diff --git a/src/main/java/org/opensearch/ubi/UbiActionFilter.java b/src/main/java/org/opensearch/ubi/UbiActionFilter.java
@@ -8,6 +8,10 @@
 
 package org.opensearch.ubi;
 
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.StringEntity;
@@ -41,6 +45,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -111,6 +117,8 @@ public void onResponse(Response response) {
                         final String userId = ubiParameters.getClientId();
                         final String objectIdField = ubiParameters.getObjectIdField();
                         final Map<String, String> queryAttributes = ubiParameters.getQueryAttributes();
+
+                        // TODO: Ignore the UBI in ext.
                         final String query = searchRequest.source().toString();
 
                         final List<String> queryResponseHitIds = new LinkedList<>();
@@ -183,12 +191,19 @@ private void sendToDataPrepper(final String dataPrepperUrl, final QueryRequest q
                 httpPost.setEntity(new StringEntity(queryRequest.toString()));
                 httpPost.setHeader("Content-type", "application/json");
 
-                try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
-                    final int status = response.getStatusLine().getStatusCode();
-                    if (status != 200) {
-                        LOGGER.error("Unexpected response status from Data Prepper: " + status);
+                AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
+                    try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
+                        final int status = response.getStatusLine().getStatusCode();
+                        if (status != 200) {
+                            LOGGER.error("Unexpected response status from Data Prepper: {}", status);
+                            return false;
+                        }
+                    } catch (Exception ex) {
+                        LOGGER.error("Unable to send query to Data Prepper", ex);
+                        return false;
                     }
-                }
+                    return true;
+                });
 
             }
 

diff --git a/src/main/plugin-metadata/plugin-security.policy b/src/main/plugin-metadata/plugin-security.policy
@@ -0,0 +1,8 @@
+grant {
+  // Jackson de/serialization
+  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+  permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+  // Connecting to Data Prepper
+  permission java.net.SocketPermission "*", "connect,resolve";
+};
diff --git a/src/test/java/org/opensearch/ubi/QueryRequestTests.java b/src/test/java/org/opensearch/ubi/QueryRequestTests.java