merge from main

Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com>

.github/workflows/backport.yml

@@ -0,0 +1,29 @@
+
+name: Backport
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+
+jobs:
+  backport:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    name: Backport
+    steps:
+      - name: GitHub App token
+        id: github_app_token
+        uses: tibdex/github-app-token@v1.5.0
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          installation_id: 22958780
+
+      - name: Backport
+        uses: VachaShah/backport@v1.1.4
+        with:
+          github_token: ${{ steps.github_app_token.outputs.token }}
+          branch_name: backport/backport-${{ github.event.number }}

.github/workflows/ci.yml

@@ -9,32 +9,58 @@ on:
 
 jobs:
   build:
+    env:
+      BUILD_ARGS: ${{ matrix.os_build_args }}
+      WORKING_DIR: ${{ matrix.working_directory }}.
     strategy:
       matrix:
         java: [11, 17]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        include:
+          - os: windows-latest
+            os_build_args: -x integTest -x jacocoTestReport
+            working_directory: X:\
+            os_java_options: -Xmx4096M
+          - os: macos-latest
+            os_build_args: -x integTest -x jacocoTestReport
 
-    name: Build and Test
-    runs-on: ubuntu-latest
+    name: Build and Test security-analytics with JDK ${{ matrix.java }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      # This is a hack, but this step creates a link to the X: mounted drive, which makes the path
+      # short enough to work on Windows
+      - name: Shorten Path
+        if: ${{ matrix.os == 'windows-latest' }}
+        run: subst 'X:' .
+
       - name: Setup Java ${{ matrix.java }}
         uses: actions/setup-java@v1
         with:
           java-version: ${{ matrix.java }}
 
       - name: Build and Test
-        run: |
-          ./gradlew build
+        working-directory: ${{ env.WORKING_DIR }}
+        run: ./gradlew build ${{ env.BUILD_ARGS }}
+        env:
+          _JAVA_OPTIONS: ${{ matrix.os_java_options }}
 
-      - name: Publish to Maven Local
+      - name: Create Artifact Path
         run: |
-          ./gradlew publishToMavenLocal
-          
+          mkdir -p security-analytics-artifacts
+          cp ./build/distributions/*.zip security-analytics-artifacts
+
       - name: Upload Coverage Report
+        if: ${{ matrix.os == 'ubuntu-latest' }}
         uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: security-analytics-plugin-${{ matrix.os }}
+          path: security-analytics-artifacts

MAINTAINERS.md

@@ -0,0 +1,9 @@
+## Maintainers
+| Maintainer             | GitHub ID                                       | Affiliation |
+|------------------------|-------------------------------------------------| ----------- |
+| Saurabh Singh          | [getsaurabh02](https://github.com/getsaurabh02) | Amazon |
+| Subhobrata Dey         | [sbcd90](https://github.com/sbcd90)             | Amazon |
+| Surya Sashank Nistalai | [eirsep](https://github.com/eirsep)             | Amazon |
+
+
+[This document](https://github.com/opensearch-project/.github/blob/main/MAINTAINERS.md) explains what maintainers do in this repo, and how they should be doing it. If you're interested in contributing, see [CONTRIBUTING](CONTRIBUTING.md).

build.gradle

@@ -98,6 +98,7 @@ publishing {
     publications {
         pluginZip(MavenPublication) { publication ->
             pom {
+                groupId = "org.opensearch.plugin"
                 name = "opensearch-security-analytics"
                 description = "OpenSearch Security Analytics plugin"
                 licenses {

scripts/build.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
+
+set -ex
+
+function usage() {
+    echo "Usage: $0 [args]"
+    echo ""
+    echo "Arguments:"
+    echo -e "-v VERSION\t[Required] OpenSearch version."
+    echo -e "-q QUALIFIER\t[Optional] Build qualifier."
+    echo -e "-s SNAPSHOT\t[Optional] Build a snapshot, default is 'false'."
+    echo -e "-a ARCHITECTURE\t[Optional] Build architecture, ignored."
+    echo -e "-p PLATFORM\t[Optional] Platform, ignored."
+    echo -e "-o OUTPUT\t[Optional] Output path, default is 'artifacts'."
+    echo -e "-h help"
+}
+
+while getopts ":h:v:q:s:o:p:a:" arg; do
+    case $arg in
+        h)
+            usage
+            exit 1
+            ;;
+        v)
+            VERSION=$OPTARG
+            ;;
+        q)
+            QUALIFIER=$OPTARG
+            ;;
+        s)
+            SNAPSHOT=$OPTARG
+            ;;
+        o)
+            OUTPUT=$OPTARG
+            ;;
+        p)
+            PLATFORM=$OPTARG
+            ;;
+        a)
+            ARCHITECTURE=$OPTARG
+            ;;
+        :)
+            echo "Error: -${OPTARG} requires an argument"
+            usage
+            exit 1
+            ;;
+        ?)
+            echo "Invalid option: -${arg}"
+            exit 1
+            ;;
+    esac
+done
+
+if [ -z "$VERSION" ]; then
+    echo "Error: You must specify the OpenSearch version"
+    usage
+    exit 1
+fi
+
+[[ ! -z "$QUALIFIER" ]] && VERSION=$VERSION-$QUALIFIER
+[[ "$SNAPSHOT" == "true" ]] && VERSION=$VERSION-SNAPSHOT
+[ -z "$OUTPUT" ] && OUTPUT=artifacts
+
+mkdir -p $OUTPUT/plugins
+
+./gradlew assemble --no-daemon --refresh-dependencies -DskipTests=true -Dopensearch.version=$VERSION -Dbuild.version_qualifier=$QUALIFIER -Dbuild.snapshot=$SNAPSHOT
+
+zipPath=$(find . -path \*build/distributions/*.zip)
+distributions="$(dirname "${zipPath}")"
+
+echo "COPY ${distributions}/*.zip"
+cp ${distributions}/*.zip ./$OUTPUT/plugins
+
+./gradlew publishPluginZipPublicationToZipStagingRepository -Dopensearch.version=$VERSION -Dbuild.snapshot=$SNAPSHOT -Dbuild.version_qualifier=$QUALIFIER
+mkdir -p $OUTPUT/maven/org/opensearch
+cp -r ./build/local-staging-repo/org/opensearch/. $OUTPUT/maven/org/opensearch

src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java

@@ -18,9 +18,11 @@
 import org.opensearch.common.xcontent.XContentParserUtils;
 import org.opensearch.commons.alerting.model.action.Action;
 import org.opensearch.script.Script;
+import org.opensearch.script.ScriptType;
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -305,6 +307,26 @@ public String getSeverity() {
     }
 
     public List<Action> getActions() {
-        return actions;
+        List<Action> transformedActions = new ArrayList<>();
+
+        if (actions != null) {
+            for (Action action: actions) {
+                String subjectTemplate = action.getSubjectTemplate() != null ? action.getSubjectTemplate().getIdOrCode(): "";
+                subjectTemplate = subjectTemplate.replace("{{ctx.detector", "{{ctx.monitor");
+
+                action.getMessageTemplate();
+                String messageTemplate = action.getMessageTemplate().getIdOrCode();
+                messageTemplate = messageTemplate.replace("{{ctx.detector", "{{ctx.monitor");
+
+                Action transformedAction = new Action(action.getName(), action.getDestinationId(),
+                        new Script(ScriptType.INLINE, Script.DEFAULT_TEMPLATE_LANG, subjectTemplate, Collections.emptyMap()),
+                        new Script(ScriptType.INLINE, Script.DEFAULT_TEMPLATE_LANG, messageTemplate, Collections.emptyMap()),
+                        action.getThrottleEnabled(), action.getThrottle(),
+                        action.getId(), action.getActionExecutionPolicy());
+
+                transformedActions.add(transformedAction);
+            }
+        }
+        return transformedActions;
     }
 }

src/main/resources/OSMapping/windows/fieldmappings.yml

@@ -5,3 +5,7 @@ fieldmappings:
     fieldB: mappedB
     fieldA1: mappedA
     CommandLine: windows-event_data-CommandLine
+    HostName: windows-hostname
+    Message: windows-message
+    Provider_Name: windows-provider-name
+    ServiceName: windows-servicename

src/main/resources/OSMapping/windows/mappings.json

@@ -7,6 +7,22 @@
     "event_uid": {
       "type": "alias",
       "path": "EventID"
+    },
+    "windows-hostname": {
+      "type": "alias",
+      "path": "HostName"
+    },
+    "windows-message": {
+      "type": "alias",
+      "path": "Message"
+    },
+    "windows-provider-name": {
+      "type": "alias",
+      "path": "Provider_Name"
+    },
+    "windows-servicename": {
+      "type": "alias",
+      "path": "ServiceName"
     }
   }
 }

src/test/java/org/opensearch/securityanalytics/TestHelpers.java

@@ -269,7 +269,9 @@ public static DetectorRule randomDetectorRule() {
 
     public static Action randomAction(String destinationId) {
         String name = OpenSearchRestTestCase.randomUnicodeOfLength(10);
-        Script template = randomTemplateScript("Hello World", null);
+        Script template = randomTemplateScript("Detector {{ctx.detector.name}} just entered alert status. Please investigate the issue.\n" +
+                "  - Trigger: {{ctx.trigger.name}}\n" +
+                "  - Severity: {{ctx.trigger.severity}}", null);
         Boolean throttleEnabled = false;
         Throttle throttle = randomThrottle(null, null);
         return new Action(name, destinationId, template, template, throttleEnabled, throttle, OpenSearchRestTestCase.randomAlphaOfLength(10), null);

src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java

@@ -116,9 +116,11 @@ public void testGetAlerts_success() throws IOException {
 
                 for (Map.Entry<String, Object> actionResult: actionResults.entrySet()) {
                     Map<String, String> actionOutput = ((Map<String, Map<String, String>>) actionResult.getValue()).get("output");
+                    String expectedMessage = triggerAction.getSubjectTemplate().getIdOrCode().replace("{{ctx.detector.name}}", detector.getName())
+                            .replace("{{ctx.trigger.name}}", "test-trigger").replace("{{ctx.trigger.severity}}", "1");
 
-                    Assert.assertEquals("Hello World", actionOutput.get("subject"));
-                    Assert.assertEquals("Hello World", actionOutput.get("message"));
+                    Assert.assertEquals(expectedMessage, actionOutput.get("subject"));
+                    Assert.assertEquals(expectedMessage, actionOutput.get("message"));
                 }
             }
         }

src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java

@@ -329,7 +329,7 @@ public void testDeletingADetector() throws IOException {
         Assert.assertFalse(alertingMonitorExists(monitorId));
 
         // todo: change to assertFalse when alerting bug is fixed. https://github.com/opensearch-project/alerting/issues/581
-        Assert.assertTrue(doesIndexExist(String.format(Locale.getDefault(), ".opensearch-sap-%s-detectors-queries", "windows")));
+        Assert.assertFalse(doesIndexExist(String.format(Locale.getDefault(), ".opensearch-sap-%s-detectors-queries", "windows")));
 
         hits = executeSearch(Detector.DETECTORS_INDEX, request);
         Assert.assertEquals(0, hits.size());