Merge pull request #247 from sujithvm/opendistro-0.10

Merge security-parent, security-ssl, security-advanced-modules

Author: sujithvm

.github/workflows/cd.yml

@@ -0,0 +1,75 @@
+name: CD
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11.0.x
+
+      - name: Checkout security
+        uses: actions/checkout@v1
+
+      - name: Build
+        run: |
+          mvn clean package -Padvanced -DskipTests
+          artifact_zip=`ls $(pwd)/target/releases/opendistro_security-*.zip | grep -v admin-standalone`
+          ./gradlew build buildDeb buildRpm --no-daemon -ParchivePath=$artifact_zip -Dbuild.snapshot=false
+          mkdir artifacts
+          cp $artifact_zip artifacts/
+          cp gradle-build/distributions/*.deb artifacts/
+          cp gradle-build/distributions/*.rpm artifacts/
+          zip -r artifacts.zip artifacts
+          echo ::set-env name=TAG_VERSION::${GITHUB_REF/refs\/tags\//}
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+
+      - name: Upload Artifacts to S3
+        run: |
+          s3_path=s3://artifacts.opendistroforelasticsearch.amazon.com/downloads
+          aws s3 cp artifacts/*.zip $s3_path/elasticsearch-plugins/opendistro-security/
+          aws s3 cp artifacts/*.deb $s3_path/debs/opendistro-security/
+          aws s3 cp artifacts/*.rpm $s3_path/rpms/opendistro-security/
+          aws cloudfront create-invalidation --distribution-id ${{ secrets.DISTRIBUTION_ID }} --paths '/downloads/*'
+
+      - name: Create Github Draft Release
+        id: create_release
+        uses: actions/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ env.TAG_VERSION }}
+          draft: true
+          prerelease: false
+
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_name: artifacts.zip
+          asset_path: artifacts.zip
+          asset_content_type: application/zip
+
+      - name: Upload Workflow Artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: artifacts
+          path: artifacts/

.github/workflows/ci.yml

@@ -7,6 +7,7 @@ on:
   push:
     branches:
       - master
+      - opendistro-*
 
 jobs:
   build:
@@ -15,26 +16,25 @@ jobs:
 
     steps:
 
-      - name: Checkout security-parent
-        uses: actions/checkout@v1
-        with:
-          repository: opendistro-for-elasticsearch/security-parent
-          ref: opendistro-0.10
-      - name: Install security-parent
-        run: mvn clean install -DskipTests --file ../security-parent/pom.xml
-
-      - name: Checkout security-ssl
-        uses: actions/checkout@v1
-        with:
-          repository: opendistro-for-elasticsearch/security-ssl
-          ref: opendistro-0.10
-      - name: Install security-ssl
-        run: mvn clean install -DskipTests --file ../security-ssl/pom.xml
-
       - name: Checkout security
         uses: actions/checkout@v1
-      - name: Install security
-        run: mvn clean install -DskipTests
+
+      - name: Checkstyle
+        run: mvn checkstyle:checkstyle
 
       - name: Test
         run: mvn test
+
+      - name: Coverage
+        uses: codecov/codecov-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Package
+        run: mvn clean package -Padvanced -DskipTests
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v1
+        with:
+          name: artifacts
+          path: target/releases/

.gitignore

@@ -1,11 +1,9 @@
-netty*/
 smoketests/
 target/
 test-output/
 kibana*/
 logstash*/
 deploy_all.sh
-/build.gradle
 *.log
 .externalToolBuilders
 maven-eclipse.xml
@@ -37,3 +35,8 @@ test.sh
 .idea/
 *.iml
 *.rej
+
+# gradle
+build/
+gradle-build/
+.gradle/

build.gradle

@@ -0,0 +1,68 @@
+// Uses Gradle to build RPMs since that's what we use for the other plugins. When all you have is a hammer...
+plugins {
+   id "nebula.ospackage" version "5.3.0"
+}
+
+// To prevent conflicts with maven build under build/
+buildDir = 'gradle-build'
+
+ext {
+    opendistroVersion = '0.10.1'
+    isSnapshot = "true" == System.getProperty("build.snapshot", "true")
+}
+
+group = "com.amazon.opendistroforelasticsearch"
+// Increment the final digit when there's a new plugin versions for the same opendistro version
+// Reset the final digit to 0 when upgrading to a new opendistro version
+version = "${opendistroVersion}.0" + (isSnapshot ? "-SNAPSHOT" : "")
+
+
+if (!project.hasProperty("archivePath")) {
+    throw new GradleException("Missing -ParchivePath command line switch pointing to built plugin ZIP")
+}
+if (!project.file(archivePath).exists()) {
+    throw new GradleException("Missing plugin zip file: $archivePath")
+}
+
+ospackage {
+    packageName = "opendistro-security"
+    release = isSnapshot ? "0.0" : '0'
+    version = "${project.version}" - "-SNAPSHOT"
+
+    into '/usr/share/elasticsearch/plugins'
+    from(zipTree(project.file(archivePath).absolutePath)) {
+        into "opendistro_security"
+    }
+
+    user 'root'
+    permissionGroup 'root'
+    fileMode 0644
+    dirMode 0755
+
+    requires('elasticsearch-oss', "6.8.6", EQUAL)
+    packager = 'Amazon'
+    vendor = 'Amazon'
+    os = 'LINUX'
+    prefix '/usr'
+
+    license 'ASL-2.0'
+    maintainer 'OpenDistro for Elasticsearch Team <[email protected]>'
+    url 'https://opendistro.github.io/elasticsearch/downloads'
+    summary '''
+     Security plugin for OpenDistro for Elasticsearch. 
+     Reference documentation can be found at https://opendistro.github.io/elasticsearch/docs.
+     '''.stripIndent().replace('\n', ' ').trim()
+
+    //TODO: Would be better if the install_demo_configuration.sh script is marked executable in the upstream plugin instead of running bash manually here
+    postInstall "exec /bin/bash /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh -y -i -s"
+}
+
+buildRpm {
+    arch = 'NOARCH'
+    archiveName "${packageName}-${version}.rpm"
+}
+
+buildDeb {
+    arch = 'amd64'
+    archiveName "${packageName}-${version}.deb"
+}

gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.10.2-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,172 @@
+#!/usr/bin/env sh
+
+##############################################################################
+##
+##  Gradle start up script for UN*X
+##
+##############################################################################
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+        PRG="$link"
+    else
+        PRG=`dirname "$PRG"`"/$link"
+    fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn () {
+    echo "$*"
+}
+
+die () {
+    echo
+    echo "$*"
+    echo
+    exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "`uname`" in
+  CYGWIN* )
+    cygwin=true
+    ;;
+  Darwin* )
+    darwin=true
+    ;;
+  MINGW* )
+    msys=true
+    ;;
+  NONSTOP* )
+    nonstop=true
+    ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+        JAVACMD="$JAVA_HOME/bin/java"
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD="java"
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+    MAX_FD_LIMIT=`ulimit -H -n`
+    if [ $? -eq 0 ] ; then
+        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+            MAX_FD="$MAX_FD_LIMIT"
+        fi
+        ulimit -n $MAX_FD
+        if [ $? -ne 0 ] ; then
+            warn "Could not set maximum file descriptor limit: $MAX_FD"
+        fi
+    else
+        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+    fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+    JAVACMD=`cygpath --unix "$JAVACMD"`
+
+    # We build the pattern for arguments to be converted via cygpath
+    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+    SEP=""
+    for dir in $ROOTDIRSRAW ; do
+        ROOTDIRS="$ROOTDIRS$SEP$dir"
+        SEP="|"
+    done
+    OURCYGPATTERN="(^($ROOTDIRS))"
+    # Add a user-defined pattern to the cygpath arguments
+    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+    fi
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    i=0
+    for arg in "$@" ; do
+        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
+
+        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
+            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+        else
+            eval `echo args$i`="\"$arg\""
+        fi
+        i=$((i+1))
+    done
+    case $i in
+        (0) set -- ;;
+        (1) set -- "$args0" ;;
+        (2) set -- "$args0" "$args1" ;;
+        (3) set -- "$args0" "$args1" "$args2" ;;
+        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+    esac
+fi
+
+# Escape application args
+save () {
+    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+    echo " "
+}
+APP_ARGS=$(save "$@")
+
+# Collect all arguments for the java command, following the shell quoting and substitution rules
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+
+# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
+if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
+  cd "$(dirname "$0")"
+fi
+
+exec "$JAVACMD" "$@"