From f04b68a185c3fd4e9e0a439364033760f3214eed Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Mon, 26 Apr 2021 23:04:57 +0300 Subject: [PATCH 01/46] wip --- .../java/org/elasticsearch/xpack/ccr/Ccr.java | 2 +- .../xpack/ccr/CcrLicenseChecker.java | 5 +- .../license/XPackLicenseState.java | 40 +---- .../SecurityIndexReaderWrapper.java | 8 +- .../license/XPackLicenseStateTests.java | 144 +----------------- ...ityIndexReaderWrapperIntegrationTests.java | 7 +- .../SecurityIndexReaderWrapperUnitTests.java | 9 +- .../TransportPutEnrichPolicyAction.java | 6 +- .../license/MachineLearningLicensingIT.java | 4 +- .../xpack/ml/MachineLearning.java | 2 +- ...nsportExplainDataFrameAnalyticsAction.java | 4 +- ...nsportPreviewDataFrameAnalyticsAction.java | 4 +- .../TransportPutDataFrameAnalyticsAction.java | 4 +- .../ml/action/TransportPutDatafeedAction.java | 4 +- .../InferencePipelineAggregationBuilder.java | 24 ++- ...erencePipelineAggregationBuilderTests.java | 2 +- .../SecuritySearchOperationListenerTests.java | 23 +-- .../xpack/security/Security.java | 25 ++- .../security/SecurityInfoTransportAction.java | 11 +- .../SecurityUsageTransportAction.java | 4 +- .../action/filter/SecurityActionFilter.java | 14 +- .../security/audit/AuditTrailService.java | 8 +- .../xpack/security/authc/ApiKeyService.java | 4 +- .../xpack/security/authc/Realms.java | 5 +- .../xpack/security/authc/TokenService.java | 4 +- .../DelegatedAuthorizationSupport.java | 5 +- .../security/authz/AuthorizationService.java | 3 +- .../SecuritySearchOperationListener.java | 14 +- .../authz/accesscontrol/OptOutQueryCache.java | 43 +----- .../BulkShardRequestInterceptor.java | 8 +- .../ingest/SetSecurityUserProcessor.java | 21 +-- .../security/rest/SecurityRestFilter.java | 11 +- .../rest/action/SecurityBaseRestHandler.java | 8 +- .../support/SecurityStatusChangeListener.java | 52 ------- .../SecurityServerTransportInterceptor.java | 30 +--- .../transport/ServerTransportFilter.java | 11 +- .../security/transport/filter/IPFilter.java | 5 +- 
.../SecurityInfoTransportActionTests.java | 62 +-------
.../filter/SecurityActionFilterTests.java | 4 +-
.../audit/AuditTrailServiceTests.java | 4 +-
.../authc/AuthenticationServiceTests.java | 3 +-
.../support/SecondaryAuthenticatorTests.java | 2 +-
.../authz/AuthorizationServiceTests.java | 3 +-
.../accesscontrol/OptOutQueryCacheTests.java | 36 +----
...IndicesAliasesRequestInterceptorTests.java | 6 +-
.../ResizeRequestInterceptorTests.java | 6 +-
.../ingest/SetSecurityUserProcessorTests.java | 32 ++--
.../rest/SecurityRestFilterTests.java | 19 +--
.../SecurityStatusChangeListenerTests.java | 129 ----------------
.../transport/ServerTransportFilterTests.java | 2 +-
.../transport/filter/IPFilterTests.java | 3 +-
.../IpFilterRemoteAddressFilterTests.java | 3 +-
.../transport/nio/NioIPFilterTests.java | 3 +-
.../action/TransportPutTransformAction.java | 10 +-
.../TransportUpdateTransformAction.java | 10 +-
55 files changed, 220 insertions(+), 695 deletions(-)
delete mode 100644 x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java
delete mode 100644 x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java
diff --git a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/Ccr.java b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/Ccr.java
index 9717012c75640..68dd89a97b0a2 100644
--- a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/Ccr.java
+++ b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/Ccr.java
@@ -154,7 +154,7 @@ public class Ccr extends Plugin implements ActionPlugin, PersistentTaskPlugin, E
 */
 @SuppressWarnings("unused") // constructed reflectively by the plugin infrastructure
 public Ccr(final Settings settings) {
- this(settings, new CcrLicenseChecker());
+ this(settings, new CcrLicenseChecker(settings));
 }
 
 /**
diff --git a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java
index 32ae89c80a6dd..1ef6c63e3baab 100644
--- a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java
+++ b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java
@@ -43,6 +43,7 @@
 import org.elasticsearch.xpack.ccr.action.ShardChangesAction;
 import org.elasticsearch.xpack.core.ClientHelper;
 import org.elasticsearch.xpack.core.XPackPlugin;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
@@ -74,9 +75,9 @@ public class CcrLicenseChecker {
 /**
 * Constructs a CCR license checker with the default rule based on the license state for checking if CCR is allowed.
 */
- CcrLicenseChecker() {
+ CcrLicenseChecker(Settings settings) {
 this(() -> XPackPlugin.getSharedLicenseState().checkFeature(XPackLicenseState.Feature.CCR),
- XPackPlugin.getSharedLicenseState()::isSecurityEnabled);
+ () -> XPackSettings.SECURITY_ENABLED.get(settings));
 }
 
 /**
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
index c3907b136986e..3d2fb8e862ce3 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -401,8 +401,6 @@ private static class Status {
 }
 
 private final List listeners;
- private final boolean isSecurityEnabled;
- private final boolean isSecurityExplicitlyEnabled;
 private final Map lastUsed;
 private final LongSupplier epochMillisProvider;
 
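Review bot: The constructor Javadoc in the `@@ -74,9 +75,9 @@` hunk still says the checker uses "the default rule based on the license state", but the second supplier now reads `XPackSettings.SECURITY_ENABLED.get(settings)` and no longer consults the license state at all; reword it to `Constructs a CCR license checker that checks CCR is allowed via the shared license state and whether security is enabled via the node settings.` This is also a semantic change, not just a refactor: `XPackLicenseState::isSecurityEnabled` treated trial and basic licenses as security-off unless the setting was set explicitly, whereas the new supplier returns the resolved setting value, default included, on every license type. If that supplier gates the remote-cluster privilege check (the `HasPrivileges*` imports suggest so, but its use is outside this hunk), clusters that relied on the implicit-off behaviour will now go through that check, which deserves a sentence in the commit message once this leaves `wip`.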
@@ -412,10 +410,8 @@ private static class Status { // is only read once. private volatile Status status = new Status(OperationMode.TRIAL, true, Long.MAX_VALUE); - public XPackLicenseState(Settings settings, LongSupplier epochMillisProvider) { + public XPackLicenseState(LongSupplier epochMillisProvider) { this.listeners = new CopyOnWriteArrayList<>(); - this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings); - this.isSecurityExplicitlyEnabled = isSecurityEnabled && isSecurityExplicitlyEnabled(settings); // prepopulate feature last used map with entries for non basic features, which are the ones we // care to actually keep track of @@ -429,20 +425,14 @@ public XPackLicenseState(Settings settings, LongSupplier epochMillisProvider) { this.epochMillisProvider = epochMillisProvider; } - private XPackLicenseState(List listeners, boolean isSecurityEnabled, boolean isSecurityExplicitlyEnabled, - Status status, Map lastUsed, LongSupplier epochMillisProvider) { + private XPackLicenseState(List listeners, Status status, Map lastUsed, + LongSupplier epochMillisProvider) { this.listeners = listeners; - this.isSecurityEnabled = isSecurityEnabled; - this.isSecurityExplicitlyEnabled = isSecurityExplicitlyEnabled; this.status = status; this.lastUsed = lastUsed; this.epochMillisProvider = epochMillisProvider; } - private static boolean isSecurityExplicitlyEnabled(Settings settings) { - return settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()); - } - /** Performs function against status, only reading the status once to avoid races */ private T executeAgainstStatus(Function statusFn) { return statusFn.apply(this.status); 
@@ -551,14 +541,6 @@ public static boolean isFipsAllowedForOperationMode(final OperationMode operatio return isAllowedByOperationMode(operationMode, OperationMode.PLATINUM); } - /** - * Returns whether security is enabled, taking into account the default enabled state - * based on the current license level. - */ - public boolean isSecurityEnabled() { - return isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - } - public static boolean isTransportTlsRequired(License license, Settings settings) { if (license == null) { return false; @@ -568,9 +550,8 @@ public static boolean isTransportTlsRequired(License license, Settings settings) case GOLD: case PLATINUM: case ENTERPRISE: - return XPackSettings.SECURITY_ENABLED.get(settings); case BASIC: - return XPackSettings.SECURITY_ENABLED.get(settings) && isSecurityExplicitlyEnabled(settings); + return XPackSettings.SECURITY_ENABLED.get(settings); case MISSING: case TRIAL: return false; @@ -579,17 +560,6 @@ public static boolean isTransportTlsRequired(License license, Settings settings) } } - private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled, - final boolean isSecurityEnabled) { - switch (mode) { - case TRIAL: - case BASIC: - return isSecurityExplicitlyEnabled; - default: - return isSecurityEnabled; - } - } - public static boolean isCcrAllowedForOperationMode(final OperationMode operationMode) { return isAllowedByOperationMode(operationMode, OperationMode.PLATINUM); } @@ -611,7 +581,7 @@ public static boolean isAllowedByOperationMode( */ public XPackLicenseState copyCurrentLicenseState() { return executeAgainstStatus(status -> - new XPackLicenseState(listeners, isSecurityEnabled, isSecurityExplicitlyEnabled, status, lastUsed, epochMillisProvider)); + new XPackLicenseState(listeners, status, lastUsed, epochMillisProvider)); } /** 
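Review bot: In `isTransportTlsRequired` the `case BASIC:` label now falls through to the same `return XPackSettings.SECURITY_ENABLED.get(settings);` as GOLD/PLATINUM/ENTERPRISE, so a basic-licensed node requires transport TLS whenever the setting resolves true — default value included — where before it required the setting to be present explicitly. That follows from deleting `isSecurityExplicitlyEnabled`, but nothing visible in this patch documents or tests it; add a comment above the label such as `// BASIC follows the same rule as paid licenses; only trial and missing licenses are exempt` and a test pinning both the enabled and disabled outcome on BASIC. Separately, the constructor changed from `(Settings, LongSupplier)` to `(LongSupplier)` and public `isSecurityEnabled()` is gone, so any caller outside the 55 touched files will not compile; acceptable for a `wip` commit but worth a grep before the series is squashed.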
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java index 13c57e820b6cf..1ec399086d33b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java @@ -14,6 +14,7 @@ import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.common.CheckedFunction; import org.elasticsearch.common.logging.LoggerMessageFormat; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.query.SearchExecutionContext; import org.elasticsearch.index.shard.ShardId; @@ -21,6 +22,7 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.script.ScriptService; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; 
@@ -50,20 +52,22 @@ public class SecurityIndexReaderWrapper implements CheckedFunction searchExecutionContextProvider, DocumentSubsetBitsetCache bitsetCache, SecurityContext securityContext, - XPackLicenseState licenseState, ScriptService scriptService) { + XPackLicenseState licenseState, ScriptService scriptService, Settings settings) { this.scriptService = scriptService; this.searchExecutionContextProvider = searchExecutionContextProvider; this.bitsetCache = bitsetCache; this.securityContext = securityContext; this.licenseState = licenseState; + this.settings = settings; } @Override public DirectoryReader apply(final DirectoryReader reader) { - if (licenseState.isSecurityEnabled() == false || + if (XPackSettings.SECURITY_ENABLED.get(settings) == false || licenseState.checkFeature(Feature.SECURITY_DLS_FLS) == false) { return reader; } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index b8a3ba24c8345..0b2f760007563 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java 
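Review bot: `apply` now evaluates `XPackSettings.SECURITY_ENABLED.get(settings)` on every reader wrap, i.e. per shard search, to re-parse an immutable node setting; resolve it once in the constructor instead: `private final boolean securityEnabled;`, `this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);` and `if (securityEnabled == false ||` in `apply`. The declaration of the `settings` field assigned here is not in the visible part of the hunk, so confirm it exists and is `private final`. Note the short-circuit semantics shifted: when the check is false the reader is returned without any DLS/FLS filtering, and that decision is now taken purely from the node setting rather than the license-aware `isSecurityEnabled()`, so a basic or trial node with the setting left at its default is treated as security-on for wrapping purposes while `licenseState.checkFeature(Feature.SECURITY_DLS_FLS)` alone gates the feature by license.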
@@ -82,152 +82,12 @@ public static OperationMode randomBasicStandardOrGold() { } public void testSecurityDefaults() { - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - assertThat(licenseState.isSecurityEnabled(), is(true)); + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true)); assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true)); assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true)); - - licenseState = TestUtils.newTestLicenseState(); - assertSecurityNotAllowed(licenseState); - } - - public void testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense() { - Settings settings = Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build(); - final XPackLicenseState licenseState= new XPackLicenseState(settings, () -> 0); - assertSecurityNotAllowed(licenseState); - } - - public void testSecurityBasicWithoutExplicitSecurityEnabled() { - XPackLicenseState licenseState = TestUtils.newTestLicenseState(); - licenseState.update(BASIC, true, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false)); - - assertThat(licenseState.isSecurityEnabled(), is(false)); - } - - public void 
testSecurityBasicWithExplicitSecurityEnabled() { - final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(BASIC, true, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false)); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - } - - public void testSecurityStandard() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(STANDARD, true, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityStandardExpired() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(STANDARD, false, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - 
assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityGold() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(GOLD, true, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityGoldExpired() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(GOLD, false, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true)); - 
assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityPlatinum() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(PLATINUM, true, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testSecurityPlatinumExpired() { - Settings settings = randomFrom(Settings.EMPTY, - Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); - licenseState.update(PLATINUM, false, Long.MAX_VALUE, null); - - assertThat(licenseState.isSecurityEnabled(), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true)); - assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); - assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); - } - - public void testNewTrialDefaultsSecurityOff() { - XPackLicenseState 
licenseState = TestUtils.newTestLicenseState(); - licenseState.update(TRIAL, true, Long.MAX_VALUE, VersionUtils.randomCompatibleVersion(random(), Version.CURRENT)); - - assertThat(licenseState.isSecurityEnabled(), is(false)); - assertSecurityNotAllowed(licenseState); - } - - private void assertSecurityNotAllowed(XPackLicenseState licenseState) { - assertThat(licenseState.isSecurityEnabled(), is(false)); } public void testSecurityAckBasicToNotGoldOrStandard() { @@ -515,7 +375,7 @@ public void testCcrAckTrialOrPlatinumToNotTrialOrPlatinum() { public void testLastUsed() { Feature goldFeature = Feature.SECURITY_DLS_FLS; AtomicInteger currentTime = new AtomicInteger(100); // non zero start time - XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, currentTime::get); + XPackLicenseState licenseState = new XPackLicenseState(currentTime::get); assertThat("initial epoch time", licenseState.getLastUsed(), not(hasKey(goldFeature))); licenseState.isAllowed(goldFeature); assertThat("isAllowed does not track", licenseState.getLastUsed(), not(hasKey(goldFeature))); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java index e3212a4ea3ef9..201532698d69d 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java 
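Review bot: The deletion of the per-mode tests (`testSecurityBasicWithoutExplicitSecurityEnabled` through `testSecurityPlatinumExpired`) removes more coverage than dropping `isSecurityEnabled()` requires: their `checkFeature` assertions — `SECURITY_DLS_FLS` false on BASIC and GOLD, `SECURITY_TOKEN_SERVICE` false on BASIC but true on STANDARD, `SECURITY_CUSTOM_ROLE_PROVIDERS` false on an expired PLATINUM — never depended on the removed method and still describe the feature matrix `XPackLicenseState` exposes. Keep those tests, deleting only the `isSecurityEnabled()` lines and switching construction to `new XPackLicenseState(() -> 0)`; after this patch `testSecurityDefaults` only exercises the trial default. Only `testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense`, `testNewTrialDefaultsSecurityOff` and `assertSecurityNotAllowed` lose their whole premise.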
@@ -45,6 +45,7 @@ import org.elasticsearch.search.internal.ContextIndexSearcher; import org.elasticsearch.test.AbstractBuilderTestCase; import org.elasticsearch.test.IndexSettingsModule; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer; @@ -93,7 +94,6 @@ null, null, null, mappingLookup, null, null, xContentRegistry(), writableRegistr SearchExecutionContext searchExecutionContext = spy(realSearchExecutionContext); DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor()); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); Directory directory = newDirectory(); @@ -146,7 +146,7 @@ null, null, null, mappingLookup, null, null, xContentRegistry(), writableRegistr FieldPermissions(), DocumentPermissions.filteredBy(singleton(new BytesArray(termQuery)))); SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> searchExecutionContext, - bitsetCache, securityContext, licenseState, scriptService) { + bitsetCache, securityContext, licenseState, scriptService, Settings.EMPTY) { @Override protected IndicesAccessControl getIndicesAccessControl() { 
@@ -223,10 +223,9 @@ null, null, null, mappingLookup, null, null, xContentRegistry(), writableRegistr DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor()); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> searchExecutionContext, - bitsetCache, securityContext, licenseState, scriptService) { + bitsetCache, securityContext, licenseState, scriptService, Settings.EMPTY) { @Override protected IndicesAccessControl getIndicesAccessControl() { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java index 48ca9244aa5f7..3d1ffb0c0a727 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java @@ -24,6 +24,7 @@ import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.script.ScriptService; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions; 
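Review bot: Both wrapper test files gain an `import org.elasticsearch.xpack.core.XPackSettings;` (SecurityIndexReaderWrapperIntegrationTests at `@@ -45,6 +45,7 @@`, SecurityIndexReaderWrapperUnitTests at `@@ -24,6 +24,7 @@`) but in the hunks visible here never reference it — every `new SecurityIndexReaderWrapper(...)` receives `Settings.EMPTY`. With the mocked `isSecurityEnabled()` stub removed, the tests that expect a wrapped reader now silently depend on the default of `XPackSettings.SECURITY_ENABLED`; make the assumption explicit with `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()` in the fixture. If the import genuinely stays unused it will likely trip the unused-import check and should be dropped.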
@@ -66,7 +67,6 @@ public void setup() throws Exception { ShardId shardId = new ShardId(index, 0); licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY)); IndexShard indexShard = mock(IndexShard.class); @@ -88,7 +88,7 @@ public void tearDown() throws Exception { public void testDefaultMetaFields() throws Exception { securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService) { + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService, Settings.EMPTY) { @Override protected IndicesAccessControl getIndicesAccessControl() { IndicesAccessControl.IndexAccessControl indexAccessControl = new IndicesAccessControl.IndexAccessControl(true, @@ -118,7 +118,7 @@ protected IndicesAccessControl getIndicesAccessControl() { public void testWrapReaderWhenFeatureDisabled() throws Exception { when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(false); securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService); + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService, Settings.EMPTY); DirectoryReader reader = securityIndexReaderWrapper.apply(esIn); assertThat(reader, sameInstance(esIn)); } @@ -152,7 +152,8 @@ private void assertResolved(FieldPermissions permissions, Set expected, public void testFieldPermissionsWithFieldExceptions() throws Exception { securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, null); + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, null, + Settings.EMPTY); String[] grantedFields = new String[]{}; String[] deniedFields; Set expected = new HashSet<>(META_FIELDS); 
diff --git a/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java b/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java index 8ad538eaece9b..bba24f9a7b020 100644 --- a/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java +++ b/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java @@ -35,9 +35,9 @@ public class TransportPutEnrichPolicyAction extends AcknowledgedTransportMasterNodeAction { - private final XPackLicenseState licenseState; private final SecurityContext securityContext; private final Client client; + private final Settings settings; @Inject public TransportPutEnrichPolicyAction( @@ -60,7 +60,7 @@ public TransportPutEnrichPolicyAction( indexNameExpressionResolver, ThreadPool.Names.SAME ); - this.licenseState = licenseState; + this.settings = settings; this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ? new SecurityContext(settings, threadPool.getThreadContext()) : null; @@ -75,7 +75,7 @@ protected void masterOperation( ActionListener listener ) { - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { RoleDescriptor.IndicesPrivileges privileges = RoleDescriptor.IndicesPrivileges.builder() .indices(request.getPolicy().getIndices()) .privileges("read") diff --git a/x-pack/plugin/ml/src/internalClusterTest/java/org/elasticsearch/license/MachineLearningLicensingIT.java b/x-pack/plugin/ml/src/internalClusterTest/java/org/elasticsearch/license/MachineLearningLicensingIT.java index 5b79438eb1bcf..af79593a6c003 100644 --- a/x-pack/plugin/ml/src/internalClusterTest/java/org/elasticsearch/license/MachineLearningLicensingIT.java +++ b/x-pack/plugin/ml/src/internalClusterTest/java/org/elasticsearch/license/MachineLearningLicensingIT.java 
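Review bot: `TransportPutEnrichPolicyAction` removes the `licenseState` field, but the `@Inject` constructor signature above the hunk most likely still declares the `XPackLicenseState licenseState` parameter it used to assign; if nothing else in the class reads it, remove the parameter too rather than leaving an injected-but-unused dependency. Keeping the whole `Settings` only to re-run `XPackSettings.SECURITY_ENABLED.get(settings)` in `masterOperation` is more than needed, since the constructor already derives `securityContext` from exactly that setting: either `private final boolean securityEnabled` computed once, or `if (securityContext != null)`, states the same condition without a second settings parse per request. The same store-settings-and-reparse pattern appears in TransportExplainDataFrameAnalyticsAction, TransportPreviewDataFrameAnalyticsAction and TransportPutDataFrameAnalyticsAction later in this patch.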
@@ -21,6 +21,7 @@ import org.elasticsearch.action.support.master.AcknowledgedResponse; import org.elasticsearch.cluster.ClusterState; import org.elasticsearch.common.bytes.BytesArray; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.license.License.OperationMode; @@ -699,12 +700,13 @@ public void testInferenceAggRestricted() { termsAgg.subAggregation(avgAgg); XPackLicenseState licenseState = internalCluster().getInstance(XPackLicenseState.class); + Settings settings = internalCluster().getInstance(Settings.class); ModelLoadingService modelLoading = internalCluster().getInstance(ModelLoadingService.class); Map bucketPaths = new HashMap<>(); bucketPaths.put("feature1", "avg_feature1"); InferencePipelineAggregationBuilder inferenceAgg = - new InferencePipelineAggregationBuilder("infer_agg", new SetOnce<>(modelLoading), licenseState, bucketPaths); + new InferencePipelineAggregationBuilder("infer_agg", new SetOnce<>(modelLoading), licenseState, settings, bucketPaths); inferenceAgg.setModelId(modelId); termsAgg.subAggregation(inferenceAgg); diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java index 99d2e0eb0bb83..ce5c70e2f154d 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java 
@@ -1078,7 +1078,7 @@ public Map> getTokenizers() { @Override public List getPipelineAggregations() { PipelineAggregationSpec spec = new PipelineAggregationSpec(InferencePipelineAggregationBuilder.NAME, - in -> new InferencePipelineAggregationBuilder(in, getLicenseState(), modelLoadingService), + in -> new InferencePipelineAggregationBuilder(in, getLicenseState(), settings, modelLoadingService), (ContextParser) (parser, name) -> InferencePipelineAggregationBuilder.parse(modelLoadingService, getLicenseState(), name, parser)); spec.addResultReader(InternalInferenceAggregation::new); diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportExplainDataFrameAnalyticsAction.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportExplainDataFrameAnalyticsAction.java index 0cdfd21be58b9..41ce380d8f329 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportExplainDataFrameAnalyticsAction.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportExplainDataFrameAnalyticsAction.java @@ -65,6 +65,7 @@ public class TransportExplainDataFrameAnalyticsAction private final MemoryUsageEstimationProcessManager processManager; private final SecurityContext securityContext; private final ThreadPool threadPool; + private final Settings settings; @Inject public TransportExplainDataFrameAnalyticsAction(TransportService transportService, @@ -82,6 +83,7 @@ public TransportExplainDataFrameAnalyticsAction(TransportService transportServic this.licenseState = licenseState; this.processManager = Objects.requireNonNull(processManager); this.threadPool = threadPool; + this.settings = settings; this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ? new SecurityContext(settings, threadPool.getThreadContext()) : null; 
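Review bot: In `getPipelineAggregations` the stream constructor now receives `settings` (`new InferencePipelineAggregationBuilder(in, getLicenseState(), settings, modelLoadingService)`) while the parser path on the next line still calls `InferencePipelineAggregationBuilder.parse(modelLoadingService, getLicenseState(), name, parser)` without them. Unless `parse` obtains settings another way (its change is in InferencePipelineAggregationBuilder.java, not shown in this chunk), a builder parsed from a request body would carry a different or null `Settings` than one deserialised from the wire, and any security-enabled decision the builder makes could differ between the coordinating node and the data nodes. Pass `settings` into `parse` as well, or have both paths read the value from one place.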
@@ -119,7 +121,7 @@ private void explain(Task task, final ExtractedFieldsDetectorFactory extractedFieldsDetectorFactory = new ExtractedFieldsDetectorFactory( new ParentTaskAssigningClient(client, task.getParentTaskId()) ); - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { useSecondaryAuthIfAvailable(this.securityContext, () -> { // Set the auth headers (preferring the secondary headers) to the caller's. // Regardless if the config was previously stored or not. diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPreviewDataFrameAnalyticsAction.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPreviewDataFrameAnalyticsAction.java index ee5e169bdac0b..410fb4ff51ba8 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPreviewDataFrameAnalyticsAction.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPreviewDataFrameAnalyticsAction.java @@ -48,6 +48,7 @@ public class TransportPreviewDataFrameAnalyticsAction extends HandledTransportAc private final NodeClient client; private final SecurityContext securityContext; private final ThreadPool threadPool; + private final Settings settings; @Inject public TransportPreviewDataFrameAnalyticsAction( @@ -62,6 +63,7 @@ public TransportPreviewDataFrameAnalyticsAction( this.client = Objects.requireNonNull(client); this.licenseState = licenseState; this.threadPool = threadPool; + this.settings = settings; this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ? new SecurityContext(settings, threadPool.getThreadContext()) : null; 
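Review bot: The new guard `XPackSettings.SECURITY_ENABLED.get(settings)` evaluates the same setting the constructor already used to decide whether `securityContext` is non-null, so the class now retains the whole `Settings` object only to re-derive one boolean on every call. A `private final boolean securityEnabled` set once in the constructor, or simply `if (securityContext != null)`, keeps a single source of truth and makes the null-safety of `useSecondaryAuthIfAvailable(this.securityContext, ...)` visible at the call site. The same pattern appears in the `TransportPreviewDataFrameAnalyticsAction`, `TransportPutDataFrameAnalyticsAction` and `TransportPutDatafeedAction` hunks below. `explain` continues outside the hunk.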
@@ -79,7 +81,7 @@ protected void doExecute(Task task, Request request, ActionListener li listener.onFailure(LicenseUtils.newComplianceException(XPackField.MACHINE_LEARNING)); return; } - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { useSecondaryAuthIfAvailable(this.securityContext, () -> { // Set the auth headers (preferring the secondary headers) to the caller's. // Regardless if the config was previously stored or not. diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDataFrameAnalyticsAction.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDataFrameAnalyticsAction.java index c83551b3abbb9..da70a08d0cbfe 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDataFrameAnalyticsAction.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDataFrameAnalyticsAction.java @@ -68,6 +68,7 @@ public class TransportPutDataFrameAnalyticsAction private final Client client; private final DataFrameAnalyticsAuditor auditor; private final SourceDestValidator sourceDestValidator; + private final Settings settings; private volatile ByteSizeValue maxModelMemoryLimit; @@ -85,6 +86,7 @@ public TransportPutDataFrameAnalyticsAction(Settings settings, TransportService new SecurityContext(settings, threadPool.getThreadContext()) : null; this.client = client; this.auditor = Objects.requireNonNull(auditor); + this.settings = settings; maxModelMemoryLimit = MachineLearningField.MAX_MODEL_MEMORY_LIMIT.get(settings); clusterService.getClusterSettings() 
@@ -131,7 +133,7 @@ private void putValidatedConfig(DataFrameAnalyticsConfig config, ActionListener< .setVersion(Version.CURRENT) .build(); - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { useSecondaryAuthIfAvailable(securityContext, () -> { final String username = securityContext.getUser().principal(); RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder() diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDatafeedAction.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDatafeedAction.java index 03df3c341233d..0ddb15a8c233b 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDatafeedAction.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDatafeedAction.java @@ -72,6 +72,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction listener) { // If security is enabled only create the datafeed if the user requesting creation has // permission to read the indices the datafeed is going to read from - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { useSecondaryAuthIfAvailable(securityContext, () -> { final String[] indices = request.getDatafeed().getIndices().toArray(new String[0]); diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilder.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilder.java index cf3aab46130fb..c7853092d3f6e 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilder.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilder.java 
@@ -24,6 +24,7 @@ import org.elasticsearch.search.aggregations.pipeline.AbstractPipelineAggregationBuilder; import org.elasticsearch.search.aggregations.pipeline.PipelineAggregator; import org.elasticsearch.xpack.core.XPackField; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.ml.action.GetTrainedModelsAction; import org.elasticsearch.xpack.core.ml.inference.trainedmodel.ClassificationConfig; import org.elasticsearch.xpack.core.ml.inference.trainedmodel.ClassificationConfigUpdate; @@ -61,7 +62,7 @@ public class InferencePipelineAggregationBuilder extends AbstractPipelineAggrega private static final ConstructingObjectParser PARSER = new ConstructingObjectParser<>(NAME, false, (args, context) -> new InferencePipelineAggregationBuilder(context.name, context.modelLoadingService, - context.licenseState, (Map) args[0]) + context.licenseState, context.settings, (Map) args[0]) ); static { @@ -75,6 +76,7 @@ public class InferencePipelineAggregationBuilder extends AbstractPipelineAggrega private String modelId; private InferenceConfigUpdate inferenceConfig; private final XPackLicenseState licenseState; + private final Settings settings; private final SetOnce modelLoadingService; /** * The model. Set to a non-null value during the rewrite phase. 
@@ -83,35 +85,41 @@ public class InferencePipelineAggregationBuilder extends AbstractPipelineAggrega private static class ParserSupplement { final XPackLicenseState licenseState; + final Settings settings; final SetOnce modelLoadingService; final String name; - ParserSupplement(String name, XPackLicenseState licenseState, SetOnce modelLoadingService) { + ParserSupplement(String name, XPackLicenseState licenseState, Settings settings, SetOnce modelLoadingService) { this.name = name; this.licenseState = licenseState; + this.settings = settings; this.modelLoadingService = modelLoadingService; } } public static InferencePipelineAggregationBuilder parse(SetOnce modelLoadingService, XPackLicenseState licenseState, + Settings settings, String pipelineAggregatorName, XContentParser parser) { - return PARSER.apply(parser, new ParserSupplement(pipelineAggregatorName, licenseState, modelLoadingService)); + return PARSER.apply(parser, new ParserSupplement(pipelineAggregatorName, licenseState, settings, modelLoadingService)); } public InferencePipelineAggregationBuilder(String name, SetOnce modelLoadingService, XPackLicenseState licenseState, + Settings settings, Map bucketsPath) { super(name, NAME, new TreeMap<>(bucketsPath).values().toArray(new String[] {})); this.modelLoadingService = modelLoadingService; this.bucketPathMap = bucketsPath; this.model = null; this.licenseState = licenseState; + this.settings = settings; } public InferencePipelineAggregationBuilder(StreamInput in, XPackLicenseState licenseState, + Settings settings, SetOnce modelLoadingService) throws IOException { super(in, NAME); modelId = in.readString(); @@ -120,6 +128,7 @@ public InferencePipelineAggregationBuilder(StreamInput in, this.modelLoadingService = modelLoadingService; this.model = null; this.licenseState = licenseState; + this.settings = settings; } /** 
@@ -131,7 +140,8 @@ private InferencePipelineAggregationBuilder( Supplier model, String modelId, InferenceConfigUpdate inferenceConfig, - XPackLicenseState licenseState + XPackLicenseState licenseState, + Settings settings ) { super(name, NAME, new TreeMap<>(bucketsPath).values().toArray(new String[] {})); modelLoadingService = null; @@ -147,6 +157,7 @@ private InferencePipelineAggregationBuilder( this.modelId = modelId; this.inferenceConfig = inferenceConfig; this.licenseState = licenseState; + this.settings = settings; } public void setModelId(String modelId) { @@ -215,7 +226,7 @@ public InferencePipelineAggregationBuilder rewrite(QueryRewriteContext context) context.registerAsyncAction((client, listener) -> { - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { // check the user has ml privileges SecurityContext securityContext = new SecurityContext(Settings.EMPTY, client.threadPool().getThreadContext()); useSecondaryAuthIfAvailable(securityContext, () -> { @@ -243,7 +254,8 @@ public InferencePipelineAggregationBuilder rewrite(QueryRewriteContext context) modelLoadAction.accept(client, listener); } }); - return new InferencePipelineAggregationBuilder(name, bucketPathMap, loadedModel::get, modelId, inferenceConfig, licenseState); + return new InferencePipelineAggregationBuilder(name, bucketPathMap, loadedModel::get, modelId, inferenceConfig, licenseState, + settings); } @Override diff --git a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilderTests.java b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilderTests.java index 0619a95e8bba6..35e2618b93881 100644 --- a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilderTests.java +++ b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/inference/aggs/InferencePipelineAggregationBuilderTests.java 
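Review bot: In `rewrite`, the branch now gated on `XPackSettings.SECURITY_ENABLED.get(settings)` still builds its `SecurityContext` with `Settings.EMPTY` even though the builder now carries the node `settings`; if `SecurityContext` reads anything from its settings argument, passing the real `settings` is the consistent choice, so worth confirming what it uses. The new `settings` field is not written to the wire (the `StreamInput` constructor takes it from the receiving node), which is fine, but a field comment such as `// node settings; never serialized, supplied by the deserializing node` would spare the next reader a trip to the write side. `rewrite` starts and ends outside the hunk.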
@@ -64,7 +64,7 @@ protected InferencePipelineAggregationBuilder createTestAggregatorFactory() { InferencePipelineAggregationBuilder builder = new InferencePipelineAggregationBuilder(NAME, new SetOnce<>(mock(ModelLoadingService.class)), - mock(XPackLicenseState.class), bucketPaths); + mock(XPackLicenseState.class), Settings.EMPTY, bucketPaths); builder.setModelId(randomAlphaOfLength(6)); if (randomBoolean()) { diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java index 3dc5ce6cb9eb2..79dd804c6da5b 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java 
@@ -71,18 +71,15 @@ public void testUnlicensed() { try (LegacyReaderContext readerContext = new LegacyReaderContext(new ShardSearchContextId(UUIDs.randomBase64UUID(), 0L), indexService, shard, shard.acquireSearcherSupplier(), shardSearchRequest, Long.MAX_VALUE)) { - XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(false); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); AuditTrailService auditTrailService = mock(AuditTrailService.class); SearchContext searchContext = mock(SearchContext.class); SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, licenseState, auditTrailService); + new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService); listener.onNewScrollContext(readerContext); listener.validateReaderContext(readerContext, Empty.INSTANCE); - verify(licenseState, times(2)).isSecurityEnabled(); verifyZeroInteractions(auditTrailService, searchContext); } } @@ -93,8 +90,6 @@ public void testOnNewContextSetsAuthentication() throws Exception { try (LegacyReaderContext readerContext = new LegacyReaderContext(new ShardSearchContextId(UUIDs.randomBase64UUID(), 0L), indexService, shard, shard.acquireSearcherSupplier(), shardSearchRequest, Long.MAX_VALUE)) { - XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); AuditTrailService auditTrailService = mock(AuditTrailService.class); 
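Review bot: `testUnlicensed` now constructs the listener with `Settings.EMPTY`, which exercises whatever the default of `xpack.security.enabled` happens to be rather than the disabled state the test name and the `verifyZeroInteractions` assertion are about; if that default is, or becomes, `true` in this series the test silently changes meaning. Pinning the intent with `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()` avoids that, and the method name could reflect that security is now disabled by setting rather than by license.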
@@ -104,14 +99,13 @@ public void testOnNewContextSetsAuthentication() throws Exception { threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl); SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, licenseState, auditTrailService); + new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService); listener.onNewScrollContext(readerContext); Authentication contextAuth = readerContext.getFromContext(AuthenticationField.AUTHENTICATION_KEY); assertEquals(authentication, contextAuth); assertThat(readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), is(indicesAccessControl)); - verify(licenseState).isSecurityEnabled(); verifyZeroInteractions(auditTrailService); } } 
@@ -127,22 +121,20 @@ public void testValidateSearchContext() throws Exception { final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class); readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); AuditTrail auditTrail = mock(AuditTrail.class); AuditTrailService auditTrailService = - new AuditTrailService(Collections.singletonList(auditTrail), licenseState); + new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, licenseState, auditTrailService); + new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService); try (StoredContext ignore = threadContext.newStoredContext(false)) { Authentication authentication = new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null); authentication.writeToContext(threadContext); listener.validateReaderContext(readerContext, Empty.INSTANCE); assertThat(threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), is(indicesAccessControl)); - verify(licenseState).isSecurityEnabled(); verifyZeroInteractions(auditTrail); } 
@@ -154,7 +146,6 @@ public void testValidateSearchContext() throws Exception { authentication.writeToContext(threadContext); listener.validateReaderContext(readerContext, Empty.INSTANCE); assertThat(threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), is(indicesAccessControl)); - verify(licenseState, times(2)).isSecurityEnabled(); verifyZeroInteractions(auditTrail); } @@ -173,7 +164,6 @@ public void testValidateSearchContext() throws Exception { () -> listener.validateReaderContext(readerContext, request)); assertEquals(readerContext.id(), expected.contextId()); assertThat(threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), nullValue()); - verify(licenseState, Mockito.atLeast(3)).isSecurityEnabled(); verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request), authzInfoRoles(authentication.getUser().roles())); } @@ -191,7 +181,6 @@ public void testValidateSearchContext() throws Exception { final InternalScrollSearchRequest request = new InternalScrollSearchRequest(); listener.validateReaderContext(readerContext, request); assertThat(threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), is(indicesAccessControl)); - verify(licenseState, Mockito.atLeast(4)).isSecurityEnabled(); verifyNoMoreInteractions(auditTrail); } @@ -211,7 +200,6 @@ public void testValidateSearchContext() throws Exception { () -> listener.validateReaderContext(readerContext, request)); assertEquals(readerContext.id(), expected.contextId()); assertThat(threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY), nullValue()); - verify(licenseState, Mockito.atLeast(5)).isSecurityEnabled(); verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request), authzInfoRoles(authentication.getUser().roles())); } 
@@ -226,10 +214,9 @@ public void testEnsuredAuthenticatedUserIsSame() { final String action = randomAlphaOfLength(4); TransportRequest request = Empty.INSTANCE; XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); AuditTrail auditTrail = mock(AuditTrail.class); - AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); final String auditId = randomAlphaOfLengthBetween(8, 20); ensureAuthenticatedUserIsSame(original, current, auditTrailService, contextId, action, request, auditId, diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 18f88df5ea501..4244b37a28564 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -282,7 +282,6 @@ import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry; import org.elasticsearch.xpack.security.support.ExtensionComponents; import org.elasticsearch.xpack.security.support.SecurityIndexManager; -import org.elasticsearch.xpack.security.support.SecurityStatusChangeListener; import org.elasticsearch.xpack.security.transport.SecurityHttpSettings; import org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor; import org.elasticsearch.xpack.security.transport.filter.IPFilter; 
@@ -438,7 +437,7 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste final List auditTrails = XPackSettings.AUDIT_ENABLED.get(settings) ? Collections.singletonList(new LoggingAuditTrail(settings, clusterService, threadPool)) : Collections.emptyList(); - final AuditTrailService auditTrailService = new AuditTrailService(auditTrails, getLicenseState()); + final AuditTrailService auditTrailService = new AuditTrailService(auditTrails, getLicenseState(), settings); components.add(auditTrailService); this.auditTrailService.set(auditTrailService); @@ -532,7 +531,6 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste // to keep things simple, just invalidate all cached entries on license change. this happens so rarely that the impact should be // minimal getLicenseState().addListener(allRolesStore::invalidateAll); - getLicenseState().addListener(new SecurityStatusChangeListener(getLicenseState())); final AuthenticationFailureHandler failureHandler = createAuthenticationFailureHandler(realms, extensionComponents); final OperatorPrivilegesService operatorPrivilegesService; @@ -556,7 +554,7 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste requestInterceptors.addAll(Arrays.asList( new SearchRequestInterceptor(threadPool, getLicenseState()), new UpdateRequestInterceptor(threadPool, getLicenseState()), - new BulkShardRequestInterceptor(threadPool, getLicenseState()) + new BulkShardRequestInterceptor(threadPool, getLicenseState(), settings) )); } requestInterceptors = Collections.unmodifiableSet(requestInterceptors); 
@@ -581,7 +579,7 @@ auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEn authzService, getLicenseState(), getSslService(), securityContext.get(), destructiveOperations, clusterService)); securityActionFilter.set(new SecurityActionFilter(authcService.get(), authzService, auditTrailService, getLicenseState(), - threadPool, securityContext.get(), destructiveOperations)); + threadPool, securityContext.get(), settings, destructiveOperations)); components.add(new SecurityUsageServices(realms, allRolesStore, nativeRoleMappingStore, ipFilter.get())); @@ -808,17 +806,18 @@ public void onIndexModule(IndexModule module) { dlsBitsetCache.get(), securityContext.get(), getLicenseState(), - indexService.getScriptService())); + indexService.getScriptService(), + settings)); /* * We need to forcefully overwrite the query cache implementation to use security's opt-out query cache implementation. This * implementation disables the query cache if field level security is used for a particular request. We have to forcefully * overwrite the query cache implementation to prevent data leakage to unauthorized users. */ module.forceQueryCacheProvider( - (settings, cache) -> { + (indexSettings, cache) -> { final OptOutQueryCache queryCache = - new OptOutQueryCache(settings, cache, threadContext.get(), getLicenseState()); - queryCache.listenForLicenseStateChanges(); + new OptOutQueryCache(indexSettings, cache, threadContext.get(), settings); + return queryCache; }); } @@ -827,7 +826,7 @@ public void onIndexModule(IndexModule module) { // attaches information to the scroll context so that we can validate the user that created the scroll against // the user that is executing a scroll operation module.addSearchOperationListener( - new SecuritySearchOperationListener(securityContext.get(), getLicenseState(), auditTrailService.get())); + new SecuritySearchOperationListener(securityContext.get(), settings, auditTrailService.get())); } } 
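Review bot: In `onIndexModule`, the query-cache provider drops the `queryCache.listenForLicenseStateChanges()` call, so cache entries are no longer invalidated on license transitions; that is only safe if `OptOutQueryCache` (whose changes are not in view) no longer consults the license state for its opt-out decision, which is worth confirming since a stale decision there affects field-level-security enforcement. Renaming the lambda parameter to `indexSettings` is a good fix, as the previous `settings` shadowed the plugin field of the same name that the new code now reads. With the listener gone, the local is unnecessary: `(indexSettings, cache) -> new OptOutQueryCache(indexSettings, cache, threadContext.get(), settings)`.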
@@ -955,7 +954,7 @@ public List getRestHandlers(Settings settings, RestController restC @Override public Map getProcessors(Processor.Parameters parameters) { return Collections.singletonMap(SetSecurityUserProcessor.TYPE, - new SetSecurityUserProcessor.Factory(securityContext::get, this::getLicenseState)); + new SetSecurityUserProcessor.Factory(securityContext::get, settings)); } /** @@ -1120,7 +1119,7 @@ public UnaryOperator getRestHandlerWrapper(ThreadContext threadCont final boolean ssl = HTTP_SSL_ENABLED.get(settings); final SSLConfiguration httpSSLConfig = getSslService().getHttpTransportSSLConfiguration(); boolean extractClientCertificate = ssl && getSslService().isSSLClientAuthEnabled(httpSSLConfig); - return handler -> new SecurityRestFilter(getLicenseState(), threadContext, authcService.get(), secondayAuthc.get(), + return handler -> new SecurityRestFilter(settings, threadContext, authcService.get(), secondayAuthc.get(), handler, extractClientCertificate); } @@ -1153,7 +1152,7 @@ public Function> getFieldFilter() { if (enabled) { return index -> { XPackLicenseState licenseState = getLicenseState(); - if (licenseState.isSecurityEnabled() == false) { + if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { return MapperPlugin.NOOP_FIELD_PREDICATE; } IndicesAccessControl indicesAccessControl = threadContext.get().getTransient( diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java index fecbf70c518ea..419653d73f808 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java 
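Review bot: In `getFieldFilter`, the lambda now checks `XPackSettings.SECURITY_ENABLED.get(settings) == false` on every index lookup, yet the surrounding `if (enabled)` already guards the branch; if `enabled` is derived from the same setting, as its name suggests, the inner check can never be true and should be dropped, and otherwise the boolean should be hoisted out of the per-index lambda since the setting cannot change at runtime. The local `XPackLicenseState licenseState = getLicenseState();` on the preceding line is no longer read by the lines in view; if nothing later in the lambda uses it, it is now dead. The lambda continues outside the hunk.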
@@ -8,9 +8,11 @@ import org.elasticsearch.action.support.ActionFilters; import org.elasticsearch.common.inject.Inject; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.transport.TransportService; import org.elasticsearch.xpack.core.XPackField; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.action.XPackInfoFeatureAction; import org.elasticsearch.xpack.core.action.XPackInfoFeatureTransportAction; @@ -19,13 +21,12 @@ */ public class SecurityInfoTransportAction extends XPackInfoFeatureTransportAction { - private final XPackLicenseState licenseState; + private final Settings settings; @Inject - public SecurityInfoTransportAction(TransportService transportService, ActionFilters actionFilters, - XPackLicenseState licenseState) { + public SecurityInfoTransportAction(TransportService transportService, ActionFilters actionFilters, Settings settings) { super(XPackInfoFeatureAction.SECURITY.name(), transportService, actionFilters); - this.licenseState = licenseState; + this.settings = settings; } @Override @@ -40,6 +41,6 @@ public boolean available() { @Override public boolean enabled() { - return licenseState.isSecurityEnabled(); + return XPackSettings.SECURITY_ENABLED.get(settings); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java index 39104cccd1843..f9cc5681ed786 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java 
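Review bot: The first hunk keeps `import org.elasticsearch.license.XPackLicenseState;` while the `licenseState` field and constructor parameter are removed in the second; unless `available()`, whose body lies between the hunks, still references the type, the import is now unused and will trip the build's import checks. The class Javadoc closing at the top of the second hunk could also record the new semantics, e.g. `Reports whether security is enabled on this node; driven by the xpack.security.enabled setting, not by the license.`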
@@ -88,7 +88,7 @@ protected void masterOperation(Task task, XPackUsageRequest request, ClusterStat final AtomicReference> roleMappingUsageRef = new AtomicReference<>(); final AtomicReference> realmsUsageRef = new AtomicReference<>(); - final boolean enabled = licenseState.isSecurityEnabled(); + final boolean enabled = XPackSettings.SECURITY_ENABLED.get(settings); final CountDown countDown = new CountDown(3); final Runnable doCountDown = () -> { if (countDown.countDown()) { @@ -139,8 +139,6 @@ protected void masterOperation(Task task, XPackUsageRequest request, ClusterStat static Map sslUsage(Settings settings) { // If security has been explicitly disabled in the settings, then SSL is also explicitly disabled, and we don't want to report // these http/transport settings as they would be misleading (they could report `true` even though they were ignored) - // But, if security has not been explicitly configured, but has defaulted to off due to the current license type, - // then these SSL settings are still respected (that is SSL might be enabled, while the rest of security is disabled). if (XPackSettings.SECURITY_ENABLED.get(settings)) { Map map = new HashMap<>(2); map.put("http", singletonMap("enabled", HTTP_SSL_ENABLED.get(settings))); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java index 31f3d309b1264..172878a53b0d9 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java 
@@ -22,12 +22,14 @@ import org.elasticsearch.action.support.ContextPreservingActionListener; import org.elasticsearch.action.support.DestructiveOperations; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.LicenseUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.XPackField; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege; @@ -56,16 +58,18 @@ public class SecurityActionFilter implements ActionFilter { private final ThreadContext threadContext; private final SecurityContext securityContext; private final DestructiveOperations destructiveOperations; + private final Settings settings; public SecurityActionFilter(AuthenticationService authcService, AuthorizationService authzService, AuditTrailService auditTrailService, XPackLicenseState licenseState, ThreadPool threadPool, - SecurityContext securityContext, DestructiveOperations destructiveOperations) { + SecurityContext securityContext, Settings settings, DestructiveOperations destructiveOperations) { this.authcService = authcService; this.authzService = authzService; this.auditTrailService = auditTrailService; this.licenseState = licenseState; this.threadContext = threadPool.getThreadContext(); this.securityContext = securityContext; + this.settings = settings; this.destructiveOperations = destructiveOperations; } 
@@ -88,7 +92,7 @@ public void app throw LicenseUtils.newComplianceException(XPackField.SECURITY); } - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { final ActionListener contextPreservingListener = ContextPreservingActionListener.wrapPreservingContext(listener, threadContext); final boolean useSystemUser = AuthorizationUtils.shouldReplaceUserWithSystem(threadContext, action); @@ -110,8 +114,8 @@ public void app listener.onFailure(e); } } else if (SECURITY_ACTION_MATCHER.test(action)) { - if (licenseState.isSecurityEnabled() == false) { - listener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a [" + + if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { + listener.onFailure(new ElasticsearchException("Security must be enabled when using a [" + licenseState.getOperationMode().description() + "] license. " + "Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " + "and restart the node.")); @@ -162,7 +166,7 @@ it to the action without an associated user (not via REST or transport - this is response); l.onResponse(response); })))); - } else if (licenseState.isSecurityEnabled() == false) { + } else if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { listener.onResponse(null); } else { listener.onFailure(new IllegalStateException("no authentication present but auth is allowed")); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java index 570d33a101cd5..dddb800c6a38d 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java 
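Review bot: The filter now calls `XPackSettings.SECURITY_ENABLED.get(settings)` at three sites on the request path (the hunks at new lines 92, 114 and 166), and as far as I recall `Setting#get` re-reads and parses the raw value on each call; since the setting is fixed for the node's lifetime, compute it once in the constructor hunk above as `this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);` and test `securityEnabled` here. The same per-call lookup appears in `AuditTrailService.get()` and in `ApiKeyService.isEnabled()`/`ensureEnabled()` in the hunks that follow. Separately, the rewritten error message still cites `licenseState.getOperationMode().description()` although the condition is now the node setting and not the license, so the license clause is misleading and can be dropped, leaving the `xpack.security.enabled` guidance. The enclosing methods start and end outside these hunks.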
@@ -8,12 +8,14 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestRequest; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportResponse; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; @@ -33,16 +35,18 @@ public class AuditTrailService { private static final AuditTrail NOOP_AUDIT_TRAIL = new NoopAuditTrail(); private final CompositeAuditTrail compositeAuditTrail; private final XPackLicenseState licenseState; + private final Settings settings; private final Duration minLogPeriod = Duration.ofMinutes(30); protected AtomicReference nextLogInstantAtomic = new AtomicReference<>(Instant.EPOCH); - public AuditTrailService(List auditTrails, XPackLicenseState licenseState) { + public AuditTrailService(List auditTrails, XPackLicenseState licenseState, Settings settings) { this.compositeAuditTrail = new CompositeAuditTrail(Collections.unmodifiableList(auditTrails)); this.licenseState = licenseState; + this.settings = settings; } public AuditTrail get() { - if (compositeAuditTrail.isEmpty() == false && licenseState.isSecurityEnabled()) { + if (compositeAuditTrail.isEmpty() == false && XPackSettings.SECURITY_ENABLED.get(settings)) { if (licenseState.checkFeature(Feature.SECURITY_AUDITING)) { return compositeAuditTrail; } else { 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index 1e5f552b91bf0..50fdacb12e310 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -749,11 +749,11 @@ private Instant getApiKeyExpiration(Instant now, CreateApiKeyRequest request) { } private boolean isEnabled() { - return enabled && licenseState.isSecurityEnabled(); + return enabled && XPackSettings.SECURITY_ENABLED.get(settings); } public void ensureEnabled() { - if (licenseState.isSecurityEnabled() == false) { + if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) { throw LicenseUtils.newComplianceException("security is not enabled"); } if (enabled == false) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index 7dc3849bd5fd0..b8ded7887b132 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java @@ -18,6 +18,7 @@ import org.elasticsearch.env.Environment; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; 
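Review bot: `ensureEnabled` now rejects a node-configuration condition with `LicenseUtils.newComplianceException("security is not enabled")`, which reports a license-compliance failure for something no license change can fix; with the check no longer license-driven, an exception naming `[xpack.security.enabled]` would describe the situation accurately (TokenService.ensureEnabled in the next file folds the same static check into its compliance exception). `if ( XPackSettings.SECURITY_ENABLED.get(settings) == false)` also carries a stray space after the parenthesis here and in the Realms and TokenService hunks. Neither hunk adds a `settings` field or an `XPackSettings` import to ApiKeyService, so both are presumably already in scope there — worth confirming before relying on this compiling.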
@@ -111,7 +112,7 @@ public Iterator iterator() { public List getUnlicensedRealms() { final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState(); // If auth is not allowed, then everything is unlicensed - if (licenseStateSnapshot.isSecurityEnabled() == false) { + if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) { return Collections.unmodifiableList(realms); } @@ -137,7 +138,7 @@ public Stream stream() { public List asList() { final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState(); - if (licenseStateSnapshot.isSecurityEnabled() == false) { + if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) { return Collections.emptyList(); } if (licenseStateSnapshot.checkFeature(Feature.SECURITY_ALL_REALMS)) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java index 13f403fc5113a..ceadbeed7c62c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java @@ -1579,12 +1579,12 @@ private static String getTokenIdFromDocumentId(String docId) { } private boolean isEnabled() { - return enabled && licenseState.isSecurityEnabled() && + return enabled && XPackSettings.SECURITY_ENABLED.get(settings) && licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE); } private void ensureEnabled() { - if (licenseState.isSecurityEnabled() == false || + if ( XPackSettings.SECURITY_ENABLED.get(settings) == false || licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) { throw LicenseUtils.newComplianceException("security tokens"); } 
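Review bot: The comment `// If auth is not allowed, then everything is unlicensed` above the first changed line describes a license condition the code no longer checks; `// If security is disabled by setting, no realm can be used, so report all of them as unlicensed` matches the new logic. In both methods `licenseState.copyCurrentLicenseState()` is taken before the setting check and is unused on the early-return path, so the snapshot could move below the guard. Both method bodies continue outside the hunks.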
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java index 0ee4737db9b6b..699b4be47f96c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java @@ -17,6 +17,7 @@ import org.elasticsearch.license.LicenseUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; @@ -42,6 +43,7 @@ public class DelegatedAuthorizationSupport { private final RealmUserLookup lookup; private final Logger logger; private final XPackLicenseState licenseState; + private final Settings settings; /** * Resolves the {@link DelegatedAuthorizationSettings#AUTHZ_REALMS} setting from {@code config} and calls @@ -64,6 +66,7 @@ protected DelegatedAuthorizationSupport(Iterable allRealms, Lis this.lookup = new RealmUserLookup(resolvedLookupRealms, threadContext); this.logger = LogManager.getLogger(getClass()); this.licenseState = licenseState; + this.settings = settings; } /** 
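Review bot: The new field is assigned from a `settings` value whose origin is outside the hunk (the protected constructor's signature is cut off), and `resolve` in the next hunk reads `xpack.security.enabled` from it; that only yields the node's value if these are the node-level settings rather than a realm-scoped subset, which is worth confirming at the call site. A comment on the field, `// node-level settings; resolve() reads xpack.security.enabled from them`, would record that expectation, and a null check beside the assignment would fail at construction rather than on the first delegated lookup.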
@@ -82,7 +85,7 @@ public boolean hasDelegation() { * with a meaningful diagnostic message. */ public void resolve(String username, ActionListener resultListener) { - boolean authzOk = licenseState.isSecurityEnabled() && licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM); + boolean authzOk = XPackSettings.SECURITY_ENABLED.get(settings) && licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM); if (authzOk == false) { resultListener.onResponse(AuthenticationResult.unsuccessful( DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX + " are not permitted", diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java index 4e81f7f3260c5..5da1619e7fcba 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java @@ -41,6 +41,7 @@ import org.elasticsearch.transport.TransportActionProxy; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.xpack.core.MigrateToDataStreamAction; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.action.CreateDataStreamAction; import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesRequest; import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse; 
@@ -398,7 +399,7 @@ AuthorizationEngine getAuthorizationEngine(final Authentication authentication) } private AuthorizationEngine getAuthorizationEngineForUser(final User user) { - if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() && + if (rbacEngine != authorizationEngine && XPackSettings.SECURITY_ENABLED.get(settings) && licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_ENGINE)) { if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternal(user)) { return rbacEngine; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java index b1ddb753f20fe..a530f7b556686 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authz; import org.elasticsearch.ElasticsearchSecurityException; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.shard.SearchOperationListener; import org.elasticsearch.license.XPackLicenseState; @@ -16,6 +17,7 @@ import org.elasticsearch.search.internal.SearchContext; import org.elasticsearch.search.internal.ShardSearchContextId; import org.elasticsearch.transport.TransportRequest; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.AuthenticationField; 
@@ -40,12 +42,12 @@ public final class SecuritySearchOperationListener implements SearchOperationListener { private final SecurityContext securityContext; - private final XPackLicenseState licenseState; private final AuditTrailService auditTrailService; + private final Settings settings; - public SecuritySearchOperationListener(SecurityContext securityContext, XPackLicenseState licenseState, AuditTrailService auditTrail) { + public SecuritySearchOperationListener(SecurityContext securityContext, Settings settings, AuditTrailService auditTrail) { this.securityContext = securityContext; - this.licenseState = licenseState; + this.settings = settings; this.auditTrailService = auditTrail; } @@ -54,7 +56,7 @@ public SecuritySearchOperationListener(SecurityContext securityContext, XPackLic */ @Override public void onNewScrollContext(ReaderContext readerContext) { - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { readerContext.putInContext(AuthenticationField.AUTHENTICATION_KEY, securityContext.getAuthentication()); // store the DLS and FLS permissions of the initial search request that created the scroll // this is then used to assert the DLS/FLS permission for the scroll search action @@ -71,7 +73,7 @@ public void onNewScrollContext(ReaderContext readerContext) { */ @Override public void validateReaderContext(ReaderContext readerContext, TransportRequest request) { - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { if (readerContext.scrollContext() != null) { final Authentication originalAuth = readerContext.getFromContext(AuthenticationField.AUTHENTICATION_KEY); final Authentication current = securityContext.getAuthentication(); 
@@ -103,7 +105,7 @@ public void onPreQueryPhase(SearchContext searchContext) { } void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) { - if (licenseState.isSecurityEnabled() && searchContext.readerContext().scrollContext() != null) { + if (XPackSettings.SECURITY_ENABLED.get(settings) && searchContext.readerContext().scrollContext() != null) { IndicesAccessControl threadIndicesAccessControl = securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); if (null == threadIndicesAccessControl) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java index 357bd36b7a318..eeeaadc967d5b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java @@ -10,13 +10,13 @@ import org.apache.lucene.search.QueryCachingPolicy; import org.apache.lucene.search.Weight; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.AbstractIndexComponent; import org.elasticsearch.index.IndexSettings; import org.elasticsearch.index.cache.query.QueryCache; import org.elasticsearch.indices.IndicesQueryCache; -import org.elasticsearch.license.LicenseStateListener; -import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; 
@@ -25,69 +25,42 @@ import java.util.Set; /** - * Opts out of the query cache if field level security is active for the current request, and it is unsafe to cache. Note that the method - * {@link #listenForLicenseStateChanges()} must be invoked after construction of the query cache and before any other public methods are - * invoked on this query cache. + * Opts out of the query cache if field level security is active for the current request, and it is unsafe to cache. */ -public final class OptOutQueryCache extends AbstractIndexComponent implements LicenseStateListener, QueryCache { +public final class OptOutQueryCache extends AbstractIndexComponent implements QueryCache { private final IndicesQueryCache indicesQueryCache; private final ThreadContext context; private final String indexName; - private final XPackLicenseState licenseState; - private volatile boolean licenseStateListenerRegistered; + private final Settings settings; public OptOutQueryCache( final IndexSettings indexSettings, final IndicesQueryCache indicesQueryCache, final ThreadContext context, - final XPackLicenseState licenseState) { + final Settings settings) { super(indexSettings); this.indicesQueryCache = indicesQueryCache; this.context = Objects.requireNonNull(context, "threadContext must not be null"); this.indexName = indexSettings.getIndex().getName(); - this.licenseState = Objects.requireNonNull(licenseState, "licenseState"); - } - - /** - * Register this query cache to listen for license state changes. This must be done after construction of this query cache before any - * other public methods are invoked on this query cache. - */ - public void listenForLicenseStateChanges() { - /* - * Registering this as a listener can not be done in the constructor because otherwise it would be unsafe publication of this. That - * is, it would expose this to another thread before the constructor had finished. 
Therefore, we have a dedicated method to register - * the listener that is invoked after the constructor has returned. - */ - assert licenseStateListenerRegistered == false; - licenseState.addListener(this); - licenseStateListenerRegistered = true; + this.settings = Objects.requireNonNull(settings, "settings must not be null"); } @Override public void close() throws ElasticsearchException { - assert licenseStateListenerRegistered; - licenseState.removeListener(this); clear("close"); } - @Override - public void licenseStateChanged() { - assert licenseStateListenerRegistered; - clear("license state changed"); - } @Override public void clear(final String reason) { - assert licenseStateListenerRegistered; logger.debug("full cache clear, reason [{}]", reason); indicesQueryCache.clearIndex(index().getName()); } @Override public Weight doCache(Weight weight, QueryCachingPolicy policy) { - assert licenseStateListenerRegistered; - if (licenseState.isSecurityEnabled() == false) { + if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { logger.debug("not opting out of the query cache; authorization is not allowed"); return indicesQueryCache.doCache(weight, policy); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java index 0856db171ebc6..ace4c39337b70 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java 
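Review bot: The debug message kept in `doCache`, `logger.debug("not opting out of the query cache; authorization is not allowed");`, still phrases the condition in license terms while the guard in front of it is now the static `xpack.security.enabled` setting; `"not opting out of the query cache; security is disabled"` says what the branch tests. Dropping `LicenseStateListener` also removes `listenForLicenseStateChanges()`, so whatever constructs this cache and called that method (outside this diff) must lose the call or it will not compile. The removed `clear("license state changed")` was what invalidated cached weights when the license flipped security on or off; a static setting cannot flip at runtime, but the class Javadoc should say why the cache no longer needs to listen for license changes. doCache continues past the end of the hunk.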
@@ -14,11 +14,13 @@ import org.elasticsearch.action.bulk.BulkShardRequest; import org.elasticsearch.action.update.UpdateRequest; import org.elasticsearch.common.MemoizedSupplier; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -34,16 +36,18 @@ public class BulkShardRequestInterceptor implements RequestInterceptor { private final ThreadContext threadContext; private final XPackLicenseState licenseState; + private final Settings settings; - public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) { + public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings) { this.threadContext = threadPool.getThreadContext(); this.licenseState = licenseState; + this.settings = settings; } @Override public void intercept(RequestInfo requestInfo, AuthorizationEngine authzEngine, AuthorizationInfo authorizationInfo, ActionListener listener) { - boolean shouldIntercept = licenseState.isSecurityEnabled(); + boolean shouldIntercept = XPackSettings.SECURITY_ENABLED.get(settings); var licenseChecker = new MemoizedSupplier<>(() -> licenseState.checkFeature(Feature.SECURITY_DLS_FLS)); if (requestInfo.getRequest() instanceof BulkShardRequest && shouldIntercept) { IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java index 928dad255a058..2dfc9d2d4a90c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java @@ -8,10 +8,11 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.ingest.AbstractProcessor; import org.elasticsearch.ingest.IngestDocument; import org.elasticsearch.ingest.Processor; -import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.user.User; 
@@ -41,16 +42,16 @@ public final class SetSecurityUserProcessor extends AbstractProcessor { private final Logger logger = LogManager.getLogger(); private final SecurityContext securityContext; - private final XPackLicenseState licenseState; + private final Settings settings; private final String field; private final Set properties; - public SetSecurityUserProcessor(String tag, String description, SecurityContext securityContext, XPackLicenseState licenseState, + public SetSecurityUserProcessor(String tag, String description, SecurityContext securityContext, Settings settings, String field, Set properties) { super(tag, description); this.securityContext = securityContext; - this.licenseState = Objects.requireNonNull(licenseState, "license state cannot be null"); - if (licenseState.isSecurityEnabled() == false) { + this.settings = Objects.requireNonNull(settings, "settings object cannot be null"); + if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { logger.warn("Creating processor [{}] (tag [{}]) on field [{}] but authentication is not currently enabled on this cluster " + " - this processor is likely to fail at runtime if it is used", TYPE, tag, field); } else if (this.securityContext == null) { @@ -74,7 +75,7 @@ public IngestDocument execute(IngestDocument ingestDocument) throws Exception { if (user == null) { logger.debug( "Failed to find active user. SecurityContext=[{}] Authentication=[{}] User=[{}]", securityContext, authentication, user); - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { // This shouldn't happen. If authentication is allowed (and active), then there _should_ always be an authenticated user. // If we ever see this error message, then one of our assumptions are wrong. throw new IllegalStateException("There is no authenticated user - the [" + TYPE 
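Review bot: The constructor warning, `"... but authentication is not currently enabled on this cluster - this processor is likely to fail at runtime if it is used"`, was written for a license-driven state that could change; now that the gate is the static `xpack.security.enabled` node setting nothing can turn it on at runtime, so if the disabled branch of `execute` (past the end of the second hunk) throws, the processor is guaranteed to fail and the Factory could refuse to create it, or at least the message should drop "currently" and "likely". The second hunk only shows the enabled branch of execute.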
@@ -183,11 +184,11 @@ Set getProperties() { public static final class Factory implements Processor.Factory { private final Supplier securityContext; - private final Supplier licenseState; + private final Settings settings; - public Factory(Supplier securityContext, Supplier licenseState) { + public Factory(Supplier securityContext, Settings settings) { this.securityContext = securityContext; - this.licenseState = licenseState; + this.settings = settings; } @Override @@ -204,7 +205,7 @@ public SetSecurityUserProcessor create(Map processorF } else { properties = EnumSet.allOf(Property.class); } - return new SetSecurityUserProcessor(tag, description, securityContext.get(), licenseState.get(), field, properties); + return new SetSecurityUserProcessor(tag, description, securityContext.get(), settings, field, properties); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java index 643e7562ea8a1..4faee73265f83 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java @@ -15,12 +15,12 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.logging.HeaderWarning; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.Maps; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.MediaType; import org.elasticsearch.common.xcontent.MediaTypeRegistry; import org.elasticsearch.http.HttpChannel; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.BytesRestResponse; import org.elasticsearch.rest.RestChannel; import org.elasticsearch.rest.RestHandler; 
@@ -28,6 +28,7 @@ import org.elasticsearch.rest.RestRequest.Method; import org.elasticsearch.rest.RestRequestFilter; import org.elasticsearch.rest.RestStatus; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.security.authc.AuthenticationService; import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator; import org.elasticsearch.xpack.security.transport.SSLEngineUtils; @@ -43,13 +44,13 @@ public class SecurityRestFilter implements RestHandler { private final RestHandler restHandler; private final AuthenticationService authenticationService; private final SecondaryAuthenticator secondaryAuthenticator; - private final XPackLicenseState licenseState; + private final Settings settings; private final ThreadContext threadContext; private final boolean extractClientCertificate; - public SecurityRestFilter(XPackLicenseState licenseState, ThreadContext threadContext, AuthenticationService authenticationService, + public SecurityRestFilter(Settings settings, ThreadContext threadContext, AuthenticationService authenticationService, SecondaryAuthenticator secondaryAuthenticator, RestHandler restHandler, boolean extractClientCertificate) { - this.licenseState = licenseState; + this.settings = settings; this.threadContext = threadContext; this.authenticationService = authenticationService; this.secondaryAuthenticator = secondaryAuthenticator; @@ -64,7 +65,7 @@ public boolean allowSystemIndexAccessByDefault() { @Override public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception { - if (licenseState.isSecurityEnabled() && request.method() != Method.OPTIONS) { + if (XPackSettings.SECURITY_ENABLED.get(settings) && request.method() != Method.OPTIONS) { // CORS - allow for preflight unauthenticated OPTIONS request if (extractClientCertificate) { HttpChannel httpChannel = request.getHttpChannel(); 
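Review bot: `if (XPackSettings.SECURITY_ENABLED.get(settings) && request.method() != Method.OPTIONS)` re-parses the setting on every REST request, and if this filter is only installed by the plugin when security is enabled (my recollection of the wrapper registration, which is not in view) the setting half is always true; either drop it or compute it once as a `final boolean` in the constructor with a comment explaining why the check is kept as defence in depth. handleRequest's body continues outside the hunk.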
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java index 3dcbfe104dd1b..360efbc984154 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java @@ -57,8 +57,7 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie /** * Check whether the given request is allowed within the current license state and setup, * and return the name of any unlicensed feature. - * By default this returns an exception if security is not available by the current license or - * security is not enabled. + * By default this returns an exception if security is not enabled. * Sub-classes can override this method if they have additional requirements. * * @return {@code null} if all required features are available, otherwise an exception to be @@ -67,11 +66,6 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie protected Exception checkFeatureAvailable(RestRequest request) { if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { return new IllegalStateException("Security is not enabled but a security rest handler is registered"); - } else if (licenseState.isSecurityEnabled() == false) { - return new ElasticsearchException("Security must be explicitly enabled when using a [" + - licenseState.getOperationMode().description() + "] license. " + - "Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " + - "and restart the node."); } else { return null; } 
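Review bot: The Javadoc's first sentence, `Check whether the given request is allowed within the current license state and setup,`, still promises a license check that the default `checkFeatureAvailable` no longer makes; `Check whether the given request is allowed by the current setup, and return the name of any unlicensed feature.` describes the default while leaving room for subclasses that add license checks. With the license branch gone, the `ElasticsearchException` import and, unless used elsewhere in the class, the `licenseState` field may now be unused, so a compiler-warning pass on this file is worthwhile. The method body is complete within the hunk.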
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java
deleted file mode 100644
index da71f41bb8604..0000000000000
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java
+++ /dev/null
@@ -1,52 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -package org.elasticsearch.xpack.security.support; - -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.elasticsearch.Version; -import org.elasticsearch.license.LicenseStateListener; -import org.elasticsearch.license.XPackLicenseState; - -import java.util.Objects; - -/** - * A listener for license state changes that provides log messages when a license change - * causes security to switch between enable and disabled (or vice versa). - */ -public class SecurityStatusChangeListener implements LicenseStateListener { - - private final Logger logger; - private final XPackLicenseState licenseState; - private Boolean securityEnabled; - - public SecurityStatusChangeListener(XPackLicenseState licenseState) { - this.logger = LogManager.getLogger(getClass()); - this.licenseState = licenseState; - this.securityEnabled = null; - } - - /** - * This listener will not be registered if security has been explicitly disabled, so we only need to account for dynamic changes due - * to changes in the applied license. - */ - @Override - public synchronized void licenseStateChanged() { - final boolean newState = licenseState.isSecurityEnabled(); - // old state might be null (undefined) so do Object comparison - if (Objects.equals(newState, securityEnabled) == false) { - logger.info("Active license is now [{}]; Security is {}", licenseState.getOperationMode(), newState ? "enabled" : "disabled"); - if (newState == false) { - logger.warn("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + - "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." 
+ - Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); - } - this.securityEnabled = newState; - } - } -} diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java index ccc4edf1c655e..53a3254b149ea 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java @@ -90,7 +90,7 @@ public AsyncSender interceptSender(AsyncSender sender) { @Override public void sendRequest(Transport.Connection connection, String action, TransportRequest request, TransportRequestOptions options, TransportResponseHandler handler) { - final boolean requireAuth = shouldRequireExistingAuthentication(); + final boolean requireAuth = XPackSettings.SECURITY_ENABLED.get(settings); // the transport in core normally does this check, BUT since we are serializing to a string header we need to do it // ourselves otherwise we wind up using a version newer than what we can actually send final Version minVersion = Version.min(connection.getVersion(), Version.CURRENT); 
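Review bot: `requireAuth` drops the `isStateNotRecovered == false` half of the removed `shouldRequireExistingAuthentication()` (deleted in the next hunk), so outgoing requests apparently now require an authentication header even before the cluster state has recovered. The removed comment tied that carve-out to a license being installed mid-flight, which no longer applies to a static setting, so the change looks intentional — but then the `isStateNotRecovered` field and whatever cluster-state listener maintains it (not in view) are dead and should go with it; if it was not intentional, restore `&& isStateNotRecovered == false`. sendRequest continues outside the hunk.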
@@ -119,22 +119,6 @@ public void sendRequest(Transport.Connection conne }; } - /** - * Based on the current cluster state & license, should we require that all outgoing actions have an authentication header - * of some sort? - */ - private boolean shouldRequireExistingAuthentication() { - // If the license state is MISSING, then auth is not allowed. - // However this makes it difficult to installing a valid license, because that might implicitly turn on security. - // When security is enabled on the master node it will then reject any actions that do not have authentication headers - // but there may be in-flight internal actions (that will not have authentication headers) such as "cluster/shard/started" - // which we don't want to reject. - // So, we always send authentication headers for actions that have an implied user (system-user or explicit-origin) - // and then for other (user originated) actions we enforce that there is an authentication header that we can send, iff the - // current license allows authentication. - return licenseState.isSecurityEnabled() && isStateNotRecovered == false; - } - private void sendWithUser(Transport.Connection connection, String action, TransportRequest request, TransportRequestOptions options, TransportResponseHandler handler, AsyncSender sender, final boolean requireAuthentication) { @@ -162,7 +146,7 @@ public TransportRequestHandler interceptHandler( boolean forceExecution, TransportRequestHandler actualHandler) { return new ProfileSecuredRequestHandler<>(logger, action, forceExecution, executor, actualHandler, profileFilters, - licenseState, threadPool); + settings, threadPool); } private Map initializeProfileFilters(DestructiveOperations destructiveOperations) { 
@@ -176,7 +160,7 @@ private Map initializeProfileFilters(DestructiveO final SSLConfiguration profileConfiguration = entry.getValue(); final boolean extractClientCert = transportSSLEnabled && sslService.isSSLClientAuthEnabled(profileConfiguration); profileFilters.put(entry.getKey(), new ServerTransportFilter(authcService, authzService, threadPool.getThreadContext(), - extractClientCert, destructiveOperations, securityContext, licenseState)); + extractClientCert, destructiveOperations, securityContext, settings)); } return Collections.unmodifiableMap(profileFilters); @@ -187,7 +171,7 @@ public static class ProfileSecuredRequestHandler imp private final String action; private final TransportRequestHandler handler; private final Map profileFilters; - private final XPackLicenseState licenseState; + private final Settings settings; private final ThreadContext threadContext; private final String executorName; private final ThreadPool threadPool; @@ -196,13 +180,13 @@ public static class ProfileSecuredRequestHandler imp ProfileSecuredRequestHandler(Logger logger, String action, boolean forceExecution, String executorName, TransportRequestHandler handler, Map profileFilters, - XPackLicenseState licenseState, ThreadPool threadPool) { + Settings settings, ThreadPool threadPool) { this.logger = logger; this.action = action; this.executorName = executorName; this.handler = handler; this.profileFilters = profileFilters; - this.licenseState = licenseState; + this.settings = settings; this.threadContext = threadPool.getThreadContext(); this.threadPool = threadPool; this.forceExecution = forceExecution; 
@@ -251,7 +235,7 @@ public String toString() { @Override public void messageReceived(T request, TransportChannel channel, Task task) throws Exception { try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) { - if (licenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { String profile = channel.getProfileName(); ServerTransportFilter filter = profileFilters.get(profile); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java index 303fb4d61ee6a..57ffdce30238a 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java @@ -15,8 +15,8 @@ import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction; import org.elasticsearch.action.admin.indices.open.OpenIndexAction; import org.elasticsearch.action.support.DestructiveOperations; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.transport.TaskTransportChannel; import org.elasticsearch.transport.TcpChannel; import org.elasticsearch.transport.TcpTransportChannel; @@ -25,6 +25,7 @@ import org.elasticsearch.transport.TransportService; import org.elasticsearch.transport.netty4.Netty4TcpChannel; import org.elasticsearch.transport.nio.NioTcpChannel; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.user.SystemUser; 
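Review bot: `messageReceived` now evaluates `XPackSettings.SECURITY_ENABLED.get(settings)` on every inbound message, which parses the setting each time. Node `Settings` do not change after construction, so resolve it once in the `ProfileSecuredRequestHandler` constructor (`this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);`) and test the boolean field here; the same applies to `sendRequest` in the first hunk of this file and to the `listener.onResponse(null)` branch of `ServerTransportFilter` in the next file. The enclosing method continues past the hunk.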
@@ -47,18 +48,18 @@ final class ServerTransportFilter { private final boolean extractClientCert; private final DestructiveOperations destructiveOperations; private final SecurityContext securityContext; - private final XPackLicenseState licenseState; + private final Settings settings; ServerTransportFilter(AuthenticationService authcService, AuthorizationService authzService, ThreadContext threadContext, boolean extractClientCert, DestructiveOperations destructiveOperations, - SecurityContext securityContext, XPackLicenseState licenseState) { + SecurityContext securityContext, Settings settings) { this.authcService = authcService; this.authzService = authzService; this.threadContext = threadContext; this.extractClientCert = extractClientCert; this.destructiveOperations = destructiveOperations; this.securityContext = securityContext; - this.licenseState = licenseState; + this.settings = settings; } /** @@ -111,7 +112,7 @@ requests from all the nodes are attached with a user (either a serialize } else { authzService.authorize(authentication, securityAction, request, listener); } - } else if (licenseState.isSecurityEnabled() == false) { + } else if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { listener.onResponse(null); } else { listener.onFailure(new IllegalStateException("no authentication present but auth is allowed")); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java index bf5219c89be7f..8a005c325f0cb 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java 
@@ -20,6 +20,7 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.transport.TransportSettings; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.security.audit.AuditTrail; import org.elasticsearch.xpack.security.audit.AuditTrailService; @@ -147,6 +148,7 @@ public IpFilterRuleType ruleType() { private final AuditTrailService auditTrailService; private final XPackLicenseState licenseState; + private final Settings settings; private final boolean alwaysAllowBoundAddresses; private volatile Map rules = Collections.emptyMap(); @@ -167,6 +169,7 @@ public IPFilter(final Settings settings, AuditTrailService auditTrailService, Cl XPackLicenseState licenseState) { this.auditTrailService = auditTrailService; this.licenseState = licenseState; + this.settings = settings; this.alwaysAllowBoundAddresses = ALLOW_BOUND_ADDRESSES_SETTING.get(settings); httpDenyFilter = HTTP_FILTER_DENY_SETTING.get(settings); httpAllowFilter = HTTP_FILTER_ALLOW_SETTING.get(settings); @@ -245,7 +248,7 @@ private void setHttpFiltering(boolean enabled) { } public boolean accept(String profile, InetSocketAddress peerAddress) { - if (licenseState.isSecurityEnabled() == false || + if (XPackSettings.SECURITY_ENABLED.get(settings) || licenseState.checkFeature(Feature.SECURITY_IP_FILTERING) == false) { return true; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java index 4855306acbe69..f443fb066d9ea 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java 
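Review bot: The rewritten condition in `IPFilter.accept` drops the `== false` that the old `licenseState.isSecurityEnabled() == false` carried, so the logic is inverted: with `xpack.security.enabled` true, `accept` returns `true` for every peer and no IP-filter rule is ever consulted, while with security disabled the rules are still applied. The line should read `if (XPackSettings.SECURITY_ENABLED.get(settings) == false ||`. A test that constructs `IPFilter` with security enabled plus a deny rule and asserts that the matching address is rejected would catch this; no IPFilter test changes appear in this diff.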
@@ -71,19 +71,18 @@ public void init() throws Exception { public void testAvailable() { SecurityInfoTransportAction featureSet = new SecurityInfoTransportAction( - mock(TransportService.class), mock(ActionFilters.class), licenseState); + mock(TransportService.class), mock(ActionFilters.class), settings); assertThat(featureSet.available(), is(true)); } public void testEnabled() { SecurityInfoTransportAction featureSet = new SecurityInfoTransportAction( - mock(TransportService.class), mock(ActionFilters.class), licenseState); - when(licenseState.isSecurityEnabled()).thenReturn(true); + mock(TransportService.class), mock(ActionFilters.class), settings); assertThat(featureSet.enabled(), is(true)); - when(licenseState.isSecurityEnabled()).thenReturn(false); + Settings disabled = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(),false).build(); featureSet = new SecurityInfoTransportAction( - mock(TransportService.class), mock(ActionFilters.class), licenseState); + mock(TransportService.class), mock(ActionFilters.class), disabled); assertThat(featureSet.enabled(), is(false)); } @@ -91,7 +90,6 @@ public void testUsage() throws Exception { final boolean explicitlyDisabled = randomBoolean(); final boolean enabled = explicitlyDisabled == false && randomBoolean(); final boolean operatorPrivilegesAvailable = randomBoolean(); - when(licenseState.isSecurityEnabled()).thenReturn(enabled); when(licenseState.isAllowed(XPackLicenseState.Feature.OPERATOR_PRIVILEGES)).thenReturn(operatorPrivilegesAvailable); Settings.Builder settings = Settings.builder().put(this.settings); 
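Review bot: `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(),false)` in `testEnabled` is missing the space after the comma that the rest of the file uses; write `Settings disabled = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();`. Naming it `securityDisabledSettings`, as `SetSecurityUserProcessorTests.testSecurityDisabled` does later in this patch, would keep the two tests consistent.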
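Review bot: After removing `when(licenseState.isSecurityEnabled()).thenReturn(enabled)`, the `enabled` flag computed at the top of `testUsage` is no longer connected to anything visible in the hunk; unless the lines below put it into the builder (`settings.put(XPackSettings.SECURITY_ENABLED.getKey(), enabled)`), the security-disabled branch of the usage output is no longer exercised, which matters because `testUsageOnTrialLicenseWithSecurityDisabledByDefault` is deleted in the next hunk. The method body continues outside the hunk, so this may already be handled there.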
@@ -249,58 +247,6 @@ public void testUsage() throws Exception { } } - public void testUsageOnTrialLicenseWithSecurityDisabledByDefault() throws Exception { - when(licenseState.isSecurityEnabled()).thenReturn(false); - - Settings.Builder settings = Settings.builder().put(this.settings); - - final boolean httpSSLEnabled = randomBoolean(); - settings.put("xpack.security.http.ssl.enabled", httpSSLEnabled); - final boolean transportSSLEnabled = randomBoolean(); - settings.put("xpack.security.transport.ssl.enabled", transportSSLEnabled); - - final boolean auditingEnabled = randomBoolean(); - settings.put(XPackSettings.AUDIT_ENABLED.getKey(), auditingEnabled); - - final boolean rolesStoreEnabled = randomBoolean(); - configureRoleStoreUsage(rolesStoreEnabled); - - final boolean roleMappingStoreEnabled = randomBoolean(); - configureRoleMappingStoreUsage(roleMappingStoreEnabled); - - configureRealmsUsage(Collections.emptyMap()); - - var usageAction = newUsageAction(settings.build()); - PlainActionFuture future = new PlainActionFuture<>(); - usageAction.masterOperation(null, null, null, future); - SecurityFeatureSetUsage securityUsage = (SecurityFeatureSetUsage) future.get().getUsage(); - BytesStreamOutput out = new BytesStreamOutput(); - securityUsage.writeTo(out); - XPackFeatureSet.Usage serializedUsage = new SecurityFeatureSetUsage(out.bytes().streamInput()); - for (XPackFeatureSet.Usage usage : Arrays.asList(securityUsage, serializedUsage)) { - assertThat(usage, is(notNullValue())); - assertThat(usage.name(), is(XPackField.SECURITY)); - assertThat(usage.enabled(), is(false)); - assertThat(usage.available(), is(true)); - XContentSource source = getXContentSource(usage); - - // check SSL : This is permitted even though security has been dynamically disabled by the trial license. 
- assertThat(source.getValue("ssl"), is(notNullValue())); - assertThat(source.getValue("ssl.http.enabled"), is(httpSSLEnabled)); - assertThat(source.getValue("ssl.transport.enabled"), is(transportSSLEnabled)); - - // everything else is missing because security is disabled - assertThat(source.getValue("realms"), is(nullValue())); - assertThat(source.getValue("token_service"), is(nullValue())); - assertThat(source.getValue("api_key_service"), is(nullValue())); - assertThat(source.getValue("audit"), is(nullValue())); - assertThat(source.getValue("anonymous"), is(nullValue())); - assertThat(source.getValue("ipfilter"), is(nullValue())); - assertThat(source.getValue("roles"), is(nullValue())); - assertThat(source.getValue("operator_privileges"), is(nullValue())); - } - } - private XContentSource getXContentSource(XPackFeatureSet.Usage usage) throws IOException { XContentSource source; try (XContentBuilder builder = XContentFactory.jsonBuilder()) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java index 2f5620e787375..f60a3178e5a9e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java @@ -82,7 +82,6 @@ public void init() throws Exception { when(auditTrailService.get()).thenReturn(auditTrail); chain = mock(ActionFilterChain.class); licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); ThreadPool threadPool = mock(ThreadPool.class); threadContext = new ThreadContext(Settings.EMPTY); when(threadPool.getThreadContext()).thenReturn(threadContext); 
@@ -100,7 +99,7 @@ public void init() throws Exception { SecurityContext securityContext = new SecurityContext(settings, threadContext); filter = new SecurityActionFilter(authcService, authzService, auditTrailService, licenseState, threadPool, - securityContext, destructiveOperations); + securityContext, settings, destructiveOperations); } public void testApply() throws Exception { @@ -276,7 +275,6 @@ public void testApplyUnlicensed() throws Exception { ActionListener listener = mock(ActionListener.class); ActionFilterChain chain = mock(ActionFilterChain.class); Task task = mock(Task.class); - when(licenseState.isSecurityEnabled()).thenReturn(false); filter.apply(task, "_action", request, listener, chain); verifyZeroInteractions(authcService); verifyZeroInteractions(authzService); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java index 1dc62ad01f48a..d4775c78e9af3 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java @@ -10,6 +10,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.common.logging.Loggers; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; 
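Review bot: `testApplyUnlicensed` now runs against the `filter` built in `init()` from `settings`, and nothing in the hunk replaces the removed `thenReturn(false)` stub with a security-disabled configuration, so the `verifyZeroInteractions(authcService)` expectations are presumably checked with security enabled. Unless `settings` in `init()` already disables security, build a dedicated filter in this test from `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()`, as `SetSecurityUserProcessorTests.testSecurityDisabled` does later in this patch, and rename the test since the license no longer drives the check. The method body continues outside the hunk.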
@@ -58,9 +59,8 @@ public void init() throws Exception { } auditTrails = unmodifiableList(auditTrailsBuilder); licenseState = mock(XPackLicenseState.class); - service = new AuditTrailService(auditTrails, licenseState); + service = new AuditTrailService(auditTrails, licenseState, Settings.EMPTY); isAuditingAllowed = randomBoolean(); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed); token = mock(AuthenticationToken.class); request = mock(TransportRequest.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java index f3faf992a78c8..62b30fe813c05 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java @@ -214,7 +214,6 @@ public void init() throws Exception { .build(); XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS)).thenReturn(true); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); 
@@ -227,7 +226,7 @@ public void init() throws Exception { Collections.singletonList(firstRealm))); auditTrail = mock(AuditTrail.class); - auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); + auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, settings); client = mock(Client.class); threadPool = new ThreadPool(settings, new FixedExecutorBuilder(settings, THREAD_POOL_NAME, 1, 1000, diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java index 7981a205f4979..072a7603b63da 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java @@ -104,7 +104,7 @@ public void setupMocks() throws Exception { when(realms.asList()).thenReturn(List.of(realm)); when(realms.getUnlicensedRealms()).thenReturn(List.of()); - final AuditTrailService auditTrail = new AuditTrailService(Collections.emptyList(), null); + final AuditTrailService auditTrail = new AuditTrailService(Collections.emptyList(), null, Settings.EMPTY); final AuthenticationFailureHandler failureHandler = new DefaultAuthenticationFailureHandler(Map.of()); final AnonymousUser anonymous = new AnonymousUser(settings); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java index 8ac791d223aa0..4a0680c2dc8e0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java @@ -237,9 +237,8 @@ public void setup() { when(clusterService.state()).thenReturn(ClusterState.EMPTY_STATE); auditTrail = mock(AuditTrail.class); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); - auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); + auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); threadContext = new ThreadContext(settings); threadPool = mock(ThreadPool.class); when(threadPool.getThreadContext()).thenReturn(threadContext); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java index ce1b3e5f6802a..641f8d11a0e93 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java @@ -25,6 +25,7 @@ import org.elasticsearch.indices.IndicesQueryCache; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; 
@@ -129,15 +130,13 @@ public void testOptOutQueryCacheAuthIsNotAllowed() { final Settings.Builder settings = Settings.builder() .put("index.version.created", Version.CURRENT) .put("index.number_of_shards", 1) - .put("index.number_of_replicas", 0); + .put("index.number_of_replicas", 0) + .put(XPackSettings.SECURITY_ENABLED.getKey(), false); final IndexMetadata indexMetadata = IndexMetadata.builder("index").settings(settings).build(); final IndexSettings indexSettings = new IndexSettings(indexMetadata, Settings.EMPTY); final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class); final ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(false); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState); - cache.listenForLicenseStateChanges(); + final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, settings.build()); final Weight weight = mock(Weight.class); final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); cache.doCache(weight, policy); 
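Review bot: `testOptOutQueryCacheAuthIsNotAllowed` puts `xpack.security.enabled=false` into the same builder that holds the `index.*` settings and then passes `settings.build()` as the node settings to `OptOutQueryCache`, so the index metadata is also created with a node-level key in it. Build a separate node `Settings` (`Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()`) and leave the index builder as it was. With the `mock(XPackLicenseState.class)` lines removed here and in the two following hunks, the `XPackLicenseState` import shown as context in the previous hunk looks unused unless another test in the file still references it.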
@@ -153,10 +152,7 @@ public void testOptOutQueryCacheNoIndicesPermissions() { final IndexSettings indexSettings = new IndexSettings(indexMetadata, Settings.EMPTY); final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class); final ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState); - cache.listenForLicenseStateChanges(); + final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, Settings.EMPTY); final Weight weight = mock(Weight.class); final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); final Weight w = cache.doCache(weight, policy); 
@@ -178,33 +174,13 @@ public void testOptOutQueryCacheIndexDoesNotHaveFieldLevelSecurity() { final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class); when(indicesAccessControl.getIndexPermissions("index")).thenReturn(indexAccessControl); threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState); - cache.listenForLicenseStateChanges(); + final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, Settings.EMPTY); final Weight weight = mock(Weight.class); final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); cache.doCache(weight, policy); verify(indicesQueryCache).doCache(same(weight), same(policy)); } - public void testOptOutQueryCacheRemovesLicenseStateListenerOnClose() { - final Settings.Builder settings = Settings.builder() - .put("index.version.created", Version.CURRENT) - .put("index.number_of_shards", 1) - .put("index.number_of_replicas", 0); - final IndexMetadata indexMetadata = IndexMetadata.builder("index").settings(settings).build(); - final IndexSettings indexSettings = new IndexSettings(indexMetadata, Settings.EMPTY); - final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class); - final ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final XPackLicenseState licenseState = mock(XPackLicenseState.class); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState); - cache.listenForLicenseStateChanges(); - verify(licenseState).addListener(cache); - cache.close(); - verify(licenseState).removeListener(cache); - } - private static FieldPermissionsDefinition fieldPermissionDef(String[] granted, String[] 
denied) { return new FieldPermissionsDefinition(granted, denied); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java index fca94d3217719..69287369ad209 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java @@ -47,11 +47,10 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase { public void testInterceptorThrowsWhenFLSDLSEnabled() { XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), new RealmRef(null, null, null)); final FieldPermissions fieldPermissions; 
@@ -106,11 +105,10 @@ public void testInterceptorThrowsWhenFLSDLSEnabled() { public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception { XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(randomBoolean()); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), new RealmRef(null, null, null)); final String action = IndicesAliasesAction.NAME; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java index 518ad872577e0..4c7d413587792 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java 
@@ -51,13 +51,12 @@ public class ResizeRequestInterceptorTests extends ESTestCase { public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() { XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); ThreadPool threadPool = mock(ThreadPool.class); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); when(threadPool.getThreadContext()).thenReturn(threadContext); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); final Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), null); final FieldPermissions fieldPermissions; final boolean useFls = randomBoolean(); 
@@ -103,13 +102,12 @@ public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() { public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception { XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); ThreadPool threadPool = mock(ThreadPool.class); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); when(threadPool.getThreadContext()).thenReturn(threadContext); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); final Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), null); Role role = Role.builder() .add(IndexPrivilege.ALL, "target") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java index 92f81fbeae252..228355f8df781 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java 
@@ -13,6 +13,7 @@ import org.elasticsearch.ingest.IngestDocument; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType; @@ -39,14 +40,11 @@ public class SetSecurityUserProcessorTests extends ESTestCase { private ThreadContext threadContext; private SecurityContext securityContext; - private XPackLicenseState licenseState; @Before public void setupObjects() { threadContext = new ThreadContext(Settings.EMPTY); securityContext = new SecurityContext(Settings.EMPTY, threadContext); - licenseState = Mockito.mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); } public void testProcessorWithData() throws Exception { @@ -55,7 +53,7 @@ public void testProcessorWithData() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); processor.execute(ingestDocument); Map result = ingestDocument.getFieldValue("_field", Map.class); 
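Review bot: Removing the `licenseState` field and its `Mockito.mock`/`when` stubs from `setupObjects` likely leaves the `XPackLicenseState` import (still context in the first hunk of this file) and the `Mockito`/`when` imports unused, unless another test in the file still references them; drop whichever are now unreferenced so the build's import checks pass. The remaining hunks of this file only swap the constructor argument to `Settings.EMPTY`, which makes every test except `testSecurityDisabled` depend on the default value of `xpack.security.enabled` rather than an explicit setting.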
@@ -96,7 +94,7 @@ public void testProcessorWithEmptyUserData() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); processor.execute(ingestDocument); Map result = ingestDocument.getFieldValue("_field", Map.class); // Still holds data for realm and authentication type 
@@ -109,17 +107,17 @@ public void testProcessorWithEmptyUserData() throws Exception { public void testNoCurrentUser() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); IllegalStateException e = expectThrows(IllegalStateException.class, () -> processor.execute(ingestDocument)); assertThat(e.getMessage(), equalTo("There is no authenticated user - the [set_security_user] processor requires an authenticated user")); } public void testSecurityDisabled() throws Exception { - when(licenseState.isSecurityEnabled()).thenReturn(false); + Settings securityDisabledSettings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, securityDisabledSettings, "_field", EnumSet.allOf(Property.class)); IllegalStateException e = expectThrows(IllegalStateException.class, () -> processor.execute(ingestDocument)); assertThat(e.getMessage(), equalTo("Security (authentication) is not enabled on this cluster, so there is no active user" + " - the [set_security_user] processor cannot be used without security")); 
@@ -131,7 +129,7 @@ public void testUsernameProperties() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.USERNAME)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.USERNAME)); processor.execute(ingestDocument); @SuppressWarnings("unchecked") @@ -146,7 +144,7 @@ public void testRolesProperties() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.ROLES)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.ROLES)); processor.execute(ingestDocument); @SuppressWarnings("unchecked") @@ -165,7 +163,7 @@ public void testFullNameProperties() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor - = new SetSecurityUserProcessor("_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.FULL_NAME)); + = new SetSecurityUserProcessor("_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.FULL_NAME)); processor.execute(ingestDocument); @SuppressWarnings("unchecked") @@ -180,7 +178,7 @@ public void testEmailProperties() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.EMAIL)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.EMAIL)); processor.execute(ingestDocument); @SuppressWarnings("unchecked") 
@@ -199,7 +197,7 @@ public void testMetadataProperties() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.METADATA)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.METADATA)); processor.execute(ingestDocument); @SuppressWarnings("unchecked") @@ -217,7 +215,7 @@ public void testOverwriteExistingField() throws Exception { authentication.writeToContext(threadContext); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.of(Property.USERNAME)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.of(Property.USERNAME)); IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); ingestDocument.setFieldValue("_field", "test"); @@ -257,7 +255,7 @@ public void testApiKeyPopulation() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); processor.execute(ingestDocument); Map result = ingestDocument.getFieldValue("_field", Map.class); 
@@ -288,7 +286,7 @@ public void testWillNotOverwriteExistingApiKeyAndRealm() throws Exception { "_field", Map.of("api_key", Map.of("version", 42), "realm", Map.of("id", 7)) )), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); processor.execute(ingestDocument); Map result = ingestDocument.getFieldValue("_field", Map.class); @@ -311,7 +309,7 @@ public void testWillSetRunAsRealmForNonApiAuth() throws Exception { IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>()); SetSecurityUserProcessor processor = new SetSecurityUserProcessor( - "_tag", null, securityContext, licenseState, "_field", EnumSet.allOf(Property.class)); + "_tag", null, securityContext, Settings.EMPTY, "_field", EnumSet.allOf(Property.class)); processor.execute(ingestDocument); Map result = ingestDocument.getFieldValue("_field", Map.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java index fb4f370189546..fe7109cfffc6a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java 
@@ -75,12 +75,10 @@ public class SecurityRestFilterTests extends ESTestCase {
 public void init() throws Exception {
 authcService = mock(AuthenticationService.class);
 channel = mock(RestChannel.class);
- licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 restHandler = mock(RestHandler.class);
 threadContext = new ThreadContext(Settings.EMPTY);
 secondaryAuthenticator = new SecondaryAuthenticator(Settings.EMPTY, threadContext, authcService);
- filter = new SecurityRestFilter(licenseState, threadContext, authcService, secondaryAuthenticator, restHandler, false);
+ filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false);
 }
 
 public void testProcess() throws Exception {
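Review bot: `init()` no longer assigns `licenseState`, and the remaining hunks in this file replace every other use of it with `Settings.EMPTY`, so the `licenseState` field declared above this hunk (not visible here) and its `XPackLicenseState`/`when` imports are presumably now dead; if so, drop them so a reader does not assume the filter is still license-gated. The `Settings.EMPTY` construction also relies on the default of `XPackSettings.SECURITY_ENABLED` — a named `securityEnabledSettings` constant would make that explicit.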
@@ -140,19 +138,8 @@ public void testProcessSecondaryAuthentication() throws Exception { assertThat(secondaryAuthRef.get().getAuthentication(), sameInstance(secondaryAuthentication)); } - public void testProcessBasicLicense() throws Exception { - RestRequest request = mock(RestRequest.class); - when(licenseState.isSecurityEnabled()).thenReturn(false); - filter.handleRequest(request, channel, null); - assertWarnings("Elasticsearch built-in security features are not enabled. Without authentication, your cluster " + - "could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + - Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); - verify(restHandler).handleRequest(request, channel, null); - verifyZeroInteractions(channel, authcService); - } - public void testProcessAuthenticationFailedNoTrace() throws Exception { - filter = new SecurityRestFilter(licenseState, threadContext, authcService, secondaryAuthenticator, restHandler, false); + filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false); testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " + "cause", new ElasticsearchException("cause")), RestStatus.UNAUTHORIZED, true, true, false); testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " + 
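Review bot: Deleting `testProcessBasicLicense` removes the only test that covered the path where `SecurityRestFilter` forwards a request to the wrapped handler without ever calling `authcService` — the unauthenticated bypass, which is the most security-sensitive branch in the filter. If the filter still has such a branch keyed on `XPackSettings.SECURITY_ENABLED` (the companion hunk for `SetSecurityUserProcessor` shows the settings-based check surviving this refactor), replace the test rather than drop it: build the filter with `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()`, call `filter.handleRequest(request, channel, null)`, and keep `verify(restHandler).handleRequest(request, channel, null); verifyZeroInteractions(channel, authcService);`. If the bypass branch was removed instead, a test asserting that a filter built with `Settings.EMPTY` always reaches `authcService.authenticate` would pin that new invariant. The `assertWarnings` expectation can go if the warning is no longer emitted from the filter, but the pass-through assertions should not be lost with it.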
@@ -234,7 +221,7 @@ public Set getFilteredFields() { callback.onResponse(new Authentication(XPackUser.INSTANCE, new RealmRef("test", "test", "t"), null)); return Void.TYPE; }).when(authcService).authenticate(any(RestRequest.class), any(ActionListener.class)); - filter = new SecurityRestFilter(licenseState, threadContext, authcService, secondaryAuthenticator, restHandler, false); + filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false); filter.handleRequest(restRequest, channel, null); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java deleted file mode 100644 index 4dffe7b93e4cf..0000000000000 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ /dev/null 
@@ -1,129 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -package org.elasticsearch.xpack.security.support; - -import org.apache.logging.log4j.Level; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.elasticsearch.Version; -import org.elasticsearch.common.logging.Loggers; -import org.elasticsearch.license.License; -import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.test.MockLogAppender; -import org.junit.After; -import org.junit.Before; -import org.mockito.Mockito; - -import static org.mockito.Mockito.when; - -public class SecurityStatusChangeListenerTests extends ESTestCase { - - private XPackLicenseState licenseState; - private SecurityStatusChangeListener listener; - private MockLogAppender logAppender; - private Logger listenerLogger; - - @Before - public void setup() throws IllegalAccessException { - licenseState = Mockito.mock(XPackLicenseState.class); - listener = new SecurityStatusChangeListener(licenseState); - logAppender = new MockLogAppender(); - logAppender.start(); - listenerLogger = LogManager.getLogger(listener.getClass()); - Loggers.addAppender(listenerLogger, logAppender); - } - - @After - public void cleanup() { - Loggers.removeAppender(listenerLogger, logAppender); - logAppender.stop(); - } - - public void testSecurityEnabledToDisabled() { - when(licenseState.isSecurityEnabled()).thenReturn(true); - - when(licenseState.getOperationMode()).thenReturn(License.OperationMode.GOLD); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "initial change", - listener.getClass().getName(), - Level.INFO, - "Active license is now [GOLD]; Security is enabled" - )); - listener.licenseStateChanged(); - - 
when(licenseState.getOperationMode()).thenReturn(License.OperationMode.PLATINUM); - logAppender.addExpectation(new MockLogAppender.UnseenEventExpectation( - "no-op change", - listener.getClass().getName(), - Level.INFO, - "Active license is now [PLATINUM]; Security is enabled" - )); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "built-in security features are not enabled", - listener.getClass().getName(), - Level.WARN, - "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + - "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + - Version.CURRENT.minor + "/security-minimal-setup.html to enable security." - )); - when(licenseState.isSecurityEnabled()).thenReturn(false); - when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "change to basic", - listener.getClass().getName(), - Level.INFO, - "Active license is now [BASIC]; Security is disabled" - )); - listener.licenseStateChanged(); - - logAppender.assertAllExpectationsMatched(); - } - - public void testSecurityDisabledToEnabled() { - when(licenseState.isSecurityEnabled()).thenReturn(false); - - when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "initial change", - listener.getClass().getName(), - Level.INFO, - "Active license is now [TRIAL]; Security is disabled" - )); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "built-in security features are not enabled", - listener.getClass().getName(), - Level.WARN, - "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + - "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." 
+ - Version.CURRENT.minor + "/security-minimal-setup.html to enable security." - )); - listener.licenseStateChanged(); - - when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); - logAppender.addExpectation(new MockLogAppender.UnseenEventExpectation( - "no-op change", - listener.getClass().getName(), - Level.INFO, - "Active license is now [BASIC]; Security is disabled" - )); - - when(licenseState.isSecurityEnabled()).thenReturn(true); - when(licenseState.getOperationMode()).thenReturn(License.OperationMode.PLATINUM); - logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( - "change to platinum", - listener.getClass().getName(), - Level.INFO, - "Active license is now [PLATINUM]; Security is enabled" - )); - listener.licenseStateChanged(); - - logAppender.assertAllExpectationsMatched(); - } - -} diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java index 1f064d40f30ac..c69b501e24dff 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java @@ -198,6 +198,6 @@ private ServerTransportFilter getNodeFilter() { Settings settings = Settings.builder().put("path.home", createTempDir()).build(); ThreadContext threadContext = new ThreadContext(settings); return new ServerTransportFilter(authcService, authzService, threadContext, false, destructiveOperations, - new SecurityContext(settings, threadContext), new XPackLicenseState(settings, () -> 0)); + new SecurityContext(settings, threadContext), settings); } } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
index 20324dff368d1..881542b29eb52 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
@@ -61,11 +61,10 @@ public class IPFilterTests extends ESTestCase {
 @Before
 public void init() {
 licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true);
 auditTrail = mock(AuditTrail.class);
- auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
+ auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY);
 clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
 IPFilter.HTTP_FILTER_ALLOW_SETTING,
 IPFilter.HTTP_FILTER_DENY_SETTING,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
index 28293f06b7377..4ae0412e89f0d 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
@@ -58,9 +58,8 @@ public void init() throws Exception { IPFilter.PROFILE_FILTER_ALLOW_SETTING, IPFilter.PROFILE_FILTER_DENY_SETTING))); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); if (isHttpEnabled) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java index 72148c1b9bf3e..3dee5d8996bd9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java 
@@ -61,9 +61,8 @@ public void init() throws Exception { IPFilter.PROFILE_FILTER_ALLOW_SETTING, IPFilter.PROFILE_FILTER_DENY_SETTING))); XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState); ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses()); if (isHttpEnabled) { diff --git a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportPutTransformAction.java b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportPutTransformAction.java index 45e5c1c3f0175..bb684d065ce97 100644 --- a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportPutTransformAction.java +++ b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportPutTransformAction.java @@ -28,7 +28,6 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.ingest.IngestService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.persistent.PersistentTasksCustomMetadata; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.tasks.Task; 
@@ -65,7 +64,7 @@ public class TransportPutTransformAction extends AcknowledgedTransportMasterNode private static final Logger logger = LogManager.getLogger(TransportPutTransformAction.class); - private final XPackLicenseState licenseState; + private final Settings settings; private final Client client; private final TransformConfigManager transformConfigManager; private final SecurityContext securityContext; @@ -79,7 +78,6 @@ public TransportPutTransformAction( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -92,7 +90,6 @@ public TransportPutTransformAction( actionFilters, indexNameExpressionResolver, clusterService, - licenseState, transformServices, client, ingestService @@ -107,7 +104,6 @@ protected TransportPutTransformAction( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -122,7 +118,7 @@ protected TransportPutTransformAction( indexNameExpressionResolver, ThreadPool.Names.SAME ); - this.licenseState = licenseState; + this.settings = settings; this.client = client; this.transformConfigManager = transformServices.getConfigManager(); this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) 
@@ -198,7 +194,7 @@ protected void masterOperation(Task task, Request request, ClusterState clusterS ActionListener.wrap( validationResponse -> { // Early check to verify that the user can create the destination index and can read from the source - if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) { + if (XPackSettings.SECURITY_ENABLED.get(settings) && request.isDeferValidation() == false) { final String username = securityContext.getUser().principal(); HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username); ActionListener privResponseListener = ActionListener.wrap( diff --git a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportUpdateTransformAction.java b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportUpdateTransformAction.java index cd6c859789a72..c81662ce423a4 100644 --- a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportUpdateTransformAction.java +++ b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransportUpdateTransformAction.java @@ -29,7 +29,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.discovery.MasterNotDiscoveredException; import org.elasticsearch.ingest.IngestService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.persistent.PersistentTasksCustomMetadata; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.tasks.Task; @@ -74,7 +73,7 @@ public class TransportUpdateTransformAction extends TransportTasksAction { private static final Logger logger = LogManager.getLogger(TransportUpdateTransformAction.class); - private final XPackLicenseState licenseState; + private final Settings settings; private final Client client; private final TransformConfigManager transformConfigManager; private final SecurityContext securityContext; 
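Review bot: The guard `XPackSettings.SECURITY_ENABLED.get(settings)` is now re-read from the full `Settings` object on every request in `masterOperation`, while the constructor hunk at +118 already derives `securityContext` from the same setting (`this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ...`); the two conditions can drift if one is edited later, and the privilege check dereferences `securityContext.getUser()` immediately after, so they must agree. Computing the value once, `private final boolean securityEnabled;` assigned in the constructor, and gating on `if (securityEnabled && request.isDeferValidation() == false)` keeps the guard and the null-ness of `securityContext` in lockstep and avoids retaining `settings` for a single boolean. The same duplication is introduced in `TransportUpdateTransformAction.checkPriviledgesAndUpdateTransform` below. The enclosing `masterOperation` lambda starts and ends outside this hunk.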
@@ -90,7 +89,6 @@ public TransportUpdateTransformAction( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -103,7 +101,6 @@ public TransportUpdateTransformAction( actionFilters, indexNameExpressionResolver, clusterService, - licenseState, transformServices, client, ingestService @@ -118,7 +115,6 @@ protected TransportUpdateTransformAction( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -134,7 +130,7 @@ protected TransportUpdateTransformAction( ThreadPool.Names.SAME ); - this.licenseState = licenseState; + this.settings = settings; this.client = client; this.transformConfigManager = transformServices.getConfigManager(); this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) @@ -295,7 +291,7 @@ private void checkPriviledgesAndUpdateTransform( ActionListener listener ) { // Early check to verify that the user can create the destination index and can read from the source - if (licenseState.isSecurityEnabled() && request.isDeferValidation() == false) { + if (XPackSettings.SECURITY_ENABLED.get(settings) && request.isDeferValidation() == false) { final String username = securityContext.getUser().principal(); HasPrivilegesRequest privRequest = buildPrivilegeCheck(config, indexNameExpressionResolver, clusterState, username); ActionListener privResponseListener = ActionListener.wrap( From 233e92bddf1f634dbd9df2a580ee5ee7dd5c052b Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 27 Apr 2021 08:59:46 +0300 Subject: [PATCH 02/46] Update remaining usages --- .../elasticsearch/xpack/core/XPackPlugin.java | 6 ++-- .../license/LicenseFIPSTests.java | 6 ++-- .../license/LicenseTLSTests.java | 10 +++---- .../org/elasticsearch/license/TestUtils.java | 6 ++-- .../xpack/ml/MachineLearning.java | 3 +- .../ml/MlUpgradeModeActionFilterTests.java | 2 +- .../xpack/security/Security.java | 10 +++---- .../xpack/security/authc/ApiKeyService.java | 5 +--- ...cumentLevelSecurityRequestInterceptor.java | 8 +++-- .../IndicesAliasesRequestInterceptor.java | 8 +++-- .../interceptor/ResizeRequestInterceptor.java | 8 +++-- .../interceptor/SearchRequestInterceptor.java | 5 ++-- .../interceptor/UpdateRequestInterceptor.java | 5 ++-- .../rest/action/SecurityBaseRestHandler.java | 1 - ...ansportOpenIdConnectLogoutActionTests.java | 1 - ...sportSamlInvalidateSessionActionTests.java | 1 - .../saml/TransportSamlLogoutActionTests.java | 1 - .../TransportCreateTokenActionTests.java | 1 - .../TransportInvalidateTokenActionTests.java | 1 - .../logfile/LoggingAuditTrailFilterTests.java | 3 +- .../audit/logfile/LoggingAuditTrailTests.java | 3 +- .../security/authc/ApiKeyServiceTests.java | 7 +---- .../authc/AuthenticationServiceTests.java | 2 +- .../xpack/security/authc/RealmsTests.java | 5 ++-- .../security/authc/TokenServiceTests.java | 1 - .../authc/kerberos/KerberosRealmTestCase.java | 1 - .../security/authc/ldap/LdapRealmTests.java | 1 - .../authc/oidc/OpenIdConnectRealmTests.java | 1 - .../security/authc/pki/PkiRealmTests.java | 1 - .../security/authc/saml/SamlRealmTests.java | 1 - .../DelegatedAuthorizationSupportTests.java | 1 - .../support/SecondaryAuthenticatorTests.java | 3 +- .../authz/AuthorizationServiceTests.java | 5 ++-- ...IndicesAliasesRequestInterceptorTests.java | 4 +-- .../ResizeRequestInterceptorTests.java | 4 +-- .../authz/store/CompositeRolesStoreTests.java | 30 +++++++++---------- .../authz/store/FileRolesStoreTests.java 
| 1 - .../authz/store/NativeRolesStoreTests.java | 1 - .../SetSecurityUserProcessorFactoryTests.java | 19 +++++------- .../action/SecurityBaseRestHandlerTests.java | 11 +++---- .../apikey/RestCreateApiKeyActionTests.java | 1 - .../apikey/RestGetApiKeyActionTests.java | 1 - .../RestInvalidateApiKeyActionTests.java | 1 - ...viceAccountTokenStoreCacheActionTests.java | 1 - .../RestGetUserPrivilegesActionTests.java | 5 ++-- .../user/RestHasPrivilegesActionTests.java | 2 -- .../xpack/security/test/SecurityMocks.java | 1 - ...curityServerTransportInterceptorTests.java | 23 ++++++-------- ...TransportPutTransformActionDeprecated.java | 3 -- ...nsportUpdateTransformActionDeprecated.java | 3 -- .../transforms/pivot/PivotTests.java | 2 +- 51 files changed, 100 insertions(+), 136 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java index ee1132c524bef..52fc1aedc256f 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java @@ -162,7 +162,7 @@ public XPackPlugin( // We should only depend on the settings from the Environment object passed to createComponents this.settings = settings; - setLicenseState(new XPackLicenseState(settings, () -> getEpochMillisSupplier().getAsLong())); + setLicenseState(new XPackLicenseState(() -> getEpochMillisSupplier().getAsLong())); this.licensing = new Licensing(settings); } @@ -244,12 +244,12 @@ private static boolean alreadyContainsXPackCustomMetadata(ClusterState clusterSt clusterState.custom(TokenMetadata.TYPE) != null || metadata.custom(TransformMetadata.TYPE) != null; } - + @Override public Map getMetadataMappers() { return Map.of(DataTierFieldMapper.NAME, DataTierFieldMapper.PARSER); } - + @Override public Settings additionalSettings() { 
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseFIPSTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseFIPSTests.java index eb4c0798f2a12..b665c947efeca 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseFIPSTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseFIPSTests.java @@ -29,7 +29,7 @@ public void testFIPSCheckWithAllowedLicense() throws Exception { .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.fips_mode.enabled", randomBoolean()) .build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); @@ -53,7 +53,7 @@ public void testFIPSCheckWithoutAllowedLicense() throws Exception { .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.fips_mode.enabled", true) .build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); @@ -68,7 +68,7 @@ public void testFIPSCheckWithoutAllowedLicense() throws Exception { .put("xpack.security.transport.ssl.enabled", true) .put("xpack.security.fips_mode.enabled", false) .build(); - licenseState = new XPackLicenseState(settings, () -> 0); + licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java index 6e3212ce61131..633ead4406a3e 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java 
@@ -34,7 +34,7 @@ public void testApplyLicenseInDevMode() throws Exception { request.acknowledge(true); request.license(newLicense); Settings settings = Settings.builder().put("xpack.security.enabled", true).build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); inetAddress = InetAddress.getLoopbackAddress(); setInitialState(null, licenseState, settings); @@ -49,7 +49,7 @@ public void testApplyLicenseInDevMode() throws Exception { .put("discovery.type", "single-node") .build(); licenseService.stop(); - licenseState = new XPackLicenseState(settings, () -> 0); + licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); licenseService.registerLicense(request, responseFuture); @@ -63,7 +63,7 @@ public void testApplyLicenseInProdMode() throws Exception { request.acknowledge(true); request.license(newLicense); Settings settings = Settings.builder().put("xpack.security.enabled", true).build(); - XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); inetAddress = TransportAddress.META_ADDRESS; setInitialState(null, licenseState, settings); @@ -75,7 +75,7 @@ public void testApplyLicenseInProdMode() throws Exception { settings = Settings.builder().put("xpack.security.enabled", false).build(); licenseService.stop(); - licenseState = new XPackLicenseState(settings, () -> 0); + licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); licenseService.registerLicense(request, responseFuture); 
@@ -86,7 +86,7 @@ public void testApplyLicenseInProdMode() throws Exception { .put("xpack.security.transport.ssl.enabled", true) .build(); licenseService.stop(); - licenseState = new XPackLicenseState(settings, () -> 0); + licenseState = new XPackLicenseState(() -> 0); setInitialState(null, licenseState, settings); licenseService.start(); licenseService.registerLicense(request, responseFuture); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java index 313ccacb2b52e..eb0a81b8e5543 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java @@ -364,7 +364,7 @@ public static class AssertingLicenseState extends XPackLicenseState { public final List expirationDateUpdates = new ArrayList<>(); public AssertingLicenseState() { - super(Settings.EMPTY, () -> 0); + super(() -> 0); } @Override @@ -386,7 +386,7 @@ public UpdatableLicenseState() { } public UpdatableLicenseState(Settings settings) { - super(settings, () -> 0); + super(() -> 0); } @Override @@ -396,7 +396,7 @@ public void update(License.OperationMode mode, boolean active, long expirationDa } public static XPackLicenseState newTestLicenseState() { - return new XPackLicenseState(Settings.EMPTY, () -> 0); + return new XPackLicenseState(() -> 0); } public static void putLicense(Metadata.Builder builder, License license) { diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java index ce5c70e2f154d..6d216b1a1e3ba 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java 
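Review bot: With the `settings` argument removed from `XPackLicenseState`, the only route by which the production-license TLS check exercised here can still see `xpack.security.enabled` and `xpack.security.transport.ssl.enabled` is `setInitialState(null, licenseState, settings)`. If the check in LicenseService was previously reading those values through the license state rather than through its own settings, this refactor could make a production license acceptable with security on and transport TLS off, and this test would not notice because the assertions on `responseFuture` follow `registerLicense` outside the hunk. Worth confirming that the negative case at the -75 hunk still fails as before and that the positive case here passes for the right reason, e.g. by asserting on the rejection message rather than only on success. The test method continues past the end of the hunk.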
@@ -1080,7 +1080,8 @@ public List getPipelineAggregations() { PipelineAggregationSpec spec = new PipelineAggregationSpec(InferencePipelineAggregationBuilder.NAME, in -> new InferencePipelineAggregationBuilder(in, getLicenseState(), settings, modelLoadingService), (ContextParser) - (parser, name) -> InferencePipelineAggregationBuilder.parse(modelLoadingService, getLicenseState(), name, parser)); + (parser, name) -> + InferencePipelineAggregationBuilder.parse(modelLoadingService, getLicenseState(), settings, name, parser)); spec.addResultReader(InternalInferenceAggregation::new); return Collections.singletonList(spec); diff --git a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java index 3b11c063f7ffb..c82af08b5bc0d 100644 --- a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java +++ b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java @@ -114,7 +114,7 @@ public void testApply_ActionDisallowedInUpgradeModeWithResetModeExemption() { public void testOrder_UpgradeFilterIsExecutedAfterSecurityFilter() { MlUpgradeModeActionFilter upgradeModeFilter = new MlUpgradeModeActionFilter(clusterService); - SecurityActionFilter securityFilter = new SecurityActionFilter(null, null, null, null, mock(ThreadPool.class), null, null); + SecurityActionFilter securityFilter = new SecurityActionFilter(null, null, null, null, mock(ThreadPool.class), null, null, null); ActionFilter[] actionFiltersInOrderOfExecution = new ActionFilters(Sets.newHashSet(upgradeModeFilter, securityFilter)).filters(); assertThat(actionFiltersInOrderOfExecution, is(arrayContaining(securityFilter, upgradeModeFilter))); 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 4244b37a28564..15c35e037bfc5 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -505,7 +505,7 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste rolesProviders.addAll(extension.getRolesProviders(extensionComponents)); } - final ApiKeyService apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, getLicenseState(), securityIndex.get(), + final ApiKeyService apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, securityIndex.get(), clusterService, cacheInvalidatorRegistry, threadPool); components.add(apiKeyService); @@ -548,12 +548,12 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste securityIndex.get().addIndexStateListener(authcService.get()::onSecurityIndexStateChange); Set requestInterceptors = Sets.newHashSet( - new ResizeRequestInterceptor(threadPool, getLicenseState(), auditTrailService), - new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), auditTrailService)); + new ResizeRequestInterceptor(threadPool, getLicenseState(), settings, auditTrailService), + new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), settings, auditTrailService)); if (XPackSettings.DLS_FLS_ENABLED.get(settings)) { requestInterceptors.addAll(Arrays.asList( - new SearchRequestInterceptor(threadPool, getLicenseState()), - new UpdateRequestInterceptor(threadPool, getLicenseState()), + new SearchRequestInterceptor(threadPool, getLicenseState(), settings), + new UpdateRequestInterceptor(threadPool, getLicenseState(), settings), new BulkShardRequestInterceptor(threadPool, getLicenseState(), settings) )); } 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index 50fdacb12e310..d1329eb217bdb 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -70,7 +70,6 @@ import org.elasticsearch.index.query.BoolQueryBuilder; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.license.LicenseUtils; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.search.SearchHit; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.XPackSettings; @@ -177,7 +176,6 @@ public class ApiKeyService { private final Clock clock; private final Client client; - private final XPackLicenseState licenseState; private final SecurityIndexManager securityIndex; private final ClusterService clusterService; private final Hasher hasher; @@ -192,11 +190,10 @@ public class ApiKeyService { private volatile long lastExpirationRunMs; - public ApiKeyService(Settings settings, Clock clock, Client client, XPackLicenseState licenseState, SecurityIndexManager securityIndex, + public ApiKeyService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndex, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry, ThreadPool threadPool) { this.clock = clock; this.client = client; - this.licenseState = licenseState; this.securityIndex = securityIndex; this.clusterService = clusterService; this.enabled = XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.get(settings); 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java index 3ecfe490aed4f..1597d67cefa9d 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java @@ -12,10 +12,12 @@ import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.common.MemoizedSupplier; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.transport.TransportActionProxy; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; 
@@ -30,11 +32,13 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor implements Reques private final ThreadContext threadContext; private final XPackLicenseState licenseState; + private final Settings settings; private final Logger logger; - FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState) { + FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, Settings settings) { this.threadContext = threadContext; this.licenseState = licenseState; + this.settings = settings; this.logger = LogManager.getLogger(getClass()); } @@ -43,7 +47,7 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization ActionListener listener) { if (requestInfo.getRequest() instanceof IndicesRequest && false == TransportActionProxy.isProxyAction(requestInfo.getAction())) { IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequest(); - boolean shouldIntercept = licenseState.isSecurityEnabled(); + boolean shouldIntercept = XPackSettings.SECURITY_ENABLED.get(settings); var licenseChecker = new MemoizedSupplier<>(() -> licenseState.checkFeature(Feature.SECURITY_DLS_FLS)); if (supports(indicesRequest) && shouldIntercept) { final IndicesAccessControl indicesAccessControl = diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java index 317e2478a0dee..9853551b0f775 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java 
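Review bot: `XPackSettings.SECURITY_ENABLED.get(settings)` is a node-level setting that cannot change after the node starts, yet the new `shouldIntercept` line re-parses it on every intercepted request; evaluate it once in the constructor as `this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);` and use `boolean shouldIntercept = securityEnabled;`, which also removes the need to retain a `Settings` field on the interceptor. Separately, `licenseChecker` still consults the live `licenseState.checkFeature(...)` while the sibling interceptors changed in this commit check a `copyCurrentLicenseState()` snapshot; that asymmetry predates this change, but since the constructor is being touched anyway it is a cheap moment to align them so a license flip mid-request cannot produce a different answer than the other interceptors. `intercept` continues past the end of the hunk.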
@@ -11,10 +11,12 @@ import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.common.MemoizedSupplier; import org.elasticsearch.common.collect.Tuple; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -37,12 +39,14 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto private final ThreadContext threadContext; private final XPackLicenseState licenseState; + private final Settings settings; private final AuditTrailService auditTrailService; - public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, + public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, Settings settings, AuditTrailService auditTrailService) { this.threadContext = threadContext; this.licenseState = licenseState; + this.settings = settings; this.auditTrailService = auditTrailService; } 
@@ -53,7 +57,7 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization final IndicesAliasesRequest request = (IndicesAliasesRequest) requestInfo.getRequest(); final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState(); final AuditTrail auditTrail = auditTrailService.get(); - if (frozenLicenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java index f7f2565e59bc9..61aa05007ff6a 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java 
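Review bot: `frozenLicenseState` and `auditTrail` are now computed before a condition that no longer depends on either of them, so when `xpack.security.enabled` is false every aliases request still pays for `licenseState.copyCurrentLicenseState()` and `auditTrailService.get()` only to skip the block. Move those two assignments inside `if (XPackSettings.SECURITY_ENABLED.get(settings))`, or better, read the setting once in the constructor into a `private final boolean securityEnabled` since it is fixed for the node's lifetime and the `Settings` field then becomes unnecessary. `intercept` starts and ends outside this hunk.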
@@ -10,11 +10,13 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.admin.indices.shrink.ResizeRequest; import org.elasticsearch.common.MemoizedSupplier; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -33,12 +35,14 @@ public final class ResizeRequestInterceptor implements RequestInterceptor { private final ThreadContext threadContext; private final XPackLicenseState licenseState; + private final Settings settings; private final AuditTrailService auditTrailService; - public ResizeRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, + public ResizeRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings, AuditTrailService auditTrailService) { this.threadContext = threadPool.getThreadContext(); this.licenseState = licenseState; + this.settings = settings; this.auditTrailService = auditTrailService; } 
@@ -49,7 +53,7 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization final ResizeRequest request = (ResizeRequest) requestInfo.getRequest(); final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState(); final AuditTrail auditTrail = auditTrailService.get(); - if (frozenLicenseState.isSecurityEnabled()) { + if (XPackSettings.SECURITY_ENABLED.get(settings)) { var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java index 8495024f5149d..6d21c25e43244 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java @@ -10,6 +10,7 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.search.SearchRequest; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.search.builder.SearchSourceBuilder; 
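Review bot: The same ordering issue as in the aliases interceptor applies here: the `copyCurrentLicenseState()` snapshot and `auditTrailService.get()` are taken before the new `XPackSettings.SECURITY_ENABLED.get(settings)` check, which does not use them, so a node with security disabled does that work for every resize request. Hoist the setting into a `private final boolean securityEnabled` computed in the constructor and take the snapshot only inside the `if`; that keeps the per-request path to a single field read and drops the `Settings` field. `intercept` starts and ends outside this hunk.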
@@ -21,8 +22,8 @@ */ public class SearchRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor { - public SearchRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) { - super(threadPool.getThreadContext(), licenseState); + public SearchRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings) { + super(threadPool.getThreadContext(), licenseState, settings); } @Override diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java index edae98076c3cc..7eb6280cd3183 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java @@ -10,6 +10,7 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.update.UpdateRequest; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; @@ -23,8 +24,8 @@ */ public class UpdateRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor { - public UpdateRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) { - super(threadPool.getThreadContext(), licenseState); + public UpdateRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings) { + super(threadPool.getThreadContext(), licenseState, settings); } @Override 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java index 360efbc984154..95ad3a472f126 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java @@ -6,7 +6,6 @@ */ package org.elasticsearch.xpack.security.rest.action; -import org.elasticsearch.ElasticsearchException; import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java index 0e582f5bee390..7f1f24fd2b2f1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java @@ -173,7 +173,6 @@ public void setup() throws Exception { final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool); final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, new SecurityContext(settings, threadContext), 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java index 05bfc96dff020..4d2cc1c4fa9a4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java @@ -208,7 +208,6 @@ void doExecute(ActionType action, Request request, ActionListener 0), - mock(SecurityIndexManager.class), clusterService, + apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), mock(Client.class), mock(SecurityIndexManager.class), clusterService, mock(CacheInvalidatorRegistry.class), mock(ThreadPool.class)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java index b1c0546159bfe..9fa289e65b449 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java 
@@ -288,8 +288,7 @@ public void init() throws Exception { } logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout); auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext); - apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, new XPackLicenseState(settings, () -> 0), - securityIndexManager, clusterService, + apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, securityIndexManager, clusterService, mock(CacheInvalidatorRegistry.class), mock(ThreadPool.class)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index 373ec9cf99050..25aab4e9a56c4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java @@ -34,7 +34,6 @@ import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.common.xcontent.json.JsonXContent; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ClusterServiceUtils; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.VersionUtils; @@ -118,7 +117,6 @@ public class ApiKeyServiceTests extends ESTestCase { private ThreadPool threadPool; - private XPackLicenseState licenseState; private Client client; private SecurityIndexManager securityIndex; private CacheInvalidatorRegistry cacheInvalidatorRegistry; 
@@ -139,9 +137,6 @@ public void stopThreadPool() { @Before public void setupMocks() { - this.licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); - this.client = mock(Client.class); this.securityIndex = SecurityMocks.mockSecurityIndexManager(); this.cacheInvalidatorRegistry = mock(CacheInvalidatorRegistry.class); @@ -1061,7 +1056,7 @@ private ApiKeyService createApiKeyService(Settings baseSettings) { .put(baseSettings) .build(); final ApiKeyService service = new ApiKeyService( - settings, Clock.systemUTC(), client, licenseState, securityIndex, + settings, Clock.systemUTC(), client, securityIndex, ClusterServiceUtils.createClusterService(threadPool), cacheInvalidatorRegistry, threadPool); if ("0s".equals(settings.get(ApiKeyService.CACHE_TTL_SETTING.getKey()))) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java index 62b30fe813c05..c07e139eac3f5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java 
@@ -266,7 +266,7 @@ public void init() throws Exception { }).when(securityIndex).checkIndexVersionThenExecute(any(Consumer.class), any(Runnable.class)); ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool); final SecurityContext securityContext = new SecurityContext(settings, threadContext); - apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, licenseState, securityIndex, clusterService, + apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), client, securityIndex, clusterService, mock(CacheInvalidatorRegistry.class), threadPool); tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, securityContext, securityIndex, securityIndex, clusterService); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index f98c881647f73..9eb3b0e59c247 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java @@ -15,6 +15,7 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authc.Realm; 
@@ -75,7 +76,6 @@ public void init() throws Exception { when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState); threadContext = new ThreadContext(Settings.EMPTY); reservedRealm = mock(ReservedRealm.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); allowAllRealms(); when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE); when(reservedRealm.name()).thenReturn("reserved"); @@ -481,6 +481,7 @@ public void testDisabledRealmsAreNotAdded() throws Exception { public void testAuthcAuthzDisabled() throws Exception { Settings settings = Settings.builder() .put("path.home", createTempDir()) + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".realm_1.order", 0) .build(); Environment env = TestEnvironment.newEnvironment(settings); @@ -488,7 +489,6 @@ public void testAuthcAuthzDisabled() throws Exception { assertThat(realms.iterator().hasNext(), is(true)); - when(licenseState.isSecurityEnabled()).thenReturn(false); assertThat(realms.iterator().hasNext(), is(false)); } @@ -541,7 +541,6 @@ public void testUsageStats() throws Exception { } // check standard realms include native - when(licenseState.isSecurityEnabled()).thenReturn(true); allowOnlyStandardRealms(); future = new PlainActionFuture<>(); realms.usageStats(future); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java index 07fc8bff93548..1b19cf9326dc4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java 
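Review bot: In the `testAuthcAuthzDisabled` hunk at old line 488, the two remaining assertions `assertThat(realms.iterator().hasNext(), is(true));` and `assertThat(realms.iterator().hasNext(), is(false));` now run back to back against one unchanged `realms` instance that was built with `xpack.security.enabled` set to `false` in the preceding hunk, and nothing between them flips state any more since the `when(licenseState.isSecurityEnabled()).thenReturn(false)` stub is gone. Unless `Realms` ignores the setting on the first call (the construction sits between the hunks and is not visible here), one of the two assertions must fail. Drop the `is(true)` assertion, which only documented the enabled state the removed stub used to toggle, or build a second `Realms` with the setting enabled if the enabled-to-disabled transition is what the test is meant to cover.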
@@ -193,7 +193,6 @@ public void setupClient() { // License state (enabled by default) licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); // version 7.2 was an "inflection" point in the Token Service development (access_tokens as UUIDS, multiple concurrent refreshes, diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java index e0791ef32af7e..df262f7b057e0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java @@ -85,7 +85,6 @@ public void setup() throws Exception { settings = buildKerberosRealmSettings(REALM_NAME, writeKeyTab(dir.resolve("key.keytab"), "asa").toString(), 100, "10m", true, randomBoolean()); licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java index 959a00c92ab2b..fd3926c6bb0e4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java 
@@ -103,7 +103,6 @@ public void init() throws Exception { defaultGlobalSettings = Settings.builder().put("path.home", createTempDir()).build(); sslService = new SSLService(TestEnvironment.newEnvironment(defaultGlobalSettings)); licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java index a8cc016eb8430..22d847bd2a3aa 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java @@ -459,7 +459,6 @@ private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapp private void initializeRealms(Realm... realms) { XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true); final List realmList = Arrays.asList(realms); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index 6784d4358954b..73eb1cf8ef10f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java 
@@ -79,7 +79,6 @@ public void setup() throws Exception { .put(RealmSettings.getFullSettingKey(realmIdentifier, RealmSettings.ORDER_SETTING), 0) .build(); licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 6b30e04db0242..258d827e9d1f0 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -298,7 +298,6 @@ private AuthenticationResult performAuthentication(UserRoleMapper roleMapper, bo private void initializeRealms(Realm... realms) { XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true); final List realmList = Arrays.asList(realms); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java index 154e1e964195b..5a0b8a8f14ee4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java 
@@ -194,7 +194,6 @@ public void testLicenseRejection() throws Exception {
 private XPackLicenseState getLicenseState(boolean authzRealmsAllowed) {
 final XPackLicenseState license = mock(XPackLicenseState.class);
- when(license.isSecurityEnabled()).thenReturn(true);
 when(license.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(authzRealmsAllowed);
 return license;
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java
index 072a7603b63da..4807315ca86fd 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java
@@ -126,8 +126,7 @@ public void setupMocks() throws Exception {
 securityContext = new SecurityContext(settings, threadContext);
 tokenService = new TokenService(settings, clock, client, licenseState, securityContext, securityIndex, tokensIndex, clusterService);
- final ApiKeyService apiKeyService = new ApiKeyService(settings, clock, client, licenseState,
- securityIndex, clusterService,
+ final ApiKeyService apiKeyService = new ApiKeyService(settings, clock, client, securityIndex, clusterService,
 mock(CacheInvalidatorRegistry.class),threadPool);
 final ServiceAccountService serviceAccountService = mock(ServiceAccountService.class);
 doAnswer(invocationOnMock -> {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
index 4a0680c2dc8e0..594f9a31babfe 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
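Review bot: `ApiKeyService` is now constructed without the `XPackLicenseState` that `TokenService` on the preceding line still receives, so this fixture no longer says anything about how API-key authentication is license-gated. If the gate moved elsewhere rather than being dropped, a one-line comment at the construction site would spare the next reader a trip through the production change, e.g. `// ApiKeyService no longer consults the license state; the check now lives in <location — TODO confirm>`. The same constructor change appears twice more in CompositeRolesStoreTests (`testApiKeyAuthUsesApiKeyService` and `testApiKeyAuthUsesApiKeyServiceWithScopedRole`). `setupMocks` continues past the end of the hunk.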
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -1052,7 +1052,7 @@ public void testDenialForAnonymousUser() throws IOException {
 final AnonymousUser anonymousUser = new AnonymousUser(settings);
 authorizationService = new AuthorizationService(settings, rolesStore, clusterService, auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, anonymousUser, null, Collections.emptySet(),
- new XPackLicenseState(settings, () -> 0), TestIndexNameExpressionResolver.newInstance(), operatorPrivilegesService);
+ new XPackLicenseState(() -> 0), TestIndexNameExpressionResolver.newInstance(), operatorPrivilegesService);
 RoleDescriptor role = new RoleDescriptor("a_all", null, new IndicesPrivileges[]{IndicesPrivileges.builder().indices("a").privileges("all").build()}, null);
@@ -1080,7 +1080,7 @@ public void testDenialForAnonymousUserAuthorizationExceptionDisabled() throws IO
 final Authentication authentication = createAuthentication(new AnonymousUser(settings));
 authorizationService = new AuthorizationService(settings, rolesStore, clusterService, auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool, new AnonymousUser(settings), null,
- Collections.emptySet(), new XPackLicenseState(settings, () -> 0), TestIndexNameExpressionResolver.newInstance(),
+ Collections.emptySet(), new XPackLicenseState(() -> 0), TestIndexNameExpressionResolver.newInstance(),
 operatorPrivilegesService);
 RoleDescriptor role = new RoleDescriptor("a_all", null,
@@ -1818,7 +1818,6 @@ public void getUserPrivileges(Authentication authentication, AuthorizationInfo a
 };
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
 authorizationService = new AuthorizationService(Settings.EMPTY, rolesStore, clusterService, auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java
index 69287369ad209..0159999b42528 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java
@@ -74,7 +74,7 @@ public void testInterceptorThrowsWhenFLSDLSEnabled() {
 threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl);
 IndicesAliasesRequestInterceptor interceptor =
- new IndicesAliasesRequestInterceptor(threadContext, licenseState, auditTrailService);
+ new IndicesAliasesRequestInterceptor(threadContext, licenseState, Settings.EMPTY, auditTrailService);
 IndicesAliasesRequest indicesAliasesRequest = new IndicesAliasesRequest();
 if (randomBoolean()) {
@@ -115,7 +115,7 @@ public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Except
 IndicesAccessControl accessControl = new IndicesAccessControl(true, Collections.emptyMap());
 threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl);
 IndicesAliasesRequestInterceptor interceptor =
- new IndicesAliasesRequestInterceptor(threadContext, licenseState, auditTrailService);
+ new IndicesAliasesRequestInterceptor(threadContext, licenseState, Settings.EMPTY, auditTrailService);
 final IndicesAliasesRequest indicesAliasesRequest = new IndicesAliasesRequest();
 if (randomBoolean()) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java
index 4c7d413587792..4037150392d6d 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java
@@ -79,7 +79,7 @@ public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
 threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl);
 ResizeRequestInterceptor resizeRequestInterceptor =
- new ResizeRequestInterceptor(threadPool, licenseState, auditTrailService);
+ new ResizeRequestInterceptor(threadPool, licenseState, Settings.EMPTY, auditTrailService);
 PlainActionFuture plainActionFuture = new PlainActionFuture<>();
 RequestInfo requestInfo = new RequestInfo(authentication, new ResizeRequest("bar", "foo"), action);
@@ -117,7 +117,7 @@ public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions()
 IndicesAccessControl accessControl = new IndicesAccessControl(true, Collections.emptyMap());
 threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl);
 ResizeRequestInterceptor resizeRequestInterceptor =
- new ResizeRequestInterceptor(threadPool, licenseState, auditTrailService);
+ new ResizeRequestInterceptor(threadPool, licenseState, Settings.EMPTY, auditTrailService);
 AuthorizationEngine mockEngine = mock(AuthorizationEngine.class);
 {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
index bc0d822536063..aa59fb575e505 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
@@ -133,7 +133,6 @@ public class CompositeRolesStoreTests extends ESTestCase {
 public void testRolesWhenDlsFlsUnlicensed() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(false);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder()
@@ -205,7 +204,6 @@ public void testRolesWhenDlsFlsUnlicensed() throws IOException {
 public void testRolesWhenDlsFlsLicensed() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder()
@@ -359,7 +357,7 @@ public void testNegativeLookupsCacheDisabled() {
 final DocumentSubsetBitsetCache documentSubsetBitsetCache = buildBitsetCache();
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(settings, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(settings),
- new XPackLicenseState(settings, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 verify(fileRolesStore).addListener(any(Consumer.class)); // adds a listener in ctor
@@ -399,7 +397,7 @@ public void testNegativeLookupsAreNotCachedWithFailures() {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 verify(fileRolesStore).addListener(any(Consumer.class)); // adds a listener in ctor
@@ -487,7 +485,7 @@ public void testCustomRolesProviders() {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Arrays.asList(inMemoryProvider1, inMemoryProvider2),
- new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0),
+ new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(() -> 0),
 cache, mock(ApiKeyService.class), mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
@@ -716,7 +714,7 @@ public void testCustomRolesProviderFailures() throws Exception {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Arrays.asList(inMemoryProvider1, failingProvider),
- new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0),
+ new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(() -> 0),
 cache, mock(ApiKeyService.class), mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
@@ -836,7 +834,7 @@ public void testCacheClearOnIndexHealthChange() {
 CompositeRolesStore compositeRolesStore = new CompositeRolesStore( Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(Settings.EMPTY),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> {}) {
 @Override
@@ -891,7 +889,7 @@ public void testCacheClearOnIndexOutOfDateChange() {
 CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> {}) {
 @Override
 public void invalidateAll() {
@@ -988,7 +986,7 @@ public void testDoesNotUseRolesStoreForXPacAndAsyncSearchUser() {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 verify(fileRolesStore).addListener(any(Consumer.class)); // adds a listener in ctor
@@ -1030,7 +1028,7 @@ public void testGetRolesForSystemUserThrowsException() {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, mock(ApiKeyService.class),
+ new XPackLicenseState(() -> 0), cache, mock(ApiKeyService.class),
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 verify(fileRolesStore).addListener(any(Consumer.class)); // adds a listener in ctor
@@ -1054,7 +1052,7 @@ public void testApiKeyAuthUsesApiKeyService() throws Exception {
 final ReservedRolesStore reservedRolesStore = spy(new ReservedRolesStore());
 ThreadContext threadContext = new ThreadContext(SECURITY_ENABLED_SETTINGS);
 ApiKeyService apiKeyService = spy(new ApiKeyService(SECURITY_ENABLED_SETTINGS, Clock.systemUTC(), mock(Client.class),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), mock(SecurityIndexManager.class), mock(ClusterService.class),
+ mock(SecurityIndexManager.class), mock(ClusterService.class),
 mock(CacheInvalidatorRegistry.class), mock(ThreadPool.class)));
 NativePrivilegeStore nativePrivStore = mock(NativePrivilegeStore.class);
 doAnswer(invocationOnMock -> {
@@ -1069,7 +1067,7 @@ public void testApiKeyAuthUsesApiKeyService() throws Exception {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, nativePrivStore, Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, apiKeyService,
+ new XPackLicenseState(() -> 0), cache, apiKeyService,
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 AuditUtil.getOrGenerateRequestId(threadContext);
@@ -1108,7 +1106,7 @@ public void testApiKeyAuthUsesApiKeyServiceWithScopedRole() throws Exception {
 ThreadContext threadContext = new ThreadContext(SECURITY_ENABLED_SETTINGS);
 ApiKeyService apiKeyService = spy(new ApiKeyService(SECURITY_ENABLED_SETTINGS, Clock.systemUTC(), mock(Client.class),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), mock(SecurityIndexManager.class), mock(ClusterService.class),
+ mock(SecurityIndexManager.class), mock(ClusterService.class),
 mock(CacheInvalidatorRegistry.class), mock(ThreadPool.class)));
 NativePrivilegeStore nativePrivStore = mock(NativePrivilegeStore.class);
 doAnswer(invocationOnMock -> {
@@ -1123,7 +1121,7 @@ public void testApiKeyAuthUsesApiKeyServiceWithScopedRole() throws Exception {
 final CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore, nativePrivStore, Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0), cache, apiKeyService,
+ new XPackLicenseState(() -> 0), cache, apiKeyService,
 mock(ServiceAccountService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds));
 AuditUtil.getOrGenerateRequestId(threadContext);
@@ -1258,7 +1256,7 @@ public void testCacheEntryIsReusedForIdenticalApiKeyRoles() {
 nativePrivStore, Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
- new XPackLicenseState(SECURITY_ENABLED_SETTINGS, () -> 0),
+ new XPackLicenseState(() -> 0),
 cache, apiKeyService, mock(ServiceAccountService.class),
@@ -1386,7 +1384,7 @@ private CompositeRolesStore buildCompositeRolesStore(Settings settings,
 }).when(privilegeStore).getPrivileges(isA(Set.class), isA(Set.class), any(ActionListener.class));
 }
 if (licenseState == null) {
- licenseState = new XPackLicenseState(settings, () -> 0);
+ licenseState = new XPackLicenseState(() -> 0);
 }
 if (apiKeyService == null) {
 apiKeyService = mock(ApiKeyService.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
index 89a292dd4dfa0..665636a00fbc2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
@@ -290,7 +290,6 @@ public void testParseFileWithFLSAndDLSUnlicensed() throws Exception {
 List events = CapturingLogger.output(logger.getName(), Level.WARN);
 events.clear();
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(false);
 Map roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, licenseState, xContentRegistry());
 assertThat(roles, notNullValue());
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
index 8513867afb899..7620955ac5629 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
@@ -95,7 +95,6 @@ public void testBWCFieldPermissions() throws IOException {
 public void testRoleDescriptorWithFlsDlsLicensing() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(false);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder().privileges("READ").indices("*")
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorFactoryTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorFactoryTests.java
index cafb006dcb16f..d3a6cafbbdd3f 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorFactoryTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorFactoryTests.java
@@ -9,12 +9,11 @@
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor.Property;
 import org.junit.Before;
-import org.mockito.Mockito;
 import java.util.Arrays;
 import java.util.EnumSet;
@@ -23,22 +22,18 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
-import static org.mockito.Mockito.when;
 public class SetSecurityUserProcessorFactoryTests extends ESTestCase {
 private SecurityContext securityContext;
- private XPackLicenseState licenseState;
 @Before
 public void setupContext() {
 securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
- licenseState = Mockito.mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 }
 public void testProcessor() throws Exception {
- SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, () -> licenseState);
+ SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, Settings.EMPTY);
 Map config = new HashMap<>();
 config.put("field", "_field");
 SetSecurityUserProcessor processor = factory.create(null, "_tag", null, config);
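Review bot: `testProcessor` now hands the factory `Settings.EMPTY`, so the "security enabled" case rests on the default of `XPackSettings.SECURITY_ENABLED` (presumably true) without the test saying so, while the disabled case later in the file spells its settings out. A field built once in `setupContext`, e.g. `securityEnabledSettings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build();`, passed from the `testProcessor*` methods in place of `Settings.EMPTY`, would make the two branches read symmetrically and survive a change of default. The same reliance on the default appears in the `RestHasPrivilegesActionTests.testBodyConsumed` hunk and in the interceptor tests that now pass `Settings.EMPTY`.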
@@ -47,7 +42,7 @@ public void testProcessor() throws Exception {
 }
 public void testProcessor_noField() throws Exception {
- SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, () -> licenseState);
+ SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, Settings.EMPTY);
 Map config = new HashMap<>();
 ElasticsearchParseException e = expectThrows(ElasticsearchParseException.class, () -> factory.create(null, "_tag", null, config));
 assertThat(e.getMetadata("es.property_name").get(0), equalTo("field"));
@@ -56,7 +51,7 @@ public void testProcessor_noField() throws Exception {
 }
 public void testProcessor_validProperties() throws Exception {
- SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, () -> licenseState);
+ SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, Settings.EMPTY);
 Map config = new HashMap<>();
 config.put("field", "_field");
 config.put("properties", Arrays.asList(Property.USERNAME.name(), Property.ROLES.name()));
@@ -66,7 +61,7 @@ public void testProcessor_validProperties() throws Exception {
 }
 public void testProcessor_invalidProperties() throws Exception {
- SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, () -> licenseState);
+ SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> securityContext, Settings.EMPTY);
 Map config = new HashMap<>();
 config.put("field", "_field");
 config.put("properties", Arrays.asList("invalid"));
@@ -77,8 +72,8 @@ public void testProcessor_invalidProperties() throws Exception {
 }
 public void testCanConstructorProcessorWithoutSecurityEnabled() throws Exception {
- when(licenseState.isSecurityEnabled()).thenReturn(false);
- SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> null, () -> licenseState);
+ Settings securityDisabled = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();
+ SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(() -> null, securityDisabled);
 Map config = new HashMap<>();
 config.put("field", "_field");
 final SetSecurityUserProcessor processor = factory.create(null, "_tag", null, config);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java
index d9a562c96b2a2..32db18d9302f2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java
@@ -15,6 +15,7 @@
 import org.elasticsearch.test.client.NoOpNodeClient;
 import org.elasticsearch.test.rest.FakeRestChannel;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.xpack.core.XPackSettings;
 import java.io.IOException;
 import java.util.Collections;
@@ -28,13 +29,13 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
 public void testSecurityBaseRestHandlerChecksLicenseState() throws Exception {
- final boolean securityDefaultEnabled = randomBoolean();
+ final boolean securityEnabled = randomBoolean();
+ Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), securityEnabled).build();
 final AtomicBoolean consumerCalled = new AtomicBoolean(false);
 final XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(securityDefaultEnabled);
 when(licenseState.getOperationMode()).thenReturn( randomFrom(License.OperationMode.BASIC, License.OperationMode.STANDARD, License.OperationMode.GOLD));
- SecurityBaseRestHandler handler = new SecurityBaseRestHandler(Settings.EMPTY, licenseState) {
+ SecurityBaseRestHandler handler = new SecurityBaseRestHandler(settings, licenseState) {
 @Override
 public String getName() {
@@ -56,14 +57,14 @@ protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClien
 }
 };
 FakeRestRequest fakeRestRequest = new FakeRestRequest();
- FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityDefaultEnabled ? 0 : 1);
+ FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityEnabled ? 0 : 1);
 try (NodeClient client = new NoOpNodeClient(this.getTestName())) {
 assertFalse(consumerCalled.get());
 verifyZeroInteractions(licenseState);
 handler.handleRequest(fakeRestRequest, fakeRestChannel, client);
- if (securityDefaultEnabled) {
+ if (securityEnabled) {
 assertTrue(consumerCalled.get());
 assertEquals(0, fakeRestChannel.responses().get());
 assertEquals(0, fakeRestChannel.errors().get());
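Review bot: `testSecurityBaseRestHandlerChecksLicenseState` no longer checks the license state: the enabled/disabled outcome is now driven by the `xpack.security.enabled` setting carried in `settings`, and the only license-related lines left are the `getOperationMode` stub and `verifyZeroInteractions(licenseState)`. Either rename the method (for instance `testSecurityBaseRestHandlerChecksSecurityEnabledSetting`) or put `// enabled/disabled comes from settings; the license state must not be touched before handleRequest` above the `verifyZeroInteractions` line, so the stubbed operation mode is not mistaken for the thing under test. The same naming drift applies to `testSendAsyncUserActionWhenUnlicensed` in SecurityServerTransportInterceptorTests, which now disables security through `securityDisabledSettings` rather than the license. The test method continues past the end of the second hunk.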
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
index 7a14632688a0f..743fb1a34b3bc 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
@@ -54,7 +54,6 @@ public void setUp() throws Exception {
 .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toString()) .build();
 threadPool = new ThreadPool(settings);
- when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
 }
 @Override
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
index 0300b723e546e..ae351c55669e3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
@@ -56,7 +56,6 @@ public void setUp() throws Exception {
 settings = Settings.builder().put("path.home", createTempDir().toString()).put("node.name", "test-" + getTestName()) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toString()).build();
 threadPool = new ThreadPool(settings);
- when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
 }
 @Override
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
index 501e3d4058aa1..0d96fcd8322fc 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
@@ -55,7 +55,6 @@ public void setUp() throws Exception {
 .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toString()) .build();
 threadPool = new ThreadPool(settings);
- when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
 }
 @Override
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
index 7d3cfd69d2d8f..3a4ce6b7a6a23 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
@@ -44,7 +44,6 @@ public class RestClearServiceAccountTokenStoreCacheActionTests extends RestActio
 public void init() {
 settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build();
 licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 requestHolder = new AtomicReference<>();
 controller().registerHandler(new RestClearServiceAccountTokenStoreCacheAction(settings, licenseState));
 verifyingClient.setExecuteVerifier(((actionType, actionRequest) -> {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
index 7d43809d596f6..19efca8a7fbe0 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
@@ -20,6 +20,7 @@
 import org.elasticsearch.test.client.NoOpNodeClient;
 import org.elasticsearch.test.rest.FakeRestChannel;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ApplicationResourcePrivileges;
@@ -42,11 +43,11 @@ public class RestGetUserPrivilegesActionTests extends ESTestCase {
 public void testSecurityDisabled() throws Exception {
+ final Settings securityDisabledSettings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();
 final XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(false);
 when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC);
 final RestGetUserPrivilegesAction action =
- new RestGetUserPrivilegesAction(Settings.EMPTY, mock(SecurityContext.class), licenseState);
+ new RestGetUserPrivilegesAction(securityDisabledSettings, mock(SecurityContext.class), licenseState);
 final FakeRestRequest request = new FakeRestRequest();
 final FakeRestChannel channel = new FakeRestChannel(request, true, 1);
 try (NodeClient nodeClient = new NoOpNodeClient(this.getTestName())) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
index 1c7de5e4861bf..debe7a3e79b1a 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
@@ -41,7 +41,6 @@ public class RestHasPrivilegesActionTests extends ESTestCase {
 */
 public void testBodyConsumed() throws Exception {
 final XPackLicenseState licenseState = mock(XPackLicenseState.class);
- when(licenseState.isSecurityEnabled()).thenReturn(true);
 final RestHasPrivilegesAction action = new RestHasPrivilegesAction(Settings.EMPTY, mock(SecurityContext.class), licenseState);
 try (XContentBuilder bodyBuilder = JsonXContent.contentBuilder().startObject().endObject();
@@ -59,7 +58,6 @@ public void testBodyConsumed() throws Exception { public void testSecurityDisabled() throws Exception { final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(false); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); final RestHasPrivilegesAction action = new RestHasPrivilegesAction(Settings.EMPTY, mock(SecurityContext.class), licenseState); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java index 71aa27416f796..18cb87aa6a84f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java @@ -161,7 +161,6 @@ public static TokenServiceMock tokenService(boolean enabled, ThreadPool threadPo final Client client = mock(Client.class); when(client.threadPool()).thenReturn(threadPool); final XPackLicenseState licenseState = mock(XPackLicenseState.class); - when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true); final ClusterService clusterService = mock(ClusterService.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java index eaed0bf9cd7ad..7c89c1c020d36 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java 
@@ -31,6 +31,7 @@ import org.elasticsearch.transport.TransportResponse.Empty; import org.elasticsearch.transport.TransportResponseHandler; import org.elasticsearch.transport.TransportService; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; @@ -76,7 +77,6 @@ public void setUp() throws Exception { threadContext = threadPool.getThreadContext(); securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext())); xPackLicenseState = mock(XPackLicenseState.class); - when(xPackLicenseState.isSecurityEnabled()).thenReturn(true); } @After @@ -86,12 +86,12 @@ public void stopThreadPool() throws Exception { } public void testSendAsyncUserActionWhenUnlicensed() { - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, + Settings securityDisabledSettings = Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); + SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, threadPool, mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener - when(xPackLicenseState.isSecurityEnabled()).thenReturn(false); AtomicBoolean calledWrappedSender = new AtomicBoolean(false); AtomicReference sendingUser = new AtomicReference<>(); AsyncSender sender = interceptor.interceptSender(new AsyncSender() { 
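Review bot: testSendAsyncUserActionWhenUnlicensed now switches security off through `XPackSettings.SECURITY_ENABLED` and no longer stubs the license mock, so its name no longer describes what it checks; the `verifyNoMoreInteractions(xPackLicenseState)` that follows is outside this hunk, and from the visible lines the license path seems to have no remaining test. Either rename it to `testSendAsyncUserActionWhenSecurityDisabled`, or keep the name and add a case that leaves the setting on and drives the unlicensed behaviour through `xPackLicenseState`, so that path keeps coverage. The same mismatch applies to testSendAsyncInternalActionWhenUnlicensed in the next hunk, to testUnlicensed in SecuritySearchOperationListenerTests and to testApplyUnlicensed in SecurityActionFilterTests later in this patch.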
@@ -109,17 +109,16 @@ public void sendRequest(Transport.Connection conne sender.sendRequest(connection, MainAction.NAME, null, null, null); assertTrue(calledWrappedSender.get()); assertThat(sendingUser.get(), nullValue()); - verify(xPackLicenseState).isSecurityEnabled(); verifyNoMoreInteractions(xPackLicenseState); } public void testSendAsyncInternalActionWhenUnlicensed() { - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, + Settings securityDisabledSettings = Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); + SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, threadPool, mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener - when(xPackLicenseState.isSecurityEnabled()).thenReturn(false); AtomicBoolean calledWrappedSender = new AtomicBoolean(false); AtomicReference sendingUser = new AtomicReference<>(); AsyncSender sender = interceptor.interceptSender(new AsyncSender() { 
@@ -137,18 +136,18 @@ public void sendRequest(Transport.Connection conne sender.sendRequest(connection, "internal:foo", null, null, null); assertTrue(calledWrappedSender.get()); assertThat(sendingUser.get(), is(SystemUser.INSTANCE)); - verify(xPackLicenseState).isSecurityEnabled(); verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT)); verifyNoMoreInteractions(xPackLicenseState); } public void testSendAsyncWithStateNotRecovered() { - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, + final boolean authAllowed = randomBoolean(); + Settings securityDisabledSettings = + Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), authAllowed).build(); + SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, threadPool, mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); - final boolean authAllowed = randomBoolean(); - when(xPackLicenseState.isSecurityEnabled()).thenReturn(authAllowed); ClusterState notRecovered = ClusterState.builder(clusterService.state()) .blocks(ClusterBlocks.builder().addGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK).build()) .build(); @@ -172,7 +171,6 @@ public void sendRequest(Transport.Connection conne sender.sendRequest(connection, "internal:foo", null, null, null); assertTrue(calledWrappedSender.get()); assertEquals(SystemUser.INSTANCE, sendingUser.get()); - verify(xPackLicenseState).isSecurityEnabled(); verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT)); verifyNoMoreInteractions(xPackLicenseState); } 
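Review bot: In testSendAsyncWithStateNotRecovered the settings object is named `securityDisabledSettings` although it carries the random `authAllowed` value, so in half of the runs it actually enables security, and a reader of the later assertions (outside this hunk) will draw the wrong conclusion about what was exercised. Rename it to match its content, e.g. `Settings settingsWithRandomSecurity = Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), authAllowed).build();`, and consider asserting both branches explicitly rather than relying on the outcome being identical either way. The second hunk on this line only drops a now-unused verify.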
@@ -206,7 +204,6 @@ public void sendRequest(Transport.Connection conne assertTrue(calledWrappedSender.get()); assertEquals(user, sendingUser.get()); assertEquals(user, securityContext.getUser()); - verify(xPackLicenseState).isSecurityEnabled(); verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class)); verifyNoMoreInteractions(xPackLicenseState); } @@ -243,7 +240,6 @@ public void sendRequest(Transport.Connection conne assertNotEquals(user, sendingUser.get()); assertEquals(SystemUser.INSTANCE, sendingUser.get()); assertEquals(user, securityContext.getUser()); - verify(xPackLicenseState).isSecurityEnabled(); verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT)); verifyNoMoreInteractions(xPackLicenseState); } @@ -273,7 +269,6 @@ public void sendRequest(Transport.Connection conne expectThrows(IllegalStateException.class, () -> sender.sendRequest(connection, "indices:foo", null, null, null)); assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage()); assertNull(securityContext.getUser()); - verify(xPackLicenseState).isSecurityEnabled(); verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class)); verifyNoMoreInteractions(xPackLicenseState); } diff --git a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportPutTransformActionDeprecated.java b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportPutTransformActionDeprecated.java index c3b169b98a3fd..5114a1058220d 100644 --- a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportPutTransformActionDeprecated.java +++ b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportPutTransformActionDeprecated.java 
@@ -14,7 +14,6 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.ingest.IngestService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportService; import org.elasticsearch.xpack.core.transform.action.compat.PutTransformActionDeprecated; @@ -31,7 +30,6 @@ public TransportPutTransformActionDeprecated( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -44,7 +42,6 @@ public TransportPutTransformActionDeprecated( actionFilters, indexNameExpressionResolver, clusterService, - licenseState, transformServices, client, ingestService diff --git a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportUpdateTransformActionDeprecated.java b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportUpdateTransformActionDeprecated.java index 697aa0968a8d4..6127534ed2786 100644 --- a/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportUpdateTransformActionDeprecated.java +++ b/x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/compat/TransportUpdateTransformActionDeprecated.java @@ -14,7 +14,6 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.ingest.IngestService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportService; import org.elasticsearch.xpack.core.transform.action.compat.UpdateTransformActionDeprecated; 
@@ -31,7 +30,6 @@ public TransportUpdateTransformActionDeprecated( ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, - XPackLicenseState licenseState, TransformServices transformServices, Client client, IngestService ingestService @@ -44,7 +42,6 @@ public TransportUpdateTransformActionDeprecated( actionFilters, indexNameExpressionResolver, clusterService, - licenseState, transformServices, client, ingestService diff --git a/x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/transforms/pivot/PivotTests.java b/x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/transforms/pivot/PivotTests.java index 13bca17ea0073..fa3ac39bbe467 100644 --- a/x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/transforms/pivot/PivotTests.java +++ b/x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/transforms/pivot/PivotTests.java @@ -357,7 +357,7 @@ private static class TestSpatialPlugin extends SpatialPlugin { @Override protected XPackLicenseState getLicenseState() { - return new XPackLicenseState(Settings.EMPTY, System::currentTimeMillis); + return new XPackLicenseState(System::currentTimeMillis); } } From ff23d23f921fd76ca14a7c20f74130b5b449ef9f Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 27 Apr 2021 10:47:25 +0300 Subject: [PATCH 03/46] fix unused imports --- .../license/XPackLicenseStateTests.java | 4 -- ...ityIndexReaderWrapperIntegrationTests.java | 1 - .../SecurityIndexReaderWrapperUnitTests.java | 1 - .../ssl/TLSLicenseBootstrapCheckTests.java | 5 +- .../SecuritySearchOperationListenerTests.java | 7 ++- .../security/SecurityInfoTransportAction.java | 1 - .../SecuritySearchOperationListener.java | 1 - .../security/transport/filter/IPFilter.java | 2 +- .../xpack/security/SecurityTests.java | 46 ------------------- .../filter/SecurityActionFilterTests.java | 9 +++- .../logfile/LoggingAuditTrailFilterTests.java | 1 - .../audit/logfile/LoggingAuditTrailTests.java | 1 - .../xpack/security/authc/RealmsTests.java | 3 -- .../accesscontrol/OptOutQueryCacheTests.java | 1 - .../ingest/SetSecurityUserProcessorTests.java | 1 - .../rest/SecurityRestFilterTests.java | 1 - .../apikey/RestCreateApiKeyActionTests.java | 1 - .../apikey/RestGetApiKeyActionTests.java | 1 - .../RestInvalidateApiKeyActionTests.java | 1 - ...viceAccountTokenStoreCacheActionTests.java | 1 - .../RestGetUserPrivilegesActionTests.java | 2 +- .../user/RestHasPrivilegesActionTests.java | 6 ++- .../transport/ServerTransportFilterTests.java | 1 - 23 files changed, 18 insertions(+), 80 deletions(-) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index 0b2f760007563..3df5c63ab696a 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java 
@@ -6,14 +6,10 @@ */ package org.elasticsearch.license; -import org.elasticsearch.Version; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.License.OperationMode; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.test.VersionUtils; import org.elasticsearch.xpack.core.XPackField; -import org.elasticsearch.xpack.core.XPackSettings; import java.util.Arrays; import java.util.concurrent.atomic.AtomicInteger; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java index 201532698d69d..283f8be4bca58 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java @@ -45,7 +45,6 @@ import org.elasticsearch.search.internal.ContextIndexSearcher; import org.elasticsearch.test.AbstractBuilderTestCase; import org.elasticsearch.test.IndexSettingsModule; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java index 3d1ffb0c0a727..f8c120891a9fa 100644 
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
@@ -24,7 +24,6 @@
 import org.elasticsearch.license.XPackLicenseState.Feature;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java
index e6adc60c25c28..85a5ebb3ec755 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java
@@ -66,10 +66,7 @@ public void testBootstrapCheckFailureOnBasicLicense() throws Exception {
 
 public void testBootstrapSucceedsIfSecurityIsNotEnabledOnBasicLicense() throws Exception {
 final Settings.Builder settings = Settings.builder();
- if (randomBoolean()) {
- // randomise between default-false & explicit-false
- settings.put("xpack.security.enabled", false);
- }
+ settings.put("xpack.security.enabled", false);
 if (randomBoolean()) {
 // it does not matter whether or not this is set, as security is not enabled.
 settings.put("xpack.security.transport.ssl.enabled", randomBoolean());
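Review bot: The test now pins `xpack.security.enabled` to false, but the removed comment was the only explanation of why the default value can no longer stand in for "disabled", and the default-settings case on a basic license is no longer covered by this method at all. If the default has changed to enabled, that case is the one where the bootstrap check must fail when transport TLS is not configured, and it deserves its own test; if it has not, the randomisation could have stayed. A one-line comment such as `// explicit false: the default of xpack.security.enabled is deliberately not relied upon here` would preserve the intent for the next reader. testBootstrapSucceedsIfSecurityIsNotEnabledOnBasicLicense continues past the hunk.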
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java index 79dd804c6da5b..e7c81dcefa402 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java @@ -25,6 +25,7 @@ import org.elasticsearch.test.ESSingleNodeTestCase; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest.Empty; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; @@ -36,7 +37,6 @@ import org.elasticsearch.xpack.security.audit.AuditTrail; import org.elasticsearch.xpack.security.audit.AuditTrailService; import org.junit.Before; -import org.mockito.Mockito; import java.util.Collections; @@ -49,7 +49,6 @@ import static org.hamcrest.Matchers.nullValue; import static org.mockito.Matchers.eq; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.verifyZeroInteractions; 
@@ -75,9 +74,9 @@ public void testUnlicensed() {
 final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
 AuditTrailService auditTrailService = mock(AuditTrailService.class);
 SearchContext searchContext = mock(SearchContext.class);
-
+ Settings disabledSecurity = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();
 SecuritySearchOperationListener listener =
- new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService);
+ new SecuritySearchOperationListener(securityContext, disabledSecurity, auditTrailService);
 listener.onNewScrollContext(readerContext);
 listener.validateReaderContext(readerContext, Empty.INSTANCE);
 verifyZeroInteractions(auditTrailService, searchContext);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java
index 419653d73f808..1b11737eac7bf 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityInfoTransportAction.java
@@ -9,7 +9,6 @@
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackField;
 import org.elasticsearch.xpack.core.XPackSettings;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
index a530f7b556686..723bb37311a4d 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -10,7 +10,6 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.index.shard.SearchOperationListener;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.search.SearchContextMissingException;
 import org.elasticsearch.search.internal.ReaderContext;
 import org.elasticsearch.search.internal.ScrollContext;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
index 8a005c325f0cb..5365741e6b4ae 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
@@ -248,7 +248,7 @@ private void setHttpFiltering(boolean enabled) {
 }
 
 public boolean accept(String profile, InetSocketAddress peerAddress) {
- if (XPackSettings.SECURITY_ENABLED.get(settings) ||
+ if (XPackSettings.SECURITY_ENABLED.get(settings) == false ||
 licenseState.checkFeature(Feature.SECURITY_IP_FILTERING) == false) {
 return true;
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index 3b8d393d4f066..a136d235734b8 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
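Review bot: The corrected guard in IPFilter.accept is the right shape — it returns true early only when security is disabled by setting or IP filtering is unlicensed — but the line it replaces accepted every peer whenever security was enabled, so this condition is worth pinning with a test rather than relying on a fix-up commit to catch the inversion. A unit test that builds IPFilter with `XPackSettings.SECURITY_ENABLED` set to true, a rule that denies the test address, and `licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)` stubbed to true should assert that `accept(...)` returns false, with a second case asserting true when the setting is false. A short comment above the guard, `// fail open only when security is off or IP filtering is unlicensed; every other path is subject to the filter rules`, would make the intent explicit for the next reader. The remainder of accept is outside the hunk, so whether the rule evaluation below behaves as that comment says should be confirmed there.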
@@ -6,9 +6,7 @@ */ package org.elasticsearch.xpack.security; -import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.Version; -import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.Client; import org.elasticsearch.cluster.ClusterName; import org.elasticsearch.cluster.ClusterState; @@ -31,14 +29,11 @@ import org.elasticsearch.license.TestUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.MapperPlugin; -import org.elasticsearch.rest.RestRequest; import org.elasticsearch.script.ScriptService; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.VersionUtils; -import org.elasticsearch.test.rest.FakeRestRequest; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; -import org.elasticsearch.xpack.core.XPackField; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityExtension; import org.elasticsearch.xpack.core.security.SecurityField; @@ -54,7 +49,6 @@ import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.security.audit.AuditTrailService; import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail; -import org.elasticsearch.xpack.security.authc.AuthenticationService; import org.elasticsearch.xpack.security.authc.Realms; import org.hamcrest.Matchers; import org.junit.After; @@ -67,7 +61,6 @@ import java.util.List; import java.util.Map; import java.util.Set; -import java.util.concurrent.atomic.AtomicBoolean; import java.util.function.BiConsumer; import java.util.function.Function; import java.util.function.Predicate; 
@@ -80,8 +73,6 @@ import static org.hamcrest.Matchers.empty; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItem; -import static org.hamcrest.Matchers.instanceOf; -import static org.hamcrest.Matchers.notNullValue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; 
@@ -488,41 +479,4 @@ public void testValidateForFipsNoErrorsForDefaultSettings() { Security.validateForFips(settings); // no exception thrown } - - public void testLicenseUpdateFailureHandlerUpdate() throws Exception { - Settings settings = Settings.builder(). - put("xpack.security.authc.api_key.enabled", "true"). - build(); - Collection components = createComponentsWithSecurityNotExplicitlyEnabled(settings); - AuthenticationService service = findComponent(AuthenticationService.class, components); - assertNotNull(service); - RestRequest request = new FakeRestRequest(); - final AtomicBoolean completed = new AtomicBoolean(false); - service.authenticate(request, ActionListener.wrap(result -> { - assertTrue(completed.compareAndSet(false, true)); - }, this::logAndFail)); - assertTrue(completed.compareAndSet(true, false)); - threadContext.stashContext(); - licenseState.update( - randomFrom(License.OperationMode.GOLD, License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM), - true, Long.MAX_VALUE, null); - service.authenticate(request, ActionListener.wrap(result -> { - assertTrue(completed.compareAndSet(false, true)); - }, this::VerifyBasicAuthenticationHeader)); - if(completed.get()){ - fail("authentication succeeded but it shouldn't"); - } - } - - private void logAndFail(Exception e) { - logger.error("unexpected exception", e); - fail("unexpected exception " + e.getMessage()); - } - - private void VerifyBasicAuthenticationHeader(Exception e) { - assertThat(e, instanceOf(ElasticsearchSecurityException.class)); - assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), notNullValue()); - assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), - hasItem("Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"")); - } } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java index f60a3178e5a9e..422c2125a4d75 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java @@ -30,6 +30,7 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportRequest; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; @@ -70,6 +71,7 @@ public class SecurityActionFilterTests extends ESTestCase { private ActionFilterChain chain; private XPackLicenseState licenseState; private SecurityActionFilter filter; + private SecurityActionFilter filterWithSecurityDisabled; private ThreadContext threadContext; private boolean failDestructiveOperations; @@ -88,6 +90,9 @@ public void init() throws Exception { failDestructiveOperations = randomBoolean(); Settings settings = Settings.builder() .put(DestructiveOperations.REQUIRES_NAME_SETTING.getKey(), failDestructiveOperations).build(); + Settings disabledSecurity = Settings.builder() + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) + .put(DestructiveOperations.REQUIRES_NAME_SETTING.getKey(), failDestructiveOperations).build(); DestructiveOperations destructiveOperations = new DestructiveOperations(settings, new ClusterSettings(settings, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))); ClusterState state = mock(ClusterState.class); 
@@ -100,6 +105,8 @@ public void init() throws Exception {
 SecurityContext securityContext = new SecurityContext(settings, threadContext);
 filter = new SecurityActionFilter(authcService, authzService, auditTrailService, licenseState, threadPool, securityContext, settings, destructiveOperations);
+ filterWithSecurityDisabled = new SecurityActionFilter(authcService, authzService, auditTrailService, licenseState, threadPool,
+ securityContext, disabledSecurity, destructiveOperations);
 }
 public void testApply() throws Exception {
@@ -275,7 +282,7 @@ public void testApplyUnlicensed() throws Exception {
 ActionListener listener = mock(ActionListener.class);
 ActionFilterChain chain = mock(ActionFilterChain.class);
 Task task = mock(Task.class);
- filter.apply(task, "_action", request, listener, chain);
+ filterWithSecurityDisabled.apply(task, "_action", request, listener, chain);
 verifyZeroInteractions(authcService);
 verifyZeroInteractions(authzService);
 verify(chain).proceed(eq(task), eq("_action"), eq(request), eq(listener));
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
index 9f1d0a9effdb4..e552883a47627 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
@@ -19,7 +19,6 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.common.xcontent.XContentType;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.mock.orig.Mockito;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.test.ESTestCase;
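Review bot: `testApplyUnlicensed` now drives `filterWithSecurityDisabled`, which `init()` builds from `disabledSecurity` (`XPackSettings.SECURITY_ENABLED` set to false), so the test name no longer describes what is asserted: the filter short-circuits because security is disabled by setting, not because the license is insufficient. Rename it, e.g. `public void testApplyWithSecurityDisabled() throws Exception {`, or keep a separate license-driven case if the filter still has an unlicensed path worth pinning. The method's body begins outside the hunk, so any license stubbing that remains there would need the same review.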
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index 9fa289e65b449..0480f1e5963ce 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -35,7 +35,6 @@
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentType;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.mock.orig.Mockito;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.tasks.Task;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
index 9eb3b0e59c247..ab0f592124e1a 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
@@ -486,9 +486,6 @@ public void testAuthcAuthzDisabled() throws Exception {
 .build();
 Environment env = TestEnvironment.newEnvironment(settings);
 Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm);
-
- assertThat(realms.iterator().hasNext(), is(true));
- assertThat(realms.iterator().hasNext(), is(false));
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java
index 641f8d11a0e93..f9c6f7786b3b4 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java
@@ -23,7 +23,6 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.index.IndexSettings;
 import org.elasticsearch.indices.IndicesQueryCache;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java
index 228355f8df781..2587d82eae284 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java
@@ -11,7 +11,6 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.ingest.IngestDocument;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
index fe7109cfffc6a..e259ba441433a 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
@@ -9,7 +9,6 @@
 import com.nimbusds.jose.util.StandardCharset;
 import org.apache.lucene.util.SetOnce;
 import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.node.NodeClient;
 import org.elasticsearch.common.bytes.BytesArray;
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
index 743fb1a34b3bc..93ec05ff05867 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestCreateApiKeyActionTests.java
@@ -38,7 +38,6 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 public class RestCreateApiKeyActionTests extends ESTestCase {
 private final XPackLicenseState mockLicenseState = mock(XPackLicenseState.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
index ae351c55669e3..29d681f2ef22b 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestGetApiKeyActionTests.java
@@ -43,7 +43,6 @@
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 public class RestGetApiKeyActionTests extends ESTestCase {
 private final XPackLicenseState mockLicenseState = mock(XPackLicenseState.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
index 0d96fcd8322fc..f254ddb4dd926 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestInvalidateApiKeyActionTests.java
@@ -39,7 +39,6 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 public class RestInvalidateApiKeyActionTests extends ESTestCase {
 private final XPackLicenseState mockLicenseState = mock(XPackLicenseState.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
index 3a4ce6b7a6a23..0b77eb91a48b3 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java
@@ -32,7 +32,6 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 public class RestClearServiceAccountTokenStoreCacheActionTests extends RestActionTestCase {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
index 19efca8a7fbe0..e6fd0aa20706e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestGetUserPrivilegesActionTests.java
@@ -56,7 +56,7 @@ public void testSecurityDisabled() throws Exception {
 assertThat(channel.capturedResponse(), notNullValue());
 assertThat(channel.capturedResponse().status(), equalTo(RestStatus.INTERNAL_SERVER_ERROR));
 assertThat(channel.capturedResponse().content().utf8ToString(),
- containsString("Security must be explicitly enabled when using a [basic] license"));
+ containsString("Security is not enabled but a security rest handler is registered"));
 }
 public void testBuildResponse() throws Exception {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
index debe7a3e79b1a..8cdd61f8f49a2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/user/RestHasPrivilegesActionTests.java
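Review bot: In RestGetUserPrivilegesActionTests only the expected message changes, while the parallel `testSecurityDisabled` in RestHasPrivilegesActionTests (next file) also switches the handler to settings with `XPackSettings.SECURITY_ENABLED` set to false. If this test still constructs its action with `Settings.EMPTY` (the construction is outside the hunk), it now relies on the default value of `xpack.security.enabled` producing the "not enabled" error rather than asserting the disabled path explicitly, and it will flip the moment that default changes. Building the action from `Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()` would make the two tests consistent and pin what the name promises. The body of testSecurityDisabled begins outside the hunk.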
@@ -22,6 +22,7 @@
 import org.elasticsearch.test.client.NoOpNodeClient;
 import org.elasticsearch.test.rest.FakeRestChannel;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import static org.hamcrest.Matchers.containsString;
@@ -58,9 +59,10 @@ public void testBodyConsumed() throws Exception {
 public void testSecurityDisabled() throws Exception {
 final XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ final Settings securityDisabledSettings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();
 when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC);
 final RestHasPrivilegesAction action =
- new RestHasPrivilegesAction(Settings.EMPTY, mock(SecurityContext.class), licenseState);
+ new RestHasPrivilegesAction(securityDisabledSettings, mock(SecurityContext.class), licenseState);
 try (XContentBuilder bodyBuilder = JsonXContent.contentBuilder().startObject().endObject();
 NodeClient client = new NoOpNodeClient(this.getTestName())) {
 final RestRequest request = new FakeRestRequest.Builder(xContentRegistry())
@@ -73,7 +75,7 @@ public void testSecurityDisabled() throws Exception {
 assertThat(channel.capturedResponse().status(), equalTo(RestStatus.INTERNAL_SERVER_ERROR));
 assertThat(
 channel.capturedResponse().content().utf8ToString(),
- containsString("Security must be explicitly enabled when using a [basic] license"));
+ containsString("Security is not enabled but a security rest handler is registered"));
 }
 }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java
index c69b501e24dff..aa1963de326f0 100644
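Review bot: The stub `when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC);` is kept in `testSecurityDisabled` although the rejection is now driven by `securityDisabledSettings` and the asserted message no longer mentions the license, so it reads as leftover setup that suggests the license mode still matters on this path. If the handler no longer consults the license when security is disabled, drop the stub and pin that with `verifyZeroInteractions(licenseState);` after the request is handled; if it does still consult it, a one-line comment saying why BASIC is required here would stop the next reader from removing it. The `try` block and the surrounding method span all three hunks, so the stub and the assertion are not visible together here.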
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java
@@ -19,7 +19,6 @@
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.transport.TransportChannel;
 import org.elasticsearch.transport.TransportRequest;
From 90c258e577fb0dd1958632861256aadc2b00ba1f Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas Date: Tue, 27 Apr 2021 10:54:41 +0300 Subject: [PATCH 04/46] remove unecessary tests --- .../qa/basic-enable-security/build.gradle | 76 ------- .../EnableSecurityOnBasicLicenseIT.java | 202 ------------------ .../src/javaRestTest/resources/roles.yml | 14 -- .../resources/ssl/README.asciidoc | 30 --- .../src/javaRestTest/resources/ssl/ca.crt | 20 -- .../src/javaRestTest/resources/ssl/ca.key | 30 --- .../javaRestTest/resources/ssl/transport.crt | 22 -- .../javaRestTest/resources/ssl/transport.key | 30 --- .../qa/security-not-enabled/build.gradle | 25 --- ...UserProcessorWithSecurityNotEnabledIT.java | 49 ----- 10 files changed, 498 deletions(-) delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/build.gradle delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt delete mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key delete mode 100644 x-pack/plugin/security/qa/security-not-enabled/build.gradle delete mode 100644 x-pack/plugin/security/qa/security-not-enabled/src/javaRestTest/java/org/elasticsearch/xpack/security/SetSecurityUserProcessorWithSecurityNotEnabledIT.java 
diff --git a/x-pack/plugin/security/qa/basic-enable-security/build.gradle b/x-pack/plugin/security/qa/basic-enable-security/build.gradle
deleted file mode 100644
index 4aae54c3a21e4..0000000000000
--- a/x-pack/plugin/security/qa/basic-enable-security/build.gradle
+++ /dev/null
@@ -1,76 +0,0 @@ -import org.elasticsearch.gradle.testclusters.StandaloneRestIntegTestTask -import org.elasticsearch.gradle.internal.test.rest.JavaRestTestPlugin -import org.elasticsearch.gradle.internal.info.BuildParams - -apply plugin: 'elasticsearch.java-rest-test' - -//randomise between implicitly and explicitly disabled security -boolean implicitlyDisabledSecurity = (new Random(Long.parseUnsignedLong(BuildParams.testSeed.tokenize(':').get(0), 16))).nextBoolean() - -dependencies { - javaRestTestImplementation(testArtifact(project(xpackModule('security')))) - javaRestTestImplementation(testArtifact(project(xpackModule('core')))) -} - -tasks.named("javaRestTest").configure { - description = "Run tests against a cluster that doesn't have security" - if (!implicitlyDisabledSecurity) { - systemProperty 'tests.has_security', 'false' - } -} - -if (BuildParams.inFipsJvm){ - // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC - tasks.named("javaRestTest").configure{enabled = false } -} - -testClusters { - javaRestTest { - testDistribution = 'DEFAULT' - numberOfNodes = 2 - setting 'xpack.ml.enabled', 'false' - setting 'xpack.license.self_generated.type', 'basic' - if (!implicitlyDisabledSecurity) { - setting 'xpack.security.enabled', 'false' - } - } -} - -tasks.register("javaRestTestWithSecurityEnabled", StandaloneRestIntegTestTask) { - mustRunAfter("javaRestTest") - description = "Run tests against a cluster that has security enabled" - dependsOn "javaRestTest" - useCluster testClusters.javaRestTest - systemProperty 'tests.has_security', 'true' - testClassesDirs = sourceSets.javaRestTest.output.classesDirs - classpath = sourceSets.javaRestTest.runtimeClasspath - onlyIf { - BuildParams.inFipsJvm == false - } - doFirst { - testClusters.javaRestTest { - // TODO Rene: revisit if using dedicated new cluster definitions would be more efficient. 
- // Reconfigure cluster to enable security - setting 'xpack.security.enabled', 'true' - setting 'xpack.security.authc.anonymous.roles', 'anonymous' - setting 'xpack.security.transport.ssl.enabled', 'true' - setting 'xpack.security.transport.ssl.certificate', 'transport.crt' - setting 'xpack.security.transport.ssl.key', 'transport.key' - setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password' - setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt' - - extraConfigFile 'transport.key', file('src/javaRestTest/resources/ssl/transport.key') - extraConfigFile 'transport.crt', file('src/javaRestTest/resources/ssl/transport.crt') - extraConfigFile 'ca.crt', file('src/javaRestTest/resources/ssl/ca.crt') - extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml') - - user username: "admin_user", password: "admin-password" - user username: "security_test_user", password: "security-test-password", role: "security_test_role" - - restart() - } - nonInputProperties.systemProperty 'tests.rest.cluster', "${-> testClusters.javaRestTest.getAllHttpSocketURI().join(",")}" - } -} -tasks.named("check").configure { dependsOn("javaRestTestWithSecurityEnabled") } - diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java deleted file mode 100644 index 69e1c0bd91d32..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java +++ /dev/null 
@@ -1,202 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -package org.elasticsearch.xpack.security; - -import org.apache.http.HttpHost; -import org.apache.http.util.EntityUtils; -import org.elasticsearch.Version; -import org.elasticsearch.client.Request; -import org.elasticsearch.client.Response; -import org.elasticsearch.client.ResponseException; -import org.elasticsearch.client.RestClient; -import org.elasticsearch.client.RestClientBuilder; -import org.elasticsearch.common.Booleans; -import org.elasticsearch.common.settings.SecureString; -import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.test.rest.ESRestTestCase; -import org.elasticsearch.test.rest.yaml.ObjectPath; -import org.elasticsearch.xpack.security.authc.InternalRealms; -import org.hamcrest.Matchers; -import org.junit.BeforeClass; - -import java.io.IOException; -import java.util.Arrays; -import java.util.List; -import java.util.Locale; -import java.util.Map; - -import static org.hamcrest.Matchers.contains; -import static org.hamcrest.Matchers.containsString; -import static org.hamcrest.Matchers.equalTo; -import static org.hamcrest.Matchers.notNullValue; - -public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { - - private static boolean securityEnabled; - private static boolean securityExplicitlySet; - - @BeforeClass - public static void checkTestMode() { - final String hasSecurity = System.getProperty("tests.has_security"); - securityExplicitlySet = hasSecurity != null; - securityEnabled = hasSecurity == null ? 
false : Booleans.parseBoolean(hasSecurity); - } - - @Override - protected Settings restAdminSettings() { - String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); - return Settings.builder() - .put(ThreadContext.PREFIX + ".Authorization", token) - .build(); - } - - @Override - protected Settings restClientSettings() { - String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray())); - return Settings.builder() - .put(ThreadContext.PREFIX + ".Authorization", token) - .build(); - } - - @Override - protected boolean preserveClusterUponCompletion() { - // If this is one of the first two runs (security not yet enabled), then don't clean up afterwards because we want to test restart - // with data - return securityEnabled == false; - } - - @Override - protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { - RestClientBuilder builder = RestClient.builder(hosts); - configureClient(builder, settings); - if (System.getProperty("tests.has_security") != null) { - builder.setStrictDeprecationMode(true); - } else { - builder.setStrictDeprecationMode(false); - } - return builder.build(); - } - - - public void testSecuritySetup() throws Exception { - logger.info("Security status: {}", securityEnabled); - logger.info("Cluster:\n{}", getClusterInfo()); - logger.info("Indices:\n{}", getIndices()); - checkBasicLicenseType(); - - checkSecurityStatus(securityEnabled); - if (securityEnabled) { - checkAuthentication(); - } - - checkAllowedWrite("index_allowed"); - // Security runs third, and should see the docs from the first two (non-security) runs - // Security explicitly disabled runs second and should see the doc from the first (implicitly disabled) run - final int expectedIndexCount = securityEnabled ? 
2 : 1; - checkIndexCount("index_allowed", expectedIndexCount); - - final String otherIndex = "index_" + randomAlphaOfLengthBetween(2, 6).toLowerCase(Locale.ROOT); - if (securityEnabled) { - checkDeniedWrite(otherIndex); - } else { - checkAllowedWrite(otherIndex); - } - checkSecurityDisabledWarning(); - } - - public void checkSecurityDisabledWarning() throws Exception { - final Request request = new Request("GET", "/_cat/indices"); - Response response = client().performRequest(request); - List warningHeaders = response.getWarnings(); - if (securityExplicitlySet) { - assertThat (warningHeaders, Matchers.empty()); - } else { - assertThat (warningHeaders, Matchers.hasSize(1)); - assertThat (warningHeaders.get(0), - containsString("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + - "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + - Version.CURRENT.minor + "/security-minimal-setup.html to enable security.")); - } - } - - private String getClusterInfo() throws IOException { - Map info = getAsMap("/"); - assertThat(info, notNullValue()); - return info.toString(); - } - - private String getIndices() throws IOException { - final Request request = new Request("GET", "/_cat/indices"); - Response response = client().performRequest(request); - return EntityUtils.toString(response.getEntity()); - } - - private void checkBasicLicenseType() throws Exception { - assertBusy(() -> { - try { - Map license = getAsMap("/_license"); - assertThat(license, notNullValue()); - assertThat(ObjectPath.evaluate(license, "license.type"), equalTo("basic")); - } catch (ResponseException e) { - throw new AssertionError(e); - } - }); - } - - private void checkSecurityStatus(boolean expectEnabled) throws IOException { - Map usage = getAsMap("/_xpack/usage"); - assertThat(usage, notNullValue()); - assertThat(ObjectPath.evaluate(usage, "security.available"), equalTo(true)); - 
assertThat(ObjectPath.evaluate(usage, "security.enabled"), equalTo(expectEnabled)); - if (expectEnabled) { - for (String realm : Arrays.asList("file", "native")) { - assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".available"), equalTo(true)); - assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".enabled"), equalTo(true)); - } - for (String realm : InternalRealms.getConfigurableRealmsTypes()) { - if (realm.equals("file") == false && realm.equals("native") == false) { - assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".available"), equalTo(false)); - assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".enabled"), equalTo(false)); - } - } - } - } - - private void checkAuthentication() throws IOException { - final Map auth = getAsMap("/_security/_authenticate"); - // From file realm, configured in build.gradle - assertThat(ObjectPath.evaluate(auth, "username"), equalTo("security_test_user")); - // The anonymous role is granted by anonymous access enabled in build.gradle - assertThat(ObjectPath.evaluate(auth, "roles"), contains("security_test_role", "anonymous")); - } - - private void checkAllowedWrite(String indexName) throws IOException { - final Request request = new Request("POST", "/" + indexName + "/_doc"); - request.setJsonEntity("{ \"key\" : \"value\" }"); - Response response = client().performRequest(request); - final Map result = entityAsMap(response); - assertThat(ObjectPath.evaluate(result, "_index"), equalTo(indexName)); - assertThat(ObjectPath.evaluate(result, "result"), equalTo("created")); - } - - private void checkDeniedWrite(String indexName) { - final Request request = new Request("POST", "/" + indexName + "/_doc"); - request.setJsonEntity("{ \"key\" : \"value\" }"); - ResponseException e = expectThrows(ResponseException.class, () -> client().performRequest(request)); - assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(403)); - assertThat(e.getMessage(), 
containsString("unauthorized for user [security_test_user]")); - } - - private void checkIndexCount(String indexName, int expectedCount) throws IOException { - final Request request = new Request("POST", "/" + indexName + "/_refresh"); - adminClient().performRequest(request); - - final Map result = getAsMap("/" + indexName + "/_count"); - assertThat(ObjectPath.evaluate(result, "count"), equalTo(expectedCount)); - } -} diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml deleted file mode 100644 index eb6c3ec45786b..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml +++ /dev/null @@ -1,14 +0,0 @@ -# A basic role that is used to test security -security_test_role: - cluster: - - monitor - - "cluster:admin/xpack/license/*" - indices: - - names: [ "index_allowed" ] - privileges: [ "read", "write", "create_index" ] - - names: [ "*" ] - privileges: [ "monitor" ] - -anonymous: - cluster: - - monitor \ No newline at end of file diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc deleted file mode 100644 index b3729f42d17b0..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc +++ /dev/null 
@@ -1,30 +0,0 @@ -= Keystore Details - -This document details the steps used to create the certificate and keystore files in this directory. - -== Instructions on generating certificates -The certificates in this directory have been generated using elasticsearch-certutil (7.0.0 SNAPSHOT) - -[source,shell] ------------------------------------------------------------------------------------------------------------ -elasticsearch-certutil ca --pem --out=ca.zip --pass="ca-password" --days=3500 -unzip ca.zip -mv ca/ca.* ./ - -rm ca.zip -rmdir ca ------------------------------------------------------------------------------------------------------------ - -[source,shell] ------------------------------------------------------------------------------------------------------------ -elasticsearch-certutil cert --pem --name=transport --out=transport.zip --pass="transport-password" --days=3500 \ - --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \ - --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ - --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 - -unzip transport.zip -mv transport/transport.* ./ - -rm transport.zip -rmdir transport ------------------------------------------------------------------------------------------------------------ diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt deleted file mode 100644 index 95068217a612a..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIVAL0RCyWTbBDd2ntuWoqRwW0IE9+9MA0GCSqGSIb3DQEB -CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMB4XDTE5MDQzMDAzNTQwN1oXDTI4MTEyODAzNTQwN1owNDEyMDAG -A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA4VwADiyl+Xl15D27gtpS -TXZfHt40MUx12FY0MEd3A3hU+Fp4PaLE2ejECx04yrq8Rfc0Yltux/Fc5zE98XM8 -dY4j0QN/e6C/f0mrBI0KaJ25nv0MWFvoqS/D3vWvDFLUP1a3OZICWWoBDG+zCHe5 -Aq0qwge+FU9IUc7G2WPJeUp4e0+EzLxFInls3rTX1xkyq8Q6PT3gi0RZKvHqIudL -DAXDVEGWNxEX9KwQ1nMtRkDZICx/W665kZiBD4XC3WuEkYlDL1ISVw3cmsbYdhb4 -IusIK5zNERi4ewTgDDxic8TbRpkQW189/M3IglrQipH5ixfF6oNSyoRVAa3KZqj5 -AgMBAAGjUzBRMB0GA1UdDgQWBBRI4mOaeunbu60GfjWTpHcvhb6/YTAfBgNVHSME -GDAWgBRI4mOaeunbu60GfjWTpHcvhb6/YTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG -SIb3DQEBCwUAA4IBAQCUOXddlGoU+Ni85D0cRjYYxyx8a5Rwngp+kztttT/5l3Ch -5JMZyl/xcaTryh37BG3+NuqKR1zHtcLpq/+xaCrwBQ8glJofF+1n9w4zBL9nrH5c -O5NgG7+u/sfB+xdqMVdoBBqfm1Roq7O1T/kBXis1+5ZtBlj+7WIKeWWTZGLTrHV+ -MW5RDOmMoLkqT5qzpR9Yf7UChPVrvKGs4Kd+fYJeb0R5W6mvZQ6/FrsLwAWLC2Q1 -rW1u4zIkO0ih5qd52dl/73u7SWqzWxPy1ynwqJefD4AA0uaJYtMlXHK2vYjutHvY -K7301gzc5fueqo1YMmPgsjjsj+ErR1t0ve7faOBy ------END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key deleted file mode 100644 index a6de1f9958d32..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,0F6B57727499DA47 - -OmK77UnFtk/zNEbNTxNJz73D2XWFDWLyHCDZPEXkX55vch/pXkkfVbWbPBFv35nA -LKni0j802Qnc1D4V3BUSmVWHk9SfjI5nlcDkSELbgCOpuZkf6Bmk8FgLfV42BFxn -lAiY+oBB4VV+rxA+HUV6CiWWrTgSjkvFyXCBZzcTEPdF2ifWerjsWKOjQZJtmvMX -J5DhYCCp1/n4R/OQpYxQiOqJdUxbKx4k0h139ySK2PggdL17w1a7AuQnHwJO3+ic -1IntPKD/ZhpAPPzq8A5R5jZyvrSj9Dgv94PXAQ5xTZWnZd2nuJtbkrYJ47pBR3Re -R2aZdF/N8ljG1TYHuJXdiL3A80Y3AS00TFNgSAZKSz5Ktt6zI2EAZu9xdHd8EfUm -m3qJmfce9P9cCBzo7DLGHwRMfu9hEFWN9dRD8KWNcB+ahQ1/jItzi25yZM6vD6+S -ZVUzegybeYlMwPks3YObX9IdUSwAd9F76SVwHCsziKQW4RfETaShG/oRNqq04nqA -E//KUl5bfTuv8jumyMlg6iiqIDQAUvzI74mWe2lIy6rglm2rR39SN4NxSrnTwoz4 -KAf+kHWJVyxFqEYs+dqboRWpRfQac3+iYoIlZFob/nRhNyKnccTkHtjh7+1C8CXI -sYXhuJZLCoiXh990M9t1ct0hqfWLNALlEsJesfRG8/fvi+LZd9i3fyCjrM+z96/G -/2zQzdga4bOs3ZEBluYFYkhHRJw1rAF3LTcWYvjP0gjZYVQki7AsLb0me1selS6O -P1bXaLaSUvMsAVO0wOtHMXAoBgEybP4+OonLiMScjdQZ2KRQ8L8OwzuGt0yguPRy -7wQv4NrH8LQu+X7tlQox28kascZUNHxORbh9M/wWx/2htw88uXWb5vxbDe30Rras -mTg0Gxky/88ZWvYxr7PlhBRrrfkJQ9sF/RyygUFhpQaXTwspkpF+MZv+1X6ROHqR -OueSa606FrptZ5n4RRPjq0hVZQgWKMAlIxNSum+gFn/Z7Q9I6gKrGFxjkD65L1kK -BbvbHAomiTyphrMtBRP52VqsFr4NxCWzxr/ZSlwaxTEid2vYg3zm7ls4dHYjUiNR -cs/JZJTkXn2aVaILSQkr9/I0eOOH9t/APSXHY8urQuYsDdmOOL7J2tlh3w1ivP8A -vVeomdUr2jgn53pBzbaLlTfsZ9+UneuLcztLfqN+BydQq1bKWvn2j3GvUkmhE//M -+fpo+uGlslMLh8rjtRH1y9rtCKhLgIxLO4U/ZJksFcJAqF3mR+Xxkrf82LUrAg8x -Oj++3QhOJE7f+vKog8b0gGrySSwzII2Ar7KiJDVJaZpmbbXToBlcC7xoksN3Ra0E -15WxKBSRqb7gi2+ml02rwtFMzq93H05Uoa9mG8uf1QH8t/+o6fniFx5N5kKWmPMy -shXjaYg7NzEBAkxI4VO41faMxEj/CUV0klQDPbnAsTCrcYu7CS2lml3e0zVf6RB8 -plXee99DiWpHZTRoGzpInK3DpnGRP1Frgl1KyhT+HayFZeYSMHfVSFPk3CKKmtEp -r+J/SrpGnEx0NKK3f+MxflZfnMIvgjGxkHdgSaDpz9iTjveq176Bq1GmNLALotOq ------END RSA PRIVATE KEY----- 
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt deleted file mode 100644 index 8ffb02e3d5794..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDuDCCAqCgAwIBAgIVAOSHUsKiRx+ekWEEmfI2Q2q3B5hoMA0GCSqGSIb3DQEB -CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMB4XDTE5MDQzMDAzNTU0NloXDTI4MTEyODAzNTU0NlowFDESMBAG -A1UEAxMJdHJhbnNwb3J0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -wBaoGJ9vv9yFxCOg24CsVfwSThOPnea8oujexGZYDgKkCdtcVn03tlyomjOra/dL -PJ0zOvUyktTxv022VQNhkJ/PO+w/NKpHBHaAVZE0o2zvUf8xQqXoHw0S6rAhurs5 -50r8QRkh1Z3ky3uOcFs0pXYCR/2ZVmQNSBhqmhUSK5y0VURot1MtPMw1SeqyabZQ -upDTJ6um/zk2LalfChKJ3vGQGEW7AGfv10eIWSmqQx6rLWAGO4MDelbZhUUr5iFc -D4fW0/MNUXJHTBO5Dyq6n63Wsm0jTYK72bSVw8LZS+uabQCtcHtKUZh38uUEUCjp -MDVY7YmDv0i8qx/MvWasbwIDAQABo4HgMIHdMB0GA1UdDgQWBBQwoESvk9jbbTax -/+c5MCAFEvWW5TAfBgNVHSMEGDAWgBRI4mOaeunbu60GfjWTpHcvhb6/YTCBjwYD -VR0RBIGHMIGEgglsb2NhbGhvc3SCF2xvY2FsaG9zdDYubG9jYWxkb21haW42hwR/ -AAABhxAAAAAAAAAAAAAAAAAAAAABggpsb2NhbGhvc3Q0ggpsb2NhbGhvc3Q2ghVs -b2NhbGhvc3QubG9jYWxkb21haW6CF2xvY2FsaG9zdDQubG9jYWxkb21haW40MAkG -A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAIQ8/PLfsZ1eKOWW74a4h/Uh5eh8 -u9Led1v+U9tszmULN8JoYSEgyql6zy2pJOuIVLwI9cUvrcypUSDL53NmWhTGAjEL -jbww/G1cngBh5cBzAPq3lRL2lwc8j3ZZ16I1eNyWastvBDdtANlDArCUamZoboBm -HE/jrssC9DOQhxAraiitH3YqjquqztEp1zIuqRI0qYTDFNPzyfyXIyCFIT+3eVI5 -22MqjFL+9IDuoET+VU1i22LhF32TEPotz2hfZTFddql0V1IOJQuVkDkQGFvaJMFy -Xw7d4orV3sxzQYd7muCoaao7g/F675KqpZiiVHqKxTOLafF/MPcfLhH6xZk= ------END CERTIFICATE----- 
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key deleted file mode 100644 index f540e17202492..0000000000000 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,0B9EFA0829A750FB - -NCrPD7gkQ4Jr5/xIiohWILW3nO/WmNjApqOIc5g/wX/xJpk/554f8zCZ8dUD0D2E -ZW+z7Yj8GWKB0E6+hQZ+3ZUHLYASYSpSDVjg8UaaCxQyoVcUhshahFprqlzgU/An -Er8TbrGvhH0VmNlcQhaImqCOk41Hf8gjrxrtoLKbk3DfTk/Uuv4Jlsz4X+oSBVZN -fezIN70IZvGLKu7O3T9DeVLV1bLL6hNGIXnYe+FzLomMck2UoFv6uGS1VyFIGNf0 -ly80NGgdWTGxzLmiiGCgm5gbqbIehMsei1CC3jZIcfgfGyp4NVvF4HxFxZLTR3kY -YqzBWta/PoY6XXOlLFZupYt/YMt9hU6It9xdudPyNxwSuFXU66Fc08Ljj151iyhv -Ggf88jo9xSVvKOlqqHN6dY/xo9CfzTyuldG4jsKVHgGosSGghksjZ+PpHc7Mo5aP -S/UofhQgApJgU30TQPiQuJ+my/h9CiJyIgP7HnZtltwxg1k3dj+LxlpRKvjTOfuc -epOFmPeIdPkrQDir0j9+h+yoMgeqoT2unUYXw/qx5SVQxB5ckajLmJkUJPej9U3O -wASqNcWCTBEkGt102RU8o6lywdzBvfTB7gegR6oDvRfaxHOiUrRT/IwgszRfIdoC -fZa7Pb9pUuR3oY4uduDYgIKnxJhhQF2ERVXsfQeyxdiHEXvRnBFoAhoDjO8rWv07 -xiFPVMCAqXPImmdI34QezuzV2MUIVlKyeovbf+Kjv/Uat3zTj5FbmyVHcmPXpTY7 -t5iTQG+nQwz6UGcM5lF40EWrRdCzHEXNszwEY3Oz8D5rgBa6kxHYjcG9rzbTGlk2 -gsKdKA0am0hnCCJdTxbK5AkDcCWn/eclw0RPpbhFv5anvHTJ5WAWE7ZaACRuSfvy -UbNRGiWo4cNcR7+PGgV5184zjwJOql1mz+I79tlpxtK/FazP61WAYKOeEx1paKXX -syq+WDWgoZu/RzKDyTu10NUgq9J/IXDBn8/JjOVPCmPhMMLxNdoUhMfO4Ij9+3Jv -mH6ZaU6E+NZuc5N4Ivws42PwNY9FoyuLLgMBbezjhepQrDveHUK5v0weWqEapZ7Z -4KkFAeK7pjuItn5Of+233cp9Y68G8NrwMLQzI23kebNJwwzUMf3DnUJCXiy3PvrF -WpA0Q6/FspJgG3x2AXKo2QsHxydW+4w4pkawS9TCl0E03D7V6Gf17/HOxPDSH972 -+Yzzv8IkaOw5g+paeX9+tHjDFaxuvKiFyn/J7xYZAAQUoa2uQu440RakE73qLO34 -wtWdRzvIYitwLNJSfSojQDNoXuv8eyI/hP573cs6pmbheKXG1XKsWfpfj8sI7OkH -AdjRyeToSKbZ8yCn2vp0jyaRocOucu5oo7c0v+IocWOgdw+913EToJ6G3ck1heVR -b/U04VqKkXowO1YK7xDBAalMxyWq40spIKCC8HBBlng3vfUKqF46q9bMpesXnwPr -/00JfDVhFbqkJbqB8UYpjs9MN+vV5A7lsYbObom4pV25FSnwNSyxK0bhWGfZgutI -pjeQDkvHNG606AsqLz6SmIJP/GBBSMwvT3PGMPOO5XcayKeK3cbOQYJ0Yh7Muoqe ------END RSA PRIVATE KEY----- diff --git a/x-pack/plugin/security/qa/security-not-enabled/build.gradle b/x-pack/plugin/security/qa/security-not-enabled/build.gradle deleted file mode 100644 index 9b9ba98f53f8a..0000000000000 
--- a/x-pack/plugin/security/qa/security-not-enabled/build.gradle +++ /dev/null @@ -1,25 +0,0 @@ -/* - * This QA project tests the security plugin when security is not enabled. - * It is intended to cover security functionality which is supposed to - * function in a specific way even if security is not enabled on the cluster - * For example: If a cluster has a pipeline with the set_security_user processor - * defined, it should be not fail - */ - -apply plugin: 'elasticsearch.java-rest-test' - -dependencies { - javaRestTestImplementation(testArtifact(project(xpackModule('security')))) - javaRestTestImplementation(testArtifact(project(xpackModule('core')))) -} - -testClusters.all { - testDistribution = 'DEFAULT' - numberOfNodes = 2 - - setting 'xpack.ml.enabled', 'false' - // We run with a trial license, but do not enable security. - // This means the security plugin is loaded and all feature are permitted, but they are not enabled - setting 'xpack.license.self_generated.type', 'trial' - setting 'xpack.security.enabled', 'false' -} diff --git a/x-pack/plugin/security/qa/security-not-enabled/src/javaRestTest/java/org/elasticsearch/xpack/security/SetSecurityUserProcessorWithSecurityNotEnabledIT.java b/x-pack/plugin/security/qa/security-not-enabled/src/javaRestTest/java/org/elasticsearch/xpack/security/SetSecurityUserProcessorWithSecurityNotEnabledIT.java deleted file mode 100644 index f19fedf324e7f..0000000000000 --- a/x-pack/plugin/security/qa/security-not-enabled/src/javaRestTest/java/org/elasticsearch/xpack/security/SetSecurityUserProcessorWithSecurityNotEnabledIT.java +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -package org.elasticsearch.xpack.security; - -import org.apache.http.util.EntityUtils; -import org.elasticsearch.client.Request; -import org.elasticsearch.client.Response; -import org.elasticsearch.client.ResponseException; -import org.elasticsearch.test.rest.ESRestTestCase; - -import static org.hamcrest.Matchers.containsString; - -/** - * Tests that it is possible to define a pipeline with the - * {@link org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor} on a cluster where security is not enabled, - * but it is not possible to use that pipeline for ingestion. - */ -public class SetSecurityUserProcessorWithSecurityNotEnabledIT extends ESRestTestCase { - - public void testDefineAndUseProcessor() throws Exception { - final String pipeline = "pipeline-" + getTestName(); - final String index = "index-" + getTestName(); - { - final Request putPipeline = new Request("PUT", "/_ingest/pipeline/" + pipeline); - putPipeline.setJsonEntity("{" + - " \"description\": \"Test pipeline (" + getTestName() + ")\"," + - " \"processors\":[{" + - " \"set_security_user\":{ \"field\": \"user\" }" + - " }]" + - "}"); - final Response response = client().performRequest(putPipeline); - assertOK(response); - } - - { - final Request ingest = new Request("PUT", "/" + index + "/_doc/1?pipeline=" + pipeline); - ingest.setJsonEntity("{\"field\":\"value\"}"); - final ResponseException ex = expectThrows(ResponseException.class, () -> client().performRequest(ingest)); - final Response response = ex.getResponse(); - assertThat(EntityUtils.toString(response.getEntity()), - containsString("Security (authentication) is not enabled on this cluster")); - } - } - -} 
From c23e1536527b9f8865823c9370b621bed8579298 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 27 Apr 2021 13:35:17 +0300 Subject: [PATCH 05/46] Fix a number of tests by explicitly disabling security so that they run with security off as before --- qa/wildfly/docker-compose.yml | 1 + .../enrich/action/TransportPutEnrichPolicyAction.java | 2 -- .../elasticsearch/xpack/enrich/BasicEnrichTests.java | 10 ++++++++++ .../xpack/enrich/EnrichPolicyUpdateTests.java | 9 +++++++++ .../xpack/enrich/EnrichResiliencyTests.java | 3 +++ 5 files changed, 23 insertions(+), 2 deletions(-) diff --git a/qa/wildfly/docker-compose.yml b/qa/wildfly/docker-compose.yml index cd934b1a36499..b1816e1ada57f 100644 --- a/qa/wildfly/docker-compose.yml +++ b/qa/wildfly/docker-compose.yml @@ -20,6 +20,7 @@ services: image: elasticsearch:test environment: - discovery.type=single-node + - xpack.security.enabled=false - "ES_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: diff --git a/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java b/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java index bba24f9a7b020..e1a3672b097a1 100644 --- a/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java +++ b/x-pack/plugin/enrich/src/main/java/org/elasticsearch/xpack/enrich/action/TransportPutEnrichPolicyAction.java @@ -19,7 +19,6 @@ import org.elasticsearch.common.Strings; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportService; 
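Review bot: The new `- xpack.security.enabled=false` entry in the wildfly compose file is the only security opt-out in this patch that carries no TODO, unlike the enrich test overrides in the same commit, so nothing marks it as a temporary carry-over of the old default rather than a requirement of the fixture. Add `# TODO: run the wildfly QA fixture with security enabled (the new default)` above it so the disabled state stays tracked. The compose service block continues outside the hunk.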
@@ -46,7 +45,6 @@ public TransportPutEnrichPolicyAction(
 ClusterService clusterService,
 ThreadPool threadPool,
 Client client,
- XPackLicenseState licenseState,
 ActionFilters actionFilters,
 IndexNameExpressionResolver indexNameExpressionResolver
 ) {
diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java
index c61c050f7b95c..b8cbb2d60fc89 100644
--- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java
+++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java
@@ -19,6 +19,7 @@
 import org.elasticsearch.action.ingest.PutPipelineRequest;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.bytes.BytesArray;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.geo.GeoPlugin;
 import org.elasticsearch.index.reindex.ReindexPlugin;
@@ -26,6 +27,7 @@
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.mustache.MustachePlugin;
 import org.elasticsearch.test.ESSingleNodeTestCase;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.enrich.EnrichPolicy;
 import org.elasticsearch.xpack.core.enrich.action.EnrichStatsAction;
 import org.elasticsearch.xpack.core.enrich.action.ExecuteEnrichPolicyAction;
@@ -62,6 +64,14 @@ protected boolean resetNodeAfterTest() {
 return true;
 }
 
+ @Override
+ protected Settings nodeSettings() {
+ return Settings.builder()
+ // TODO Fix the test so that it runs with security enabled
+ .put(XPackSettings.SECURITY_ENABLED.getKey(), false)
+ .build();
+ }
+
 public void testIngestDataWithMatchProcessor() {
 int numDocs = 32;
 int maxMatches = randomIntBetween(2, 8);
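Review bot: The new `nodeSettings()` override in BasicEnrichTests discards whatever `super.nodeSettings()` returns, whereas the ESIntegTestCase overrides added to EnrichMultiNodeIT and EnrichRestartIT later in this series chain the parent settings; EnrichPolicyUpdateTests gets the same shape in the next hunk. If `ESSingleNodeTestCase.nodeSettings()` contributes nothing today this is harmless, but it silently drops any default the base class adds later, so prefer `return Settings.builder().put(super.nodeSettings())` followed by the existing `.put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();`. The TODO sitting inside the builder chain would read better above the `@Override`, where it also records why the test turns off a security default.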
diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java index 87f4dc5198ac6..5cde4c8f3b461 100644 --- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java +++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java @@ -17,6 +17,7 @@ import org.elasticsearch.ingest.common.IngestCommonPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESSingleNodeTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.enrich.EnrichPolicy; import org.elasticsearch.xpack.core.enrich.action.ExecuteEnrichPolicyAction; import org.elasticsearch.xpack.core.enrich.action.PutEnrichPolicyAction; @@ -36,6 +37,14 @@ protected Collection> getPlugins() { return List.of(LocalStateEnrich.class, ReindexPlugin.class, IngestCommonPlugin.class); } + @Override + protected Settings nodeSettings() { + return Settings.builder() + // TODO Fix the test so that it runs with security enabled + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) + .build(); + } + public void testUpdatePolicyOnly() { IngestService ingestService = getInstanceFromNode(IngestService.class); createIndex("index", Settings.EMPTY, "_doc", "key1", "type=keyword", "field1", "type=keyword"); diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java index 21fef30f6b11a..19be3373f926e 100644 --- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java +++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java 
@@ -25,6 +25,7 @@ import org.elasticsearch.ingest.common.IngestCommonPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESSingleNodeTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.enrich.EnrichPolicy; import org.elasticsearch.xpack.core.enrich.action.ExecuteEnrichPolicyAction; import org.elasticsearch.xpack.core.enrich.action.PutEnrichPolicyAction; @@ -51,6 +52,8 @@ protected Settings nodeSettings() { .put(EnrichPlugin.COORDINATOR_PROXY_MAX_CONCURRENT_REQUESTS.getKey(), 1) .put(EnrichPlugin.COORDINATOR_PROXY_MAX_LOOKUPS_PER_REQUEST.getKey(), 1) .put(EnrichPlugin.COORDINATOR_PROXY_QUEUE_CAPACITY.getKey(), 10) + // TODO Fix the test so that it runs with security enabled + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } From e4eecb6fd650ac8fcb9adddd1e2dbf441e6300b1 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 28 Apr 2021 22:15:12 +0300 Subject: [PATCH 06/46] Remove acknowledgments when switching to basic --- .../java/org/elasticsearch/license/XPackLicenseState.java | 5 +---- .../org/elasticsearch/license/XPackLicenseStateTests.java | 4 ++-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java index 3d2fb8e862ce3..46b978d5fd8ca 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java 
@@ -190,15 +190,12 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod
 case BASIC:
 switch (currentMode) {
 case STANDARD:
- return new String[] {
- "Security will default to disabled (set " + XPackSettings.SECURITY_ENABLED.getKey() + " to enable security).",
- };
+ return Strings.EMPTY_ARRAY;
 case TRIAL:
 case GOLD:
 case PLATINUM:
 case ENTERPRISE:
 return new String[] {
- "Security will default to disabled (set " + XPackSettings.SECURITY_ENABLED.getKey() + " to enable security).",
 "Authentication will be limited to the native and file realms.",
 "Security tokens and API keys will not be supported.",
 "IP filtering and auditing will be disabled.",
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
index 3df5c63ab696a..207592213c5ee 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -96,11 +96,11 @@ public void testSecurityAckAnyToTrialOrPlatinum() {
 }
 
 public void testSecurityAckTrialGoldOrPlatinumToBasic() {
- assertAckMessages(XPackField.SECURITY, randomTrialGoldOrPlatinumMode(), BASIC, 7);
+ assertAckMessages(XPackField.SECURITY, randomTrialGoldOrPlatinumMode(), BASIC, 6);
 }
 
 public void testSecurityAckStandardToBasic() {
- assertAckMessages(XPackField.SECURITY, STANDARD, BASIC, 1);
+ assertAckMessages(XPackField.SECURITY, STANDARD, BASIC, 0);
 }
 
 public void testSecurityAckAnyToStandard() {
From 2de689e7f0ef29e44704eff84ff14b8ec80a4f41 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 28 Apr 2021 22:53:38 +0300 Subject: [PATCH 07/46] fix enrich tests --- .../elasticsearch/xpack/enrich/EnrichMultiNodeIT.java | 8 ++++++++ .../org/elasticsearch/xpack/enrich/EnrichRestartIT.java | 9 +++++++++ 2 files changed, 17 insertions(+)
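Review bot: `return Strings.EMPTY_ARRAY;` replaces the STANDARD-to-BASIC message array, but the hunk shows no import for `Strings`, and with the `XPackSettings.SECURITY_ENABLED` reference removed from both branches the `XPackSettings` import may now be unused unless the rest of the file still needs it — both worth confirming since only this method body is visible. A one-line comment would also spare the next reader from wondering why one branch acknowledges nothing at all, if the rationale is the one the removed message implies: `// security no longer defaults to disabled, so a STANDARD -> BASIC downgrade loses nothing that needs acknowledging`. securityAcknowledgementMessages starts and ends outside the hunk.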
diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java index e8fda24229a39..173bae9e90e00 100644 --- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java @@ -29,6 +29,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.tasks.TaskInfo; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.enrich.EnrichPolicy; import org.elasticsearch.xpack.core.enrich.action.DeleteEnrichPolicyAction; import org.elasticsearch.xpack.core.enrich.action.EnrichStatsAction; @@ -64,6 +65,13 @@ protected Collection> nodePlugins() { return List.of(LocalStateEnrich.class, ReindexPlugin.class, IngestCommonPlugin.class); } + @Override + protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { + return Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings)) + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + .build(); + } + public void testEnrichAPIs() { final int numPolicies = randomIntBetween(2, 4); internalCluster().startNodes(randomIntBetween(2, 3)); diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java index 1c7ac94ca6ec2..436032810b27d 100644 --- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java 
@@ -6,9 +6,11 @@ */ package org.elasticsearch.xpack.enrich; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.reindex.ReindexPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.enrich.EnrichPolicy; import org.elasticsearch.xpack.core.enrich.action.GetEnrichPolicyAction; import org.elasticsearch.xpack.core.enrich.action.PutEnrichPolicyAction; @@ -33,6 +35,13 @@ protected Collection> nodePlugins() { return List.of(LocalStateEnrich.class, ReindexPlugin.class); } + @Override + protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { + return Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings)) + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + .build(); + } + public void testRestart() throws Exception { final int numPolicies = randomIntBetween(2, 4); internalCluster().startNode(); From c6549d46b533d8a3884e0de7296fcf5d90dafcbc Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 28 Apr 2021 23:40:46 +0300 Subject: [PATCH 08/46] fix some packaging tests --- .../org/elasticsearch/packaging/test/CertGenCliTests.java | 1 + .../java/org/elasticsearch/packaging/test/DockerTests.java | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java index c83c492106467..0938387153fff 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java 
@@ -85,6 +85,7 @@ public void test31ExtractCerts() throws Exception {
 FileUtils.cp(certsDir, installation.config("certs"));
 }
 
+ @AwaitsFix(bugUrl = "Fix Packaging tests")
 public void test40RunWithCert() throws Exception {
 // windows 2012 r2 has powershell 4.0, which lacks Expand-Archive
 assumeFalse(Platforms.OS_NAME.equals("Windows Server 2012 R2"));
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java
index 9a2cef62749ac..5cde8dab27856 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java
@@ -107,6 +107,10 @@ public void test010Install() {
 * Check that the /_xpack API endpoint's presence is correct for the type of distribution being tested.
 */
 public void test011PresenceOfXpack() throws Exception {
+ withCustomConfig(tempConf -> {
+ // Create a startup problem by adding an invalid YAML line to the config
+ append(tempConf.resolve("elasticsearch.yml"), "xpack.security.enabled: false\n");
+ });
 waitForElasticsearch(installation);
 final int statusCode = Request.Get("http://localhost:9200/_xpack").execute().returnResponse().getStatusLine().getStatusCode();
 assertThat(statusCode, equalTo(200));
From 4c94272e87efe35ab27a61ac0a3727f562b79c5e Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 28 Apr 2021 23:41:44 +0300 Subject: [PATCH 09/46] spotless --- .../java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java | 3 ++- .../java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java
index 173bae9e90e00..bc79a72e617ed 100644
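Review bot: `@AwaitsFix(bugUrl = "Fix Packaging tests")` puts free text where a tracking link belongs, so the muted test cannot be found by searching for the issue and will not be revisited when that issue closes. Point it at the issue tracking the packaging-test migration, `@AwaitsFix(bugUrl = "<TRACKING-ISSUE-URL>")` (placeholder), or at least state in the string which behaviour broke — presumably the archive now starting with security on, which I cannot confirm from the hunk. test40RunWithCert's body continues outside the hunk.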
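Review bot: The comment `// Create a startup problem by adding an invalid YAML line to the config` does not describe the line under it: `xpack.security.enabled: false` is valid YAML and is there so the unauthenticated `/_xpack` request that follows succeeds, so the comment reads like a pasted-over negative-test remark. Replace it with `// Disable security so the unauthenticated /_xpack request below succeeds (TODO: run with security enabled)`. PATCH 10 later in this series removes this block in favour of authenticated requests, so the wording only matters if the series is not squashed.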
--- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java @@ -67,7 +67,8 @@ protected Collection> nodePlugins() { @Override protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings)) + return Settings.builder() + .put(super.nodeSettings(nodeOrdinal, otherSettings)) .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled .build(); } diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java index 436032810b27d..5a63ad8a08dc0 100644 --- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java @@ -37,7 +37,8 @@ protected Collection> nodePlugins() { @Override protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { - return Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings)) + return Settings.builder() + .put(super.nodeSettings(nodeOrdinal, otherSettings)) .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled .build(); } From 3bdf2727356eb7c533c3b011027ca8cb15b8c1d3 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 4 May 2021 13:27:14 +0300 Subject: [PATCH 10/46] Fix archive and docker tests --- .../packaging/test/ConfigurationTests.java | 3 +- .../packaging/test/DockerTests.java | 21 +++++---- .../packaging/util/Archives.java | 2 + .../elasticsearch/packaging/util/Docker.java | 15 +++++++ .../packaging/util/ServerUtils.java | 45 ++++++++++++++++++- 5 files changed, 74 insertions(+), 12 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java index 185e5807ff5c1..076a43d5950a6 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java @@ -33,7 +33,8 @@ public void test60HostnameSubstitution() throws Exception { String hostnameKey = Platforms.WINDOWS ? "COMPUTERNAME" : "HOSTNAME"; sh.getEnv().put(hostnameKey, "mytesthost"); withCustomConfig(confPath -> { - FileUtils.append(confPath.resolve("elasticsearch.yml"), "node.name: ${HOSTNAME}"); + // TODO Run this test with security enabled which is the default behavior + FileUtils.append(confPath.resolve("elasticsearch.yml"), "node.name: ${HOSTNAME}\nxpack.security.enabled: false"); if (distribution.isPackage()) { append(installation.envFile, "HOSTNAME=mytesthost"); } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index 5cde8dab27856..11648f3828ce9 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java @@ -78,6 +78,8 @@ */ public class DockerTests extends PackagingTestCase { private Path tempDir; + private static final String USERNAME = "elastic"; + private static final String PASSWORD = "nothunter2"; @BeforeClass public static void filterDistros() { 
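Review bot: `USERNAME` and `PASSWORD` are added to DockerTests without saying what they are for; their role only becomes clear in the next hunk, where `PASSWORD` is handed to the container as `ELASTIC_PASSWORD` and the pair is used for every authenticated request. Add `// Bootstrap credentials for the built-in elastic user of the test container; PASSWORD is injected via ELASTIC_PASSWORD in setupTest()` above them, so the literal is not mistaken for a leaked secret or for an account that exists outside this test. The class body continues outside the hunk.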
@@ -86,7 +88,12 @@ public static void filterDistros() { @Before public void setupTest() throws IOException { - installation = runContainer(distribution(), builder().envVars(Map.of("ingest.geoip.downloader.enabled", "false"))); + installation = runContainer( + distribution(), + builder().envVars( + Map.of("ingest.geoip.downloader.enabled", "false", "xpack.security.enabled", "true", "ELASTIC_PASSWORD", PASSWORD) + ) + ); tempDir = createTempDir(DockerTests.class.getSimpleName()); } @@ -107,12 +114,8 @@ public void test010Install() { * Check that the /_xpack API endpoint's presence is correct for the type of distribution being tested. */ public void test011PresenceOfXpack() throws Exception { - withCustomConfig(tempConf -> { - // Create a startup problem by adding an invalid YAML line to the config - append(tempConf.resolve("elasticsearch.yml"), "xpack.security.enabled: false\n"); - }); waitForElasticsearch(installation); - final int statusCode = Request.Get("http://localhost:9200/_xpack").execute().returnResponse().getStatusLine().getStatusCode(); + final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200/_xpack"), USERNAME, PASSWORD, null); assertThat(statusCode, equalTo(200)); } @@ -163,7 +166,7 @@ public void test050BasicApiTests() throws Exception { assertTrue(existsInContainer(installation.logs.resolve("gc.log"))); - ServerUtils.runElasticsearchTests(); + ServerUtils.runElasticsearchTests(USERNAME, PASSWORD); } /** @@ -191,7 +194,7 @@ public void test070BindMountCustomPathConfAndJvmOptions() throws Exception { waitForElasticsearch(installation); - final JsonNode nodes = getJson("/_nodes").get("nodes"); + final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD).get("nodes"); final String nodeId = nodes.fieldNames().next(); final int heapSize = nodes.at("/" + nodeId + "/jvm/mem/heap_init_in_bytes").intValue(); 
@@ -219,7 +222,7 @@ public void test071BindMountCustomPathWithDifferentUID() throws Exception { waitForElasticsearch(installation); - final JsonNode nodes = getJson("/_nodes"); + final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD); assertThat(nodes.at("/_nodes/total").intValue(), equalTo(1)); assertThat(nodes.at("/_nodes/successful").intValue(), equalTo(1)); diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java index 516bdbaacfab1..4ef8b4e9fe7d0 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java @@ -107,6 +107,8 @@ public static Installation installArchive(Shell sh, Distribution distribution, P Installation installation = Installation.ofArchive(sh, distribution, fullInstallPath); ServerUtils.disableGeoIpDownloader(installation); + // TODO: Adjust all tests so that they can run with security on, which is the default behavior + ServerUtils.disableSecurityFeatures(installation); return installation; } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java index efa66c8e577c6..edadcdbb0c2ca 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java 
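Review bot: `ServerUtils.disableSecurityFeatures(installation)` is now applied to every archive install, but nothing here says which settings it writes, and that matters because `waitForElasticsearch` in the next file of this patch decides how to wait by scanning elasticsearch.yml for `SECURITY_ENABLED`/`SSL_ENABLED` substrings. If the helper appends `xpack.security.enabled: false` — its body is outside this chunk, so confirm — expand the TODO to `// TODO: run with security on (the default); until then disableSecurityFeatures() writes xpack.security.enabled: false to elasticsearch.yml`. installArchive starts outside the hunk.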
@@ -567,6 +567,21 @@ public static JsonNode getJson(String path) throws Exception {
 return mapper.readTree(pluginsResponse);
 }
 
+ public static JsonNode getJson(String path, String user, String password) throws Exception {
+ path = Objects.requireNonNull(path).trim();
+ if (path.isEmpty()) {
+ throw new IllegalArgumentException("path must be supplied");
+ }
+ if (path.startsWith("/") == false) {
+ throw new IllegalArgumentException("path must start with /");
+ }
+ final String pluginsResponse = makeRequest(Request.Get("http://localhost:9200" + path), user, password, null);
+
+ ObjectMapper mapper = new ObjectMapper();
+
+ return mapper.readTree(pluginsResponse);
+ }
+
 /**
 * Fetches all the labels for a Docker image
 * @param distribution required to derive the image name
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java
index 59148993ba267..ec3b90b265424 100644
--- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java
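Review bot: The new `getJson(String, String, String)` duplicates the path validation and JSON parsing of the existing `getJson(String)` instead of replacing it, so the two copies can drift. Since `makeRequest(request, null, null, null)` is already the unauthenticated path in ServerUtils, reduce the old overload to `return getJson(path, null, null);` and keep the checks in one place. The local `pluginsResponse` came along with the copied body and is misleading for a generic GET; `body` or `response` would do. The class continues outside the hunk.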
@@ -64,14 +64,17 @@ public class ServerUtils { private static final long requestInterval = TimeUnit.SECONDS.toMillis(5); public static void waitForElasticsearch(Installation installation) throws Exception { - boolean xpackEnabled = false; + boolean xpackEnabled; - // TODO: need a way to check if docker has security enabled, the yml config is not bind mounted so can't look from here if (installation.distribution.isDocker() == false) { Path configFilePath = installation.config("elasticsearch.yml"); // this is fragile, but currently doesn't deviate from a single line enablement and not worth the parsing effort String configFile = Files.readString(configFilePath, StandardCharsets.UTF_8); xpackEnabled = configFile.contains(SECURITY_ENABLED) || configFile.contains(SSL_ENABLED); + } else { + // TODO: need a way to check if docker has security enabled, the yml config is not bind mounted so can't look from here + // we currently enable security in all tests + xpackEnabled = true; } if (xpackEnabled) { 
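Review bot: The new comment in the Docker branch says "we currently enable security in all tests", but in the same patch `Archives.installArchive` calls `ServerUtils.disableSecurityFeatures`, so the statement only holds for Docker-based tests and will mislead the next reader. A more accurate wording is `// Docker tests cannot read elasticsearch.yml here, so we assume security is enabled, which every Docker test in this suite currently does by passing ELASTIC_PASSWORD`. `waitForElasticsearch` continues past the end of this hunk, so the `if (xpackEnabled)` branch it feeds is not visible.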
@@ -239,6 +242,29 @@ public static void runElasticsearchTests() throws Exception { makeRequest(Request.Delete("http://localhost:9200/library")); } + public static void runElasticsearchTests(String username, String password) throws Exception { + makeRequest( + Request.Post("http://localhost:9200/library/_doc/1?refresh=true&pretty") + .bodyString("{ \"title\": \"Book #1\", \"pages\": 123 }", ContentType.APPLICATION_JSON), + username, + password, + null + ); + + makeRequest( + Request.Post("http://localhost:9200/library/_doc/2?refresh=true&pretty") + .bodyString("{ \"title\": \"Book #2\", \"pages\": 456 }", ContentType.APPLICATION_JSON), + username, + password, + null + ); + + String count = makeRequest(Request.Get("http://localhost:9200/_count?pretty"), username, password, null); + assertThat(count, containsString("\"count\" : 2")); + + makeRequest(Request.Delete("http://localhost:9200/library"), username, password, null); + } + public static String makeRequest(Request request) throws Exception { return makeRequest(request, null, null, null); } @@ -254,6 +280,11 @@ public static String makeRequest(Request request, String username, String passwo return body; } + public static int makeRequestAndGetStatus(Request request, String username, String password, Path caCert) throws Exception { + final HttpResponse response = execute(request, username, password, caCert); + return response.getStatusLine().getStatusCode(); + } + public static void disableGeoIpDownloader(Installation installation) throws IOException { List yaml = Collections.singletonList("ingest.geoip.downloader.enabled: false"); Path yml = installation.config("elasticsearch.yml"); 
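Review bot: The new `runElasticsearchTests(String username, String password)` duplicates the body of the existing no-argument version rather than sharing it; since the visible `makeRequest(Request)` delegates to `makeRequest(request, null, null, null)`, the old method can delegate in the same way, `public static void runElasticsearchTests() throws Exception { runElasticsearchTests(null, null); }`, which keeps the two from diverging. The literal `"http://localhost:9200"` is now spelled out five times in this hunk alone and would be cleaner as a single constant in this class.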
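Review bot: `makeRequestAndGetStatus` reads only the status line and never consumes or closes the `HttpResponse` returned by `execute`, unlike the neighbouring `makeRequest` overload which reads the body. If `execute` hands back a pooled-connection response, this can hold the connection until garbage collection; consider `EntityUtils.consumeQuietly(response.getEntity())` before returning, or document that `execute` already releases it. `execute` itself is not visible in this hunk, so this is an assumption to confirm.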
@@ -272,4 +303,14 @@ public static void enableGeoIpDownloader(Installation installation) throws IOExc } Files.write(yml, lines, TRUNCATE_EXISTING); } + + public static void disableSecurityFeatures(Installation installation) throws IOException { + List yaml = Collections.singletonList("xpack.security.enabled: false"); + Path yml = installation.config("elasticsearch.yml"); + try (Stream lines = Files.readAllLines(yml).stream()) { + if (lines.noneMatch(s -> s.startsWith("xpack.security.enabled"))) { + Files.write(yml, yaml, CREATE, APPEND); + } + } + } } From 695332cfdad774290eada03cb533995cabc7a59d Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 4 May 2021 13:40:49 +0300 Subject: [PATCH 11/46] fix compilation error --- .../RestClearServiceAccountTokenStoreCacheActionTests.java | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java index 90b228d01683b..6d781a111277d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/service/RestClearServiceAccountTokenStoreCacheActionTests.java @@ -33,6 +33,7 @@ import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.instanceOf; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; public class RestClearServiceAccountTokenStoreCacheActionTests extends RestActionTestCase { From 676ab57711122e9d774cd46c5dc52f04783fc6b8 Mon Sep 17 00:00:00 2001 
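Review bot: `disableSecurityFeatures` appends `xpack.security.enabled: false` only when no line starting with `xpack.security.enabled` exists, so a config that already carries `xpack.security.enabled: true` is left untouched and security stays on despite the method's name; either replace such a line or document that the method is a no-op when the setting is already present. The try-with-resources around `Files.readAllLines(yml).stream()` is unnecessary because the stream is backed by an in-memory list, not an open file; `if (Files.readAllLines(yml).stream().noneMatch(s -> s.startsWith("xpack.security.enabled"))) {` says the same thing without implying a resource to close. A short Javadoc such as `/** Appends {@code xpack.security.enabled: false} unless the setting is already configured. */` would make the contract explicit.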
From: Ioannis Kakavas Date: Tue, 4 May 2021 14:12:01 +0300 Subject: [PATCH 12/46] remove redundant setting --- .../org/elasticsearch/packaging/test/ConfigurationTests.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java index 076a43d5950a6..395d873028379 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java @@ -33,8 +33,6 @@ public void test60HostnameSubstitution() throws Exception { String hostnameKey = Platforms.WINDOWS ? "COMPUTERNAME" : "HOSTNAME"; sh.getEnv().put(hostnameKey, "mytesthost"); withCustomConfig(confPath -> { - // TODO Run this test with security enabled which is the default behavior - FileUtils.append(confPath.resolve("elasticsearch.yml"), "node.name: ${HOSTNAME}\nxpack.security.enabled: false"); if (distribution.isPackage()) { append(installation.envFile, "HOSTNAME=mytesthost"); } From cde3cf1ee2143fd41fd6cb9d38966e641d9f354a Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 4 May 2021 14:18:18 +0300 Subject: [PATCH 13/46] unused import --- .../org/elasticsearch/packaging/test/ConfigurationTests.java | 1 - 1 file changed, 1 deletion(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java index 395d873028379..58355249722d5 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java @@ -9,7 +9,6 @@ package org.elasticsearch.packaging.test; import org.apache.http.client.fluent.Request; -import org.elasticsearch.packaging.util.FileUtils; import org.elasticsearch.packaging.util.Platforms; import org.junit.Before; 
From 332d85ad08d11615f900efa72e59e1c369be0b8a Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 00:13:11 +0300 Subject: [PATCH 14/46] adjust Docker tests --- .../packaging/test/DockerTests.java | 182 +++++++++++++++--- .../test/KeystoreManagementTests.java | 42 +++- .../packaging/test/PasswordToolsTests.java | 5 +- 3 files changed, 193 insertions(+), 36 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index 11648f3828ce9..6a49da0bb7daf 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java @@ -90,9 +90,7 @@ public static void filterDistros() { public void setupTest() throws IOException { installation = runContainer( distribution(), - builder().envVars( - Map.of("ingest.geoip.downloader.enabled", "false", "xpack.security.enabled", "true", "ELASTIC_PASSWORD", PASSWORD) - ) + builder().envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) ); tempDir = createTempDir(DockerTests.class.getSimpleName()); } @@ -114,7 +112,15 @@ public void test010Install() { * Check that the /_xpack API endpoint's presence is correct for the type of distribution being tested. */ public void test011PresenceOfXpack() throws Exception { - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200/_xpack"), USERNAME, PASSWORD, null); assertThat(statusCode, equalTo(200)); } 
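Review bot: The `try { waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); } catch (Exception e) { throw new AssertionError(...) }` block introduced in `test011PresenceOfXpack` is repeated verbatim in test042, test050, test070, test071, test072, test073, test120, test121, test122, test140 and test150 in this file, and again in `KeystoreManagementTests` test60 and test61. Extracting it into one private helper keeps the message and credentials in a single place and shrinks each test to a one-line call. The helper below is an instance method because it is not visible here whether `installation` is static; `waitForElasticsearch` and the constants are used exactly as in the hunk.
```java
    /**
     * Waits for the node to report green health using the test credentials, and turns any
     * failure into an assertion error that points at authentication as the likely cause.
     */
    private void waitForElasticsearchOrFail() {
        try {
            waitForElasticsearch("green", null, installation, USERNAME, PASSWORD);
        } catch (Exception e) {
            throw new AssertionError(
                "Failed to check whether Elasticsearch had started. This could be because "
                    + "authentication isn't working properly. Check the container logs",
                e
            );
        }
    }

    public void test011PresenceOfXpack() throws Exception {
        waitForElasticsearchOrFail();
        // … unchanged: status code check of /_xpack …
    }
```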
@@ -152,7 +158,15 @@ public void test041AmazonCaCertsAreInTheKeystore() { * Check that when the keystore is created on startup, it is created with the correct permissions. */ public void test042KeystorePermissionsAreCorrect() throws Exception { - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } assertPermissionsAndOwnership(installation.config("elasticsearch.keystore"), p660); } @@ -162,7 +176,15 @@ public void test042KeystorePermissionsAreCorrect() throws Exception { * is minimally functional. */ public void test050BasicApiTests() throws Exception { - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } assertTrue(existsInContainer(installation.logs.resolve("gc.log"))); 
@@ -190,9 +212,30 @@ public void test070BindMountCustomPathConfAndJvmOptions() throws Exception { // Restart the container final Map volumes = Map.of(tempDir, Path.of("/usr/share/elasticsearch/config")); - runContainer(distribution(), builder().volumes(volumes).envVars(Map.of("ES_JAVA_OPTS", "-XX:-UseCompressedOops"))); + runContainer( + distribution(), + builder().volumes(volumes) + .envVars( + Map.of( + "ES_JAVA_OPTS", + "-XX:-UseCompressedOops", + "ingest.geoip.downloader.enabled", + "false", + "ELASTIC_PASSWORD", + PASSWORD + ) + ) + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD).get("nodes"); final String nodeId = nodes.fieldNames().next(); @@ -218,9 +261,20 @@ public void test071BindMountCustomPathWithDifferentUID() throws Exception { // Restart the container final Map volumes = Map.of(tempEsDataDir.toAbsolutePath(), installation.data); - runContainer(distribution(), builder().volumes(volumes)); + runContainer( + distribution(), + builder().volumes(volumes).envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD); 
@@ -269,9 +323,22 @@ public void test072RunEsAsDifferentUserAndGroup() throws Exception { volumes.put(tempEsLogsDir.toAbsolutePath(), installation.logs); // Restart the container - runContainer(distribution(), builder().volumes(volumes).uid(501, 501)); + runContainer( + distribution(), + builder().volumes(volumes) + .envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + .uid(501, 501) + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } } /** @@ -280,9 +347,22 @@ public void test072RunEsAsDifferentUserAndGroup() throws Exception { */ public void test073RunEsAsDifferentUserAndGroupWithoutBindMounting() throws Exception { // Restart the container - runContainer(distribution(), builder().uid(501, 501).extraArgs("--group-add 0")); + runContainer( + distribution(), + builder().envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + .uid(501, 501) + .extraArgs("--group-add 0") + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } } /** 
@@ -474,10 +554,7 @@ public void test084SymlinkToFileWithInvalidPermissionsIsRejected() throws Except * `docker exec`, where the Docker image's entrypoint is not executed. */ public void test085EnvironmentVariablesAreRespectedUnderDockerExec() throws Exception { - installation = runContainer( - distribution(), - builder().envVars(Map.of("xpack.security.enabled", "true", "ELASTIC_PASSWORD", "hunter2")) - ); + installation = runContainer(distribution(), builder().envVars(Map.of("ELASTIC_PASSWORD", "hunter2"))); // The tool below requires a keystore, so ensure that ES is fully initialised before proceeding. waitForElasticsearch("green", null, installation, "elastic", "hunter2"); @@ -633,7 +710,15 @@ public void test110OrgOpencontainersLabels() throws Exception { * Check that the container logs contain the expected content for Elasticsearch itself. */ public void test120DockerLogsIncludeElasticsearchLogs() throws Exception { - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final Result containerLogs = getContainerLogs(); assertThat("Container logs should contain full class names", containerLogs.stdout, containsString("org.elasticsearch.node.Node")); 
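Review bot: The rewritten `runContainer` call in `test085EnvironmentVariablesAreRespectedUnderDockerExec` still uses the literals `"hunter2"` and `"elastic"` while every other container start in this commit passes the `USERNAME`/`PASSWORD` constants plus `ingest.geoip.downloader.enabled=false`. Unless the rest of test085, which continues outside this hunk, depends on that specific password value, `builder().envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD))` and `waitForElasticsearch("green", null, installation, USERNAME, PASSWORD)` would make it consistent with its siblings and avoid the geoip downloader running during the test.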
@@ -644,9 +729,20 @@ public void test120DockerLogsIncludeElasticsearchLogs() throws Exception { * Check that it is possible to write logs to disk */ public void test121CanUseStackLoggingConfig() throws Exception { - runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file"))); + runContainer( + distribution(), + builder().envVars(Map.of("ES_LOG_STYLE", "file", "ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final Result containerLogs = getContainerLogs(); final List stdout = containerLogs.stdout.lines().collect(Collectors.toList()); @@ -663,9 +759,20 @@ public void test121CanUseStackLoggingConfig() throws Exception { * Check that the default logging config can be explicitly selected. */ public void test122CanUseDockerLoggingConfig() throws Exception { - runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "console"))); + runContainer( + distribution(), + builder().envVars(Map.of("ES_LOG_STYLE", "console", "ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + ); - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } final Result containerLogs = getContainerLogs(); final List stdout = containerLogs.stdout.lines().collect(Collectors.toList()); 
@@ -716,9 +823,17 @@ public void test131InitProcessHasCorrectPID() { * Check that Elasticsearch reports per-node cgroup information. */ public void test140CgroupOsStatsAreAvailable() throws Exception { - waitForElasticsearch(installation); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } - final JsonNode nodes = getJson("/_nodes/stats/os").get("nodes"); + final JsonNode nodes = getJson("/_nodes/stats/os", USERNAME, PASSWORD).get("nodes"); final String nodeId = nodes.fieldNames().next(); @@ -747,8 +862,21 @@ public void test150MachineDependentHeap() throws Exception { Files.writeString(jvmOptionsPath, String.join("\n", jvmOptions)); // Now run the container, being explicit about the available memory - runContainer(distribution(), builder().memory("942m").volumes(Map.of(jvmOptionsPath, containerJvmOptionsPath))); - waitForElasticsearch(installation); + runContainer( + distribution(), + builder().memory("942m") + .volumes(Map.of(jvmOptionsPath, containerJvmOptionsPath)) + .envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) + ); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } // Grab the container output and find the line where it print the JVM arguments. This will // let us see what the automatic heap sizing calculated. diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java index e982c7609bd2c..36300000244e1 100644 
--- a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java @@ -56,6 +56,8 @@ public class KeystoreManagementTests extends PackagingTestCase { public static final String ERROR_CORRUPTED_KEYSTORE = "Keystore has been corrupted or tampered with"; public static final String ERROR_KEYSTORE_NOT_PASSWORD_PROTECTED = "ERROR: Keystore is not password-protected"; public static final String ERROR_KEYSTORE_NOT_FOUND = "ERROR: Elasticsearch keystore not found"; + private static final String USERNAME = "elastic"; + private static final String PASSWORD = "nothunter2"; /** Test initial archive state */ public void test10InstallArchiveDistribution() throws Exception { @@ -260,6 +262,7 @@ public void test51WrongKeystorePasswordFromFile() throws Exception { * Check that we can mount a password-protected keystore to a docker image * and provide a password via an environment variable. */ + @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") public void test60DockerEnvironmentVariablePassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; 
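Review bot: `USERNAME` and `PASSWORD` are now declared here as private constants while `DockerTests` presumably has its own copies with the same values, which is how the two classes will silently drift the next time one of them changes. Consider hoisting them into the shared test base or `ServerUtils` so that a single definition is used by both. A one-line comment such as `// credentials passed to the container via ELASTIC_PASSWORD; must match the value used in runContainer` would also explain the coupling between this constant and the env var map below.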
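Review bot: `@AwaitsFix(bugUrl = "Keystore fails to copy with resource busy")` puts a free-text description where a tracking-issue URL is expected, so nothing links these skipped tests (test60 here, test61 and test62 in the following hunks) back to an issue that can be closed. Filing an issue for the "resource busy" copy failure and using its URL as `bugUrl`, with the description kept in a comment above the annotation, would preserve the reason without losing traceability.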
@@ -269,16 +272,32 @@ public void test60DockerEnvironmentVariablePassword() throws Exception { // restart ES with password and mounted keystore Map volumes = Map.of(localKeystoreFile, dockerKeystore); - Map envVars = Map.of("KEYSTORE_PASSWORD", password, "ingest.geoip.downloader.enabled", "false"); + Map envVars = Map.of( + "KEYSTORE_PASSWORD", + password, + "ingest.geoip.downloader.enabled", + "false", + "ELASTIC_PASSWORD", + PASSWORD + ); runContainer(distribution(), builder().volumes(volumes).envVars(envVars)); - waitForElasticsearch(installation); - ServerUtils.runElasticsearchTests(); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } + ServerUtils.runElasticsearchTests(USERNAME, PASSWORD); } /** * Check that we can mount a password-protected keystore to a docker image * and provide a password via a file, pointed at from an environment variable. */ + @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { assumeTrue(distribution().isDocker()); 
@@ -301,13 +320,23 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { "KEYSTORE_PASSWORD_FILE", "/run/secrets/" + passwordFilename, "ingest.geoip.downloader.enabled", - "false" + "false", + "ELASTIC_PASSWORD", + PASSWORD ); runContainer(distribution(), builder().volumes(volumes).envVars(envVars)); - waitForElasticsearch(installation); - ServerUtils.runElasticsearchTests(); + try { + waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } + ServerUtils.runElasticsearchTests(USERNAME, PASSWORD); } finally { if (tempDir != null) { rm(tempDir); @@ -319,6 +348,7 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { * Check that if we provide the wrong password for a mounted and password-protected * keystore, Elasticsearch doesn't start. */ + @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") public void test62DockerEnvironmentVariableBadPassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java index c78af7882bbb5..5084503b788dd 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java @@ -17,7 +17,6 @@ import java.nio.file.Files; import java.nio.file.Path; -import java.nio.file.StandardOpenOption; import java.util.HashMap; import java.util.List; import java.util.Map; 
@@ -43,8 +42,8 @@ public void test010Install() throws Exception { install(); Files.write( installation.config("elasticsearch.yml"), - List.of("xpack.license.self_generated.type: trial", "xpack.security.enabled: true"), - StandardOpenOption.APPEND + // Replace the existing file as it would have security explicitly disabled + List.of("xpack.license.self_generated.type: trial", "xpack.security.enabled: true", "ingest.geoip.downloader.enabled: false") ); } From 643432427209e1627307b022a8f6a6c767b786de Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 00:18:27 +0300 Subject: [PATCH 15/46] Explicitly disable security for package tests --- .../test/java/org/elasticsearch/packaging/util/Packages.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java index 733d46378607b..b697190adba7d 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java @@ -94,6 +94,8 @@ public static Installation installPackage(Shell sh, Distribution distribution) t if (Version.fromString(distribution.baseVersion).onOrAfter(Version.V_7_13_0)) { ServerUtils.disableGeoIpDownloader(installation); } + // TODO Figure out how to run all packaging tests with security enabled which is now the default behavior + ServerUtils.disableSecurityFeatures(installation); return installation; } From 605be3ece3bdd5ace36b58a9ec7effd452fcfca7 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 09:09:48 +0300 Subject: [PATCH 16/46] Disable security in TransformInternalIndexIT --- .../elasticsearch/packaging/test/PasswordToolsTests.java | 2 +- .../transform/integration/TransformInternalIndexIT.java | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java index 5084503b788dd..18a0b7696e746 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java @@ -43,7 +43,7 @@ public void test010Install() throws Exception { Files.write( installation.config("elasticsearch.yml"), // Replace the existing file as it would have security explicitly disabled - List.of("xpack.license.self_generated.type: trial", "xpack.security.enabled: true", "ingest.geoip.downloader.enabled: false") + List.of("ingest.geoip.downloader.enabled: false") ); } diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java index daa0c039e8246..97752ccbbe7c2 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java 
@@ -14,10 +14,12 @@ import org.elasticsearch.action.index.IndexRequest; import org.elasticsearch.action.index.IndexResponse; import org.elasticsearch.action.support.WriteRequest; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.XContentFactory; import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.xpack.core.ClientHelper; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.transform.TransformField; import org.elasticsearch.xpack.core.transform.action.GetTransformAction; import org.elasticsearch.xpack.core.transform.action.UpdateTransformAction; @@ -36,6 +38,12 @@ public class TransformInternalIndexIT extends TransformSingleNodeTestCase { private static final String CURRENT_INDEX = TransformInternalIndexConstants.LATEST_INDEX_NAME; private static final String OLD_INDEX = TransformInternalIndexConstants.INDEX_PATTERN + "001"; + @Override + protected Settings nodeSettings() { + // TODO Change this to run with security enabled + return Settings.builder().put(super.nodeSettings()).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); + } + public void testUpdateDeletesOldTransformConfig() throws Exception { // The mapping does not need to actually be the "OLD" mapping, we are testing that the old doc gets deleted, and the new one From 825bf4e464da632bef9df12ee705e9a537390323 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 11:13:20 +0300 Subject: [PATCH 17/46] change how tests figure out if security is enabled --- .../java/org/elasticsearch/packaging/util/ServerUtils.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index ec3b90b265424..f3a011dabfe0e 100644 
--- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java @@ -55,7 +55,7 @@ public class ServerUtils { private static final Logger logger = LogManager.getLogger(ServerUtils.class); - private static String SECURITY_ENABLED = "xpack.security.enabled: true"; + private static String SECURITY_DISABLED = "xpack.security.enabled: false"; private static String SSL_ENABLED = "xpack.security.http.ssl.enabled: true"; // generous timeout as nested virtualization can be quite slow ... @@ -70,7 +70,7 @@ public static void waitForElasticsearch(Installation installation) throws Except Path configFilePath = installation.config("elasticsearch.yml"); // this is fragile, but currently doesn't deviate from a single line enablement and not worth the parsing effort String configFile = Files.readString(configFilePath, StandardCharsets.UTF_8); - xpackEnabled = configFile.contains(SECURITY_ENABLED) || configFile.contains(SSL_ENABLED); + xpackEnabled = configFile.contains(SECURITY_DISABLED) == false; } else { // TODO: need a way to check if docker has security enabled, the yml config is not bind mounted so can't look from here // we currently enable security in all tests From 1a5ed61444fffa382f06c88a8331a1e0a73b30d7 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 6 May 2021 23:00:23 +0300 Subject: [PATCH 18/46] Don't overwrite the whole file when enabling security --- .../elasticsearch/packaging/test/PasswordToolsTests.java | 7 ++----- .../org/elasticsearch/packaging/util/ServerUtils.java | 9 +++++++++ 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java index 18a0b7696e746..39a798ef2d5ac 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java 
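Review bot: After replacing the detection with `configFile.contains(SECURITY_DISABLED) == false`, the `SSL_ENABLED` constant no longer has a visible use and looks dead unless it is referenced elsewhere in the class, in which case this can be ignored. While touching these declarations, both are `private static String` without `final`; `private static final String SECURITY_DISABLED = "xpack.security.enabled: false";` is the conventional form for a constant. Note also that the substring match now treats a commented-out `# xpack.security.enabled: false` as disabled; the existing comment already calls the approach fragile, so a brief mention of that case would be enough. `waitForElasticsearch` continues beyond this hunk.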
+++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java @@ -40,11 +40,8 @@ public void filterDistros() { public void test010Install() throws Exception { install(); - Files.write( - installation.config("elasticsearch.yml"), - // Replace the existing file as it would have security explicitly disabled - List.of("ingest.geoip.downloader.enabled: false") - ); + // Enable security for this test only where it is necessary, until we can enable it for all + ServerUtils.enableSecurityFeatures(installation); } public void test20GeneratePasswords() throws Exception { diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index f3a011dabfe0e..9def32da90a45 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java @@ -313,4 +313,13 @@ public static void disableSecurityFeatures(Installation installation) throws IOE } } } + + public static void enableSecurityFeatures(Installation installation) throws IOException { + Path yml = installation.config("elasticsearch.yml"); + List lines; + try (Stream allLines = Files.readAllLines(yml).stream()) { + lines = allLines.filter(s -> s.startsWith("xpack.security.enabled") == false).collect(Collectors.toList()); + } + Files.write(yml, lines, TRUNCATE_EXISTING); + } } From 5083db7b562e40bfb2ac2413b390598989e3d577 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 6 May 2021 23:11:51 +0300 Subject: [PATCH 19/46] adjust new transport action --- .../action/TransportTermsEnumAction.java | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) 
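Review bot: `enableSecurityFeatures` works by deleting any `xpack.security.enabled` line and relying on the product default, which the earlier commits describe as enabled; that reliance deserves a Javadoc such as `/** Removes any explicit {@code xpack.security.enabled} setting so the node falls back to the default, which enables security. */` so a future reader does not expect a `true` to be written. As in `disableSecurityFeatures` above, the try-with-resources around a stream of `Files.readAllLines(yml)` closes nothing; `List<String> lines = Files.readAllLines(yml).stream().filter(s -> s.startsWith("xpack.security.enabled") == false).collect(Collectors.toList());` is simpler and equivalent. The asymmetry with `disableSecurityFeatures`, which leaves an existing `xpack.security.enabled: true` line in place, is also worth a sentence in that Javadoc.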
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java index d176a49b512bd..978d17331287c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java @@ -30,6 +30,7 @@ import org.elasticsearch.common.bytes.BytesReference; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.io.stream.StreamInput; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsThreadPoolExecutor; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.core.internal.io.IOUtils; @@ -57,6 +58,7 @@ import org.elasticsearch.transport.TransportRequestHandler; import org.elasticsearch.transport.TransportResponseHandler; import org.elasticsearch.transport.TransportService; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; 
@@ -89,6 +91,7 @@ public class TransportTermsEnumAction extends HandledTransportAction(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(shardId.getIndexName()); - + if (indexAccessControl != null) { final boolean dls = indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions(); if ( dls && licenseChecker.get()) { - // Check to see if any of the roles defined for the current user rewrite to match_all - + // Check to see if any of the roles defined for the current user rewrite to match_all + SecurityContext securityContext = new SecurityContext(clusterService.getSettings(), threadContext); final IndexService indexService = indicesService.indexServiceSafe(shardId.getIndex()); final SearchExecutionContext queryShardContext = indexService.newSearchExecutionContext( @@ -577,7 +582,7 @@ private void asyncNodeOperation(NodeTermsEnumRequest request, Task task, ActionL request.startTimerOnDataNode(); // DLS/FLS check copied from ResizeRequestInterceptor - check permissions and - // any index_filter canMatch checks on network thread before allocating work + // any index_filter canMatch checks on network thread before allocating work ThreadContext threadContext = transportService.getThreadPool().getThreadContext(); final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState(); for (ShardId shardId : request.shardIds().toArray(new ShardId[0])) { 
@@ -592,13 +597,13 @@ private void asyncNodeOperation(NodeTermsEnumRequest request, Task task, ActionL if (request.shardIds().size() == 0) { listener.onResponse(new NodeTermsEnumResponse(request.nodeId(), Collections.emptyList(), null, true)); } else { - // Use the search threadpool if its queue is empty + // Use the search threadpool if its queue is empty assert transportService.getThreadPool() .executor( ThreadPool.Names.SEARCH ) instanceof EsThreadPoolExecutor : "SEARCH threadpool must be an instance of ThreadPoolExecutor"; EsThreadPoolExecutor ex = (EsThreadPoolExecutor) transportService.getThreadPool().executor(ThreadPool.Names.SEARCH); - final String executorName = ex.getQueue().size() == 0 ? ThreadPool.Names.SEARCH : shardExecutor; + final String executorName = ex.getQueue().size() == 0 ? ThreadPool.Names.SEARCH : shardExecutor; transportService.getThreadPool() .executor(executorName) .execute(ActionRunnable.supply(listener, () -> dataNodeOperation(request, task))); From b8b661a664e5b4a667318945d2c90996685a0cf7 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 6 May 2021 23:19:49 +0300 Subject: [PATCH 20/46] unused import --- .../org/elasticsearch/packaging/test/PasswordToolsTests.java | 1 - 1 file changed, 1 deletion(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java index 39a798ef2d5ac..7fc742554b762 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/PasswordToolsTests.java @@ -18,7 +18,6 @@ import java.nio.file.Files; import java.nio.file.Path; import java.util.HashMap; -import java.util.List; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; From 749d472d95d8a22e62064c99a3a65535fc249ca7 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Fri, 7 May 2021 00:42:21 +0300 Subject: [PATCH 21/46] Fix CertGenCliTests --- .../packaging/test/CertGenCliTests.java | 26 +++- .../packaging/test/DockerTests.java | 120 ++---------------- .../test/KeystoreManagementTests.java | 26 +--- .../elasticsearch/packaging/util/Docker.java | 12 ++ 4 files changed, 53 insertions(+), 131 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java index 0938387153fff..569a7bc35ef84 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java @@ -20,6 +20,8 @@ import java.nio.file.Path; import java.util.ArrayList; import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import static com.carrotsearch.randomizedtesting.RandomizedTest.assumeFalse; import static java.nio.file.StandardOpenOption.APPEND; @@ -46,6 +48,8 @@ public static void cleanupFiles() { public void test10Install() throws Exception { install(); + // Enable security for this test only where it is necessary, until we can enable it for all + ServerUtils.enableSecurityFeatures(installation); } public void test20Help() { @@ -85,7 +89,6 @@ public void test31ExtractCerts() throws Exception { FileUtils.cp(certsDir, installation.config("certs")); } - @AwaitsFix(bugUrl = "Fix Packaging tests") public void test40RunWithCert() throws Exception { // windows 2012 r2 has powershell 4.0, which lacks Expand-Archive assumeFalse(Platforms.OS_NAME.equals("Windows Server 2012 R2")); 
@@ -109,7 +112,26 @@ public void test40RunWithCert() throws Exception { Files.write(installation.config("elasticsearch.yml"), yaml, CREATE, APPEND); assertWhileRunning( - () -> ServerUtils.makeRequest(Request.Get("https://127.0.0.1:9200"), null, null, installation.config("certs/ca/ca.crt")) + () -> { + final String password = setElasticPassword(); + assertNotNull(password); + ServerUtils.makeRequest( + Request.Get("https://127.0.0.1:9200"), "elastic", password, installation.config("certs/ca/ca.crt")); + } ); } + + private String setElasticPassword() { + final Pattern userpassRegex = Pattern.compile("PASSWORD (\\w+) = ([^\\s]+)"); + Shell.Result result = installation.executables().setupPasswordsTool.run("auto --batch", null); + Matcher matcher = userpassRegex.matcher(result.stdout); + assertNotNull(matcher); + while (matcher.find()) { + if (matcher.group(1).equals("elastic")) { + return matcher.group(2); + } + } + return null; + } + } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index 6a49da0bb7daf..ac2f292196247 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java 
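Review bot: `setElasticPassword` never checks the outcome of `setupPasswordsTool.run("auto --batch", null)`, so if the tool exits non-zero or prints in a different format the method returns null and the caller's `assertNotNull(password)` fails without any hint of the cause; `assertNotNull(matcher)` adds nothing because `Pattern.matcher` never returns null. Replace that no-op assertion with an exit-code check that surfaces the diagnostic channel, e.g. `assertThat(result.stderr, result.exitCode, equalTo(0));`, and give the trailing `return null;` an explicit failure such as `fail("no PASSWORD line for the elastic user in setup-passwords output");` — keep `result.stdout` out of the message, since it carries the generated passwords.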
@@ -112,15 +112,7 @@ public void test010Install() { * Check that the /_xpack API endpoint's presence is correct for the type of distribution being tested. */ public void test011PresenceOfXpack() throws Exception { - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200/_xpack"), USERNAME, PASSWORD, null); assertThat(statusCode, equalTo(200)); } @@ -158,15 +150,7 @@ public void test041AmazonCaCertsAreInTheKeystore() { * Check that when the keystore is created on startup, it is created with the correct permissions. */ public void test042KeystorePermissionsAreCorrect() throws Exception { - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); assertPermissionsAndOwnership(installation.config("elasticsearch.keystore"), p660); } 
@@ -176,15 +160,7 @@ public void test042KeystorePermissionsAreCorrect() throws Exception { * is minimally functional. */ public void test050BasicApiTests() throws Exception { - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); assertTrue(existsInContainer(installation.logs.resolve("gc.log"))); @@ -227,15 +203,7 @@ public void test070BindMountCustomPathConfAndJvmOptions() throws Exception { ) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD).get("nodes"); final String nodeId = nodes.fieldNames().next(); @@ -266,15 +234,7 @@ public void test071BindMountCustomPathWithDifferentUID() throws Exception { builder().volumes(volumes).envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final JsonNode nodes = getJson("/_nodes", USERNAME, PASSWORD); 
@@ -330,15 +290,7 @@ public void test072RunEsAsDifferentUserAndGroup() throws Exception { .uid(501, 501) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); } /** @@ -354,15 +306,7 @@ public void test073RunEsAsDifferentUserAndGroupWithoutBindMounting() throws Exce .extraArgs("--group-add 0") ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); } /** @@ -710,15 +654,7 @@ public void test110OrgOpencontainersLabels() throws Exception { * Check that the container logs contain the expected content for Elasticsearch itself. */ public void test120DockerLogsIncludeElasticsearchLogs() throws Exception { - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final Result containerLogs = getContainerLogs(); assertThat("Container logs should contain full class names", containerLogs.stdout, containsString("org.elasticsearch.node.Node")); 
@@ -734,15 +670,7 @@ public void test121CanUseStackLoggingConfig() throws Exception { builder().envVars(Map.of("ES_LOG_STYLE", "file", "ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final Result containerLogs = getContainerLogs(); final List stdout = containerLogs.stdout.lines().collect(Collectors.toList()); @@ -764,15 +692,7 @@ public void test122CanUseDockerLoggingConfig() throws Exception { builder().envVars(Map.of("ES_LOG_STYLE", "console", "ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final Result containerLogs = getContainerLogs(); final List stdout = containerLogs.stdout.lines().collect(Collectors.toList()); 
@@ -823,15 +743,7 @@ public void test131InitProcessHasCorrectPID() { * Check that Elasticsearch reports per-node cgroup information. */ public void test140CgroupOsStatsAreAvailable() throws Exception { - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); final JsonNode nodes = getJson("/_nodes/stats/os", USERNAME, PASSWORD).get("nodes"); @@ -868,15 +780,7 @@ public void test150MachineDependentHeap() throws Exception { .volumes(Map.of(jvmOptionsPath, containerJvmOptionsPath)) .envVars(Map.of("ingest.geoip.downloader.enabled", "false", "ELASTIC_PASSWORD", PASSWORD)) ); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); // Grab the container output and find the line where it print the JVM arguments. This will // let us see what the automatic heap sizing calculated. diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java index 36300000244e1..31eb9c5ad66b5 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java 
@@ -262,7 +262,7 @@ public void test51WrongKeystorePasswordFromFile() throws Exception { * Check that we can mount a password-protected keystore to a docker image * and provide a password via an environment variable. */ - @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") + @AwaitsFix(bugUrl = "Keystore fails to save with resource busy") public void test60DockerEnvironmentVariablePassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; @@ -281,15 +281,7 @@ public void test60DockerEnvironmentVariablePassword() throws Exception { PASSWORD ); runContainer(distribution(), builder().volumes(volumes).envVars(envVars)); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); ServerUtils.runElasticsearchTests(USERNAME, PASSWORD); } @@ -297,7 +289,7 @@ public void test60DockerEnvironmentVariablePassword() throws Exception { * Check that we can mount a password-protected keystore to a docker image * and provide a password via a file, pointed at from an environment variable. */ - @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") + @AwaitsFix(bugUrl = "Keystore fails to save with resource busy") public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { assumeTrue(distribution().isDocker()); 
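Review bot: The rewritten `@AwaitsFix(bugUrl = "Keystore fails to save with resource busy")` still puts a description where a tracking link belongs, so nothing connects these muted Docker keystore tests (this hunk, the `@@ -297` hunk on the same line and the `@@ -348` hunk on the next) to the issue whose fix should un-mute them. If a tracking issue exists, point `bugUrl` at it and keep the wording as a comment, e.g. `@AwaitsFix(bugUrl = "<tracking issue URL>") // keystore fails to save with resource busy`.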
@@ -327,15 +319,7 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { runContainer(distribution(), builder().volumes(volumes).envVars(envVars)); - try { - waitForElasticsearch("green", null, installation, USERNAME, PASSWORD); - } catch (Exception e) { - throw new AssertionError( - "Failed to check whether Elasticsearch had started. This could be because " - + "authentication isn't working properly. Check the container logs", - e - ); - } + waitForElasticsearch(installation, USERNAME, PASSWORD); ServerUtils.runElasticsearchTests(USERNAME, PASSWORD); } finally { if (tempDir != null) { @@ -348,7 +332,7 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { * Check that if we provide the wrong password for a mounted and password-protected * keystore, Elasticsearch doesn't start. */ - @AwaitsFix(bugUrl = "Keystore fails to copy with resource busy") + @AwaitsFix(bugUrl = "Keystore fails to save with resource busy") public void test62DockerEnvironmentVariableBadPassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java index edadcdbb0c2ca..d6cd87bd8575f 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java 
@@ -525,6 +525,18 @@ public static void waitForElasticsearch(String status, String index, Installatio withLogging(() -> ServerUtils.waitForElasticsearch(status, index, installation, username, password)); } + public static void waitForElasticsearch(Installation installation, String username, String password) { + try { + waitForElasticsearch("green", null, installation, username, password); + } catch (Exception e) { + throw new AssertionError( + "Failed to check whether Elasticsearch had started. This could be because " + + "authentication isn't working properly. Check the container logs", + e + ); + } + } + /** * Runs the provided closure, and captures logging information if an exception is thrown. * @param r the closure to run From 93d5b5d75f07b015e6041bd15dc94865d16973d1 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Fri, 7 May 2021 00:44:59 +0300 Subject: [PATCH 22/46] spotless --- .../packaging/test/CertGenCliTests.java | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java index 569a7bc35ef84..b8d4f19ba3ca5 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/CertGenCliTests.java 
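Review bot: The new `waitForElasticsearch(Installation, String, String)` overload has no Javadoc while the adjacent `withLogging` does, and its contract (waits for `"green"` with no index, converts any failure into an `AssertionError`) is only discoverable from the body. Suggested Javadoc: `Waits for the node to report a green cluster using the given credentials, and fails the test with an AssertionError pointing at the container logs if it does not come up.` If the five-argument overload can throw `InterruptedException`, the blanket `catch (Exception e)` also clears the interrupt status; restoring it with `if (e instanceof InterruptedException) Thread.currentThread().interrupt();` before the rethrow keeps the test JVM responsive to cancellation.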
@@ -111,14 +111,11 @@ public void test40RunWithCert() throws Exception { Files.write(installation.config("elasticsearch.yml"), yaml, CREATE, APPEND); - assertWhileRunning( - () -> { - final String password = setElasticPassword(); - assertNotNull(password); - ServerUtils.makeRequest( - Request.Get("https://127.0.0.1:9200"), "elastic", password, installation.config("certs/ca/ca.crt")); - } - ); + assertWhileRunning(() -> { + final String password = setElasticPassword(); + assertNotNull(password); + ServerUtils.makeRequest(Request.Get("https://127.0.0.1:9200"), "elastic", password, installation.config("certs/ca/ca.crt")); + }); } private String setElasticPassword() { From 43181a417dd496147dd9e7823db8da78944396f9 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Fri, 7 May 2021 09:12:17 +0300 Subject: [PATCH 23/46] revert unintended change --- .../org/elasticsearch/packaging/test/ConfigurationTests.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java index 58355249722d5..185e5807ff5c1 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/ConfigurationTests.java @@ -9,6 +9,7 @@ package org.elasticsearch.packaging.test; import org.apache.http.client.fluent.Request; +import org.elasticsearch.packaging.util.FileUtils; import org.elasticsearch.packaging.util.Platforms; import org.junit.Before; @@ -32,6 +33,7 @@ public void test60HostnameSubstitution() throws Exception { String hostnameKey = Platforms.WINDOWS ? "COMPUTERNAME" : "HOSTNAME"; sh.getEnv().put(hostnameKey, "mytesthost"); withCustomConfig(confPath -> { + FileUtils.append(confPath.resolve("elasticsearch.yml"), "node.name: ${HOSTNAME}"); if (distribution.isPackage()) { append(installation.envFile, "HOSTNAME=mytesthost"); } 
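Review bot: The restored line calls `FileUtils.append(...)` fully qualified while the call two lines below, `append(installation.envFile, "HOSTNAME=mytesthost")`, is unqualified; if that is the statically imported `FileUtils.append`, the new import in the `@@ -9` hunk is redundant and the two calls should read alike, `append(confPath.resolve("elasticsearch.yml"), "node.name: ${HOSTNAME}");`. The test also sets `COMPUTERNAME` on Windows but the restored setting references `${HOSTNAME}`; presumably the Windows start script maps one to the other, and a one-line comment saying so would spare the next reader the same question.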
From 12e087a7252fae72e4a3b59a6a6c9a826f04dbd4 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 9 Jun 2021 08:06:38 +0300 Subject: [PATCH 24/46] disable security in new ML tests --- .../integration/TransformNoRemoteClusterClientNodeIT.java | 6 +++++- .../transform/integration/TransformNoTransformNodeIT.java | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java index 0a803cbcb04b4..7ac8da4ac53e4 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java @@ -11,6 +11,7 @@ import org.elasticsearch.action.support.master.AcknowledgedResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.node.NodeRoleSettings; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.transform.action.PreviewTransformAction; import org.elasticsearch.xpack.core.transform.action.PutTransformAction; import org.elasticsearch.xpack.core.transform.action.UpdateTransformAction; 
@@ -28,7 +29,10 @@ public class TransformNoRemoteClusterClientNodeIT extends TransformSingleNodeTestCase { @Override protected Settings nodeSettings() { - return Settings.builder().put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest, transform").build(); + return Settings.builder() + .put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest, transform") + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + .build(); } public void testPreviewTransformWithRemoteIndex() { diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java index 933d35ff07c8e..47ff42c340076 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java @@ -11,6 +11,7 @@ import org.elasticsearch.action.support.master.AcknowledgedResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.node.NodeRoleSettings; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.transform.action.GetTransformAction; import org.elasticsearch.xpack.core.transform.action.GetTransformStatsAction; import org.elasticsearch.xpack.core.transform.action.PreviewTransformAction; 
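Review bot: The `// TODO Change this to run with security enabled` on the new `XPackSettings.SECURITY_ENABLED` line says what should change but not what prevents it, so a later reader cannot tell when the override may be dropped; the same comment appears in the `TransformNoTransformNodeIT` hunk on the next line. Name the blocker and, if there is one, the tracking issue, e.g. `// TODO Enable security here once <blocker> is resolved (tracking: <issue URL>)`. Since both single-node tests carry the identical override, hoisting it into `TransformSingleNodeTestCase.nodeSettings()` would also leave a single place to flip.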
@@ -30,7 +31,10 @@ public class TransformNoTransformNodeIT extends TransformSingleNodeTestCase { @Override protected Settings nodeSettings() { - return Settings.builder().put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest").build(); + return Settings.builder() + .put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest") + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + .build(); } public void testGetTransformStats() { From 479704d4df78a7d0c72274bc6f8a27dc7f2e6f46 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Fri, 9 Jul 2021 00:58:01 +0300 Subject: [PATCH 25/46] add back checkFeature tests for licenses --- .../license/XPackLicenseStateTests.java | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index 207592213c5ee..7fbfb42b0e136 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java 
@@ -86,6 +86,76 @@ public void testSecurityDefaults() { assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true)); } + public void testSecurityStandard() { + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); + licenseState.update(STANDARD, true, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); + } + + public void testSecurityStandardExpired() { + XPackLicenseState licenseState = new XPackLicenseState( () -> 0); + licenseState.update(STANDARD, false, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); + } + + public void testSecurityGold() { + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); + licenseState.update(GOLD, true, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); + } 
+ + public void testSecurityGoldExpired() { + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); + licenseState.update(GOLD, false, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); + } + + public void testSecurityPlatinum() { + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); + licenseState.update(PLATINUM, true, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); + } + + public void testSecurityPlatinumExpired() { + XPackLicenseState licenseState = new XPackLicenseState(() -> 0); + licenseState.update(PLATINUM, false, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), 
is(true)); + } + public void testSecurityAckBasicToNotGoldOrStandard() { OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD); assertAckMessages(XPackField.SECURITY, BASIC, toMode, 0); From 4ac7e402e647c4cd8ba58a6c2d868d80ab67dc27 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 13 Jul 2021 10:03:05 +0300 Subject: [PATCH 26/46] address feedback --- .../packaging/util/ServerUtils.java | 16 ++-- .../license/XPackLicenseStateTests.java | 13 +++ .../ml/MlUpgradeModeActionFilterTests.java | 2 +- .../xpack/security/Security.java | 16 ++-- .../action/filter/SecurityActionFilter.java | 58 ++++-------- .../authz/accesscontrol/OptOutQueryCache.java | 12 +-- .../BulkShardRequestInterceptor.java | 9 +- ...cumentLevelSecurityRequestInterceptor.java | 11 +-- .../IndicesAliasesRequestInterceptor.java | 90 +++++++++---------- .../interceptor/ResizeRequestInterceptor.java | 63 ++++++------- .../interceptor/SearchRequestInterceptor.java | 6 +- .../ShardSearchRequestInterceptor.java | 10 +-- .../interceptor/UpdateRequestInterceptor.java | 5 +- .../security/transport/filter/IPFilter.java | 6 +- .../filter/SecurityActionFilterTests.java | 21 +---- .../accesscontrol/OptOutQueryCacheTests.java | 22 +---- ...IndicesAliasesRequestInterceptorTests.java | 4 +- .../ResizeRequestInterceptorTests.java | 4 +- .../SearchRequestInterceptorTests.java | 5 +- .../ShardSearchRequestInterceptorTests.java | 5 +- 20 files changed, 138 insertions(+), 240 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index b8662ef959012..4b603aeb8c9b7 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java 
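Review bot: The six new test methods differ only in the mode, the `active` flag and the expected booleans, so the feature matrix they encode is spread over sixty near-identical lines and the Standard/StandardExpired and Gold/GoldExpired pairs do not visibly show that their expectations are the same. A small factory, `private static XPackLicenseState licenseStateFor(OperationMode mode, boolean active) { XPackLicenseState s = new XPackLicenseState(() -> 0); s.update(mode, active, Long.MAX_VALUE, null); return s; }`, would leave each test with only its assertions. `testSecurityStandardExpired` also has a stray space in `new XPackLicenseState( () -> 0)` that the other methods do not.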
@@ -65,20 +65,20 @@ public class ServerUtils { private static final long requestInterval = TimeUnit.SECONDS.toMillis(5); public static void waitForElasticsearch(Installation installation) throws Exception { - boolean xpackEnabled; + boolean securityEnabled; if (installation.distribution.isDocker() == false) { Path configFilePath = installation.config("elasticsearch.yml"); // this is fragile, but currently doesn't deviate from a single line enablement and not worth the parsing effort String configFile = Files.readString(configFilePath, StandardCharsets.UTF_8); - xpackEnabled = configFile.contains(SECURITY_DISABLED) == false; + securityEnabled = configFile.contains(SECURITY_DISABLED) == false; } else { // TODO: need a way to check if docker has security enabled, the yml config is not bind mounted so can't look from here // we currently enable security in all tests - xpackEnabled = true; + securityEnabled = true; } - if (xpackEnabled) { + if (securityEnabled) { // with security enabled, we may or may not have setup a user/pass, so we use a more generic port being available check. // this isn't as good as a health check, but long term all this waiting should go away when node startup does not // make the http port available until the system is really ready to serve requests 
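Review bot: `securityEnabled = configFile.contains(SECURITY_DISABLED) == false` is a substring test over the whole file, so a commented-out `# xpack.security.enabled: false` counts as disabled, while `enableSecurityFeatures` and `disableSecurityFeatures` in the same class decide per line with `startsWith("xpack.security.enabled")`; the two can disagree about the same elasticsearch.yml. The rename is a good moment to align them, e.g. `securityEnabled = Files.readAllLines(configFilePath).stream().noneMatch(l -> l.startsWith(SECURITY_DISABLED));`, assuming `SECURITY_DISABLED` is the full `key: value` line as the "single line enablement" comment suggests.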
@@ -306,11 +306,11 @@ public static void enableGeoIpDownloader(Installation installation) throws IOExc } public static void disableSecurityFeatures(Installation installation) throws IOException { - List yaml = Collections.singletonList("xpack.security.enabled: false"); - Path yml = installation.config("elasticsearch.yml"); - try (Stream lines = Files.readAllLines(yml).stream()) { + List configLines = Collections.singletonList("xpack.security.enabled: false"); + Path yamlFile = installation.config("elasticsearch.yml"); + try (Stream lines = Files.readAllLines(yamlFile).stream()) { if (lines.noneMatch(s -> s.startsWith("xpack.security.enabled"))) { - Files.write(yml, yaml, CREATE, APPEND); + Files.write(yamlFile, configLines, CREATE, APPEND); } } } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index 7fbfb42b0e136..2c11be1013ab4 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java 
@@ -108,6 +108,19 @@ public void testSecurityStandardExpired() { assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true)); } + public void testSecurityBasic() { + XPackLicenseState licenseState = new XPackLicenseState( () -> 0); + licenseState.update(BASIC, true, Long.MAX_VALUE, null); + + assertThat(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false)); + assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(false)); + } + + + public void testSecurityGold() { XPackLicenseState licenseState = new XPackLicenseState(() -> 0); licenseState.update(GOLD, true, Long.MAX_VALUE, null); diff --git a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java index c82af08b5bc0d..3b11c063f7ffb 100644 --- a/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java +++ b/x-pack/plugin/ml/src/test/java/org/elasticsearch/xpack/ml/MlUpgradeModeActionFilterTests.java 
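Review bot: The new testSecurityBasic opens with `new XPackLicenseState( () -> 0)`, while the neighbouring testSecurityGold writes `new XPackLicenseState(() -> 0)`; the stray space should go. The run of added empty lines between the closing brace of testSecurityBasic and testSecurityGold also appears to be more than the single blank line the surrounding tests use and would likely be flagged by the formatter. Substantively the test pins the five gated features to false under BASIC; if the class exposes a check for the base security functionality itself, asserting it stays allowed under BASIC would pin both sides of the boundary, but that is worth adding only if such a check exists.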
@@ -114,7 +114,7 @@ public void testApply_ActionDisallowedInUpgradeModeWithResetModeExemption() { public void testOrder_UpgradeFilterIsExecutedAfterSecurityFilter() { MlUpgradeModeActionFilter upgradeModeFilter = new MlUpgradeModeActionFilter(clusterService); - SecurityActionFilter securityFilter = new SecurityActionFilter(null, null, null, null, mock(ThreadPool.class), null, null, null); + SecurityActionFilter securityFilter = new SecurityActionFilter(null, null, null, null, mock(ThreadPool.class), null, null); ActionFilter[] actionFiltersInOrderOfExecution = new ActionFilters(Sets.newHashSet(upgradeModeFilter, securityFilter)).filters(); assertThat(actionFiltersInOrderOfExecution, is(arrayContaining(securityFilter, upgradeModeFilter))); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 42ec1633a56d3..87e363f101d02 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java 
@@ -564,14 +564,14 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste securityIndex.get().addStateListener(authcService.get()::onSecurityIndexStateChange); Set requestInterceptors = Sets.newHashSet( - new ResizeRequestInterceptor(threadPool, getLicenseState(), settings, auditTrailService), - new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), settings, auditTrailService)); + new ResizeRequestInterceptor(threadPool, getLicenseState(), auditTrailService), + new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), auditTrailService)); if (XPackSettings.DLS_FLS_ENABLED.get(settings)) { requestInterceptors.addAll(Arrays.asList( - new SearchRequestInterceptor(threadPool, getLicenseState(), clusterService, settings), - new ShardSearchRequestInterceptor(threadPool, getLicenseState(), clusterService, settings), - new UpdateRequestInterceptor(threadPool, getLicenseState(), settings), - new BulkShardRequestInterceptor(threadPool, getLicenseState(), settings) + new SearchRequestInterceptor(threadPool, getLicenseState(), clusterService), + new ShardSearchRequestInterceptor(threadPool, getLicenseState(), clusterService), + new UpdateRequestInterceptor(threadPool, getLicenseState()), + new BulkShardRequestInterceptor(threadPool, getLicenseState()) )); } requestInterceptors = Collections.unmodifiableSet(requestInterceptors); @@ -596,7 +596,7 @@ auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEn authzService, getLicenseState(), getSslService(), securityContext.get(), destructiveOperations, clusterService)); securityActionFilter.set(new SecurityActionFilter(authcService.get(), authzService, auditTrailService, getLicenseState(), - threadPool, securityContext.get(), settings, destructiveOperations)); + threadPool, securityContext.get(), destructiveOperations)); components.add(new SecurityUsageServices(realms, allRolesStore, nativeRoleMappingStore, ipFilter.get())); 
@@ -833,7 +833,7 @@ public void onIndexModule(IndexModule module) { module.forceQueryCacheProvider( (indexSettings, cache) -> { final OptOutQueryCache queryCache = - new OptOutQueryCache(indexSettings, cache, threadContext.get(), settings); + new OptOutQueryCache(indexSettings, cache, threadContext.get()); return queryCache; }); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java index 172878a53b0d9..2a3a7d68ca989 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java @@ -8,7 +8,6 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.elasticsearch.ElasticsearchException; import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.ActionRequest; 
@@ -22,18 +21,15 @@ import org.elasticsearch.action.support.ContextPreservingActionListener; import org.elasticsearch.action.support.DestructiveOperations; import org.elasticsearch.common.Strings; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.LicenseUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.XPackField; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege; -import org.elasticsearch.xpack.core.security.support.Automatons; import org.elasticsearch.xpack.core.security.user.SystemUser; import org.elasticsearch.xpack.security.action.SecurityActionMapper; import org.elasticsearch.xpack.security.audit.AuditTrailService; @@ -47,7 +43,6 @@ public class SecurityActionFilter implements ActionFilter { private static final Predicate LICENSE_EXPIRATION_ACTION_MATCHER = HealthAndStatsPrivilege.INSTANCE.predicate(); - private static final Predicate SECURITY_ACTION_MATCHER = Automatons.predicate("cluster:admin/xpack/security*"); private static final Logger logger = LogManager.getLogger(SecurityActionFilter.class); private final AuthenticationService authcService; 
@@ -58,18 +53,16 @@ public class SecurityActionFilter implements ActionFilter { private final ThreadContext threadContext; private final SecurityContext securityContext; private final DestructiveOperations destructiveOperations; - private final Settings settings; public SecurityActionFilter(AuthenticationService authcService, AuthorizationService authzService, AuditTrailService auditTrailService, XPackLicenseState licenseState, ThreadPool threadPool, - SecurityContext securityContext, Settings settings, DestructiveOperations destructiveOperations) { + SecurityContext securityContext, DestructiveOperations destructiveOperations) { this.authcService = authcService; this.authzService = authzService; this.auditTrailService = auditTrailService; this.licenseState = licenseState; this.threadContext = threadPool.getThreadContext(); this.securityContext = securityContext; - this.settings = settings; this.destructiveOperations = destructiveOperations; } 
@@ -92,38 +85,25 @@ public void app throw LicenseUtils.newComplianceException(XPackField.SECURITY); } - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - final ActionListener contextPreservingListener = - ContextPreservingActionListener.wrapPreservingContext(listener, threadContext); - final boolean useSystemUser = AuthorizationUtils.shouldReplaceUserWithSystem(threadContext, action); - try { - if (useSystemUser) { - securityContext.executeAsUser(SystemUser.INSTANCE, (original) -> { - applyInternal(task, chain, action, request, contextPreservingListener); - }, Version.CURRENT); - } else if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(threadContext)) { - AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(threadContext, securityContext, (original) -> { - applyInternal(task, chain, action, request, contextPreservingListener); - }); - } else { - try (ThreadContext.StoredContext ignore = threadContext.newStoredContext(true)) { - applyInternal(task, chain, action, request, contextPreservingListener); - } - } - } catch (Exception e) { - listener.onFailure(e); - } - } else if (SECURITY_ACTION_MATCHER.test(action)) { - if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { - listener.onFailure(new ElasticsearchException("Security must be enabled when using a [" + - licenseState.getOperationMode().description() + "] license. 
" + - "Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " + - "and restart the node.")); + final ActionListener contextPreservingListener = + ContextPreservingActionListener.wrapPreservingContext(listener, threadContext); + final boolean useSystemUser = AuthorizationUtils.shouldReplaceUserWithSystem(threadContext, action); + try { + if (useSystemUser) { + securityContext.executeAsUser(SystemUser.INSTANCE, (original) -> { + applyInternal(task, chain, action, request, contextPreservingListener); + }, Version.CURRENT); + } else if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(threadContext)) { + AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(threadContext, securityContext, (original) -> { + applyInternal(task, chain, action, request, contextPreservingListener); + }); } else { - listener.onFailure(LicenseUtils.newComplianceException(XPackField.SECURITY)); + try (ThreadContext.StoredContext ignore = threadContext.newStoredContext(true)) { + applyInternal(task, chain, action, request, contextPreservingListener); + } } - } else { - chain.proceed(task, action, request, listener); + } catch (Exception e) { + listener.onFailure(e); } } @@ -166,8 +146,6 @@ it to the action without an associated user (not via REST or transport - this is response); l.onResponse(response); })))); - } else if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { - listener.onResponse(null); } else { listener.onFailure(new IllegalStateException("no authentication present but auth is allowed")); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java index eeeaadc967d5b..27ff050bd97ba 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java 
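Review bot: With the `XPackSettings.SECURITY_ENABLED` branch gone, apply() now authenticates every request unconditionally, so correctness depends on the filter only being registered when security is enabled; that invariant is not visible in this hunk (the Security.java hunk above changes the constructor call but shows no such guard) and deserves a comment at the top of the method, e.g. `// Installed only when security is enabled; there is intentionally no runtime enabled-check here.` The removed SECURITY_ACTION_MATCHER branch also produced a specific error telling operators to set xpack.security.enabled when a security API was called with security off; if that path is now handled elsewhere, a comment or the commit message should say where, otherwise such callers get whatever the rest of the chain returns. The enclosing apply() starts before this hunk, and the same registration assumption applies to the second hunk in this file, where the `SECURITY_ENABLED == false` short-circuit in applyInternal was removed.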
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java @@ -10,13 +10,11 @@ import org.apache.lucene.search.QueryCachingPolicy; import org.apache.lucene.search.Weight; import org.elasticsearch.ElasticsearchException; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.AbstractIndexComponent; import org.elasticsearch.index.IndexSettings; import org.elasticsearch.index.cache.query.QueryCache; import org.elasticsearch.indices.IndicesQueryCache; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; @@ -32,18 +30,15 @@ public final class OptOutQueryCache extends AbstractIndexComponent implements Qu private final IndicesQueryCache indicesQueryCache; private final ThreadContext context; private final String indexName; - private final Settings settings; public OptOutQueryCache( final IndexSettings indexSettings, final IndicesQueryCache indicesQueryCache, - final ThreadContext context, - final Settings settings) { + final ThreadContext context) { super(indexSettings); this.indicesQueryCache = indicesQueryCache; this.context = Objects.requireNonNull(context, "threadContext must not be null"); this.indexName = indexSettings.getIndex().getName(); - this.settings = Objects.requireNonNull(settings, "settings must not be null"); } @Override 
@@ -60,11 +55,6 @@ public void clear(final String reason) { @Override public Weight doCache(Weight weight, QueryCachingPolicy policy) { - if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { - logger.debug("not opting out of the query cache; authorization is not allowed"); - return indicesQueryCache.doCache(weight, policy); - } - IndicesAccessControl indicesAccessControl = context.getTransient( AuthorizationServiceField.INDICES_PERMISSIONS_KEY); if (indicesAccessControl == null) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java index 5f21be6a0927f..6b1a3faaa1f39 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java @@ -14,13 +14,11 @@ import org.elasticsearch.action.bulk.BulkShardRequest; import org.elasticsearch.action.update.UpdateRequest; import org.elasticsearch.core.MemoizedSupplier; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; 
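Review bot: doCache now reads the `INDICES_PERMISSIONS_KEY` transient without first checking the settings, so behaviour when security is disabled is decided entirely by whether Security.onIndexModule installs this cache at all, and the `indicesAccessControl == null` branch that follows (outside this hunk) can no longer mean "security is off". A one-line comment above the `getTransient` call recording that assumption would help the next reader, e.g. `// This cache is only installed by the security plugin; a missing transient means no authorization ran for this request.` The removed debug log was the only trace of the old short-circuit, so nothing in the new code explains the changed contract.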
@@ -36,20 +34,17 @@ public class BulkShardRequestInterceptor implements RequestInterceptor { private final ThreadContext threadContext; private final XPackLicenseState licenseState; - private final Settings settings; - public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings) { + public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) { this.threadContext = threadPool.getThreadContext(); this.licenseState = licenseState; - this.settings = settings; } @Override public void intercept(RequestInfo requestInfo, AuthorizationEngine authzEngine, AuthorizationInfo authorizationInfo, ActionListener listener) { - boolean shouldIntercept = XPackSettings.SECURITY_ENABLED.get(settings); var licenseChecker = new MemoizedSupplier<>(() -> licenseState.checkFeature(Feature.SECURITY_DLS_FLS)); - if (requestInfo.getRequest() instanceof BulkShardRequest && shouldIntercept) { + if (requestInfo.getRequest() instanceof BulkShardRequest) { IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); BulkShardRequest bulkShardRequest = (BulkShardRequest) requestInfo.getRequest(); // this uses the {@code BulkShardRequest#index()} because the {@code bulkItemRequest#index()} diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java index 5cf669ff61cd0..418d4909f726e 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java 
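Review bot: `var licenseChecker = new MemoizedSupplier<>(...)` is built before the `instanceof BulkShardRequest` test, so a supplier is allocated for every intercepted request even though it is only consulted inside the branch; moving that line inside the `if` would match FieldAndDocumentLevelSecurityRequestInterceptor in this commit, which creates its licenseChecker only after `supports(indicesRequest)` passes. Dropping `shouldIntercept` leaves the `if` with a single condition, which reads more clearly, but the rest of intercept() is outside this hunk so the remaining uses of the memoized value cannot be checked here.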
@@ -11,12 +11,10 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.core.MemoizedSupplier; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.transport.TransportActionProxy; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -34,13 +32,11 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor implements Reques private final ThreadContext threadContext; private final XPackLicenseState licenseState; - private final Settings settings; private final Logger logger; - FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, Settings settings) { + FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState) { this.threadContext = threadContext; this.licenseState = licenseState; - this.settings = settings; this.logger = LogManager.getLogger(getClass()); } 
@@ -49,9 +45,8 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization ActionListener listener) { if (requestInfo.getRequest() instanceof IndicesRequest && false == TransportActionProxy.isProxyAction(requestInfo.getAction())) { IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequest(); - // TODO: should we check is DLS/FLS feature allowed here as part of shouldIntercept - boolean shouldIntercept = XPackSettings.SECURITY_ENABLED.get(settings); - if (supports(indicesRequest) && shouldIntercept) { + // TODO: should we check is DLS/FLS feature allowed here + if (supports(indicesRequest)) { var licenseChecker = new MemoizedSupplier<>(() -> licenseState.checkFeature(Feature.SECURITY_DLS_FLS)); final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java index 7f882ce2b8401..adc0096c2a8e0 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.java 
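Review bot: The reworded TODO is ungrammatical; `// TODO: should we check whether the DLS/FLS feature is licensed here, before intercepting?` says the same thing clearly. It is also worth noting in that comment that the memoized `licenseChecker` created on the next line defers the license lookup until a DLS/FLS permission is actually encountered, so the open question is about gating interception early, not about whether the check happens at all. intercept() continues past the end of this hunk.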
@@ -11,12 +11,10 @@ import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.core.MemoizedSupplier; import org.elasticsearch.core.Tuple; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -39,14 +37,12 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto private final ThreadContext threadContext; private final XPackLicenseState licenseState; - private final Settings settings; private final AuditTrailService auditTrailService; - public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, Settings settings, + public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState, AuditTrailService auditTrailService) { this.threadContext = threadContext; this.licenseState = licenseState; - this.settings = settings; this.auditTrailService = auditTrailService; } 
@@ -57,55 +53,51 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization final IndicesAliasesRequest request = (IndicesAliasesRequest) requestInfo.getRequest(); final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState(); final AuditTrail auditTrail = auditTrailService.get(); - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); - IndicesAccessControl indicesAccessControl = - threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); - for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) { - if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) { - for (String index : aliasAction.indices()) { - IndicesAccessControl.IndexAccessControl indexAccessControl = - indicesAccessControl.getIndexPermissions(index); - if (indexAccessControl != null) { - final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); - final boolean dls = indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions(); - if ((fls || dls) && licenseChecker.get()) { - listener.onFailure(new ElasticsearchSecurityException("Alias requests are not allowed for " + - "users who have field or document level security enabled on one of the indices", - RestStatus.BAD_REQUEST)); - return; - } + var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); + IndicesAccessControl indicesAccessControl = + threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); + for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) { + if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) { + for (String index : aliasAction.indices()) { + IndicesAccessControl.IndexAccessControl indexAccessControl = + 
indicesAccessControl.getIndexPermissions(index); + if (indexAccessControl != null) { + final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); + final boolean dls = indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions(); + if ((fls || dls) && licenseChecker.get()) { + listener.onFailure(new ElasticsearchSecurityException("Alias requests are not allowed for " + + "users who have field or document level security enabled on one of the indices", + RestStatus.BAD_REQUEST)); + return; } } } } - - Map> indexToAliasesMap = request.getAliasActions().stream() - .filter(aliasAction -> aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) - .flatMap(aliasActions -> - Arrays.stream(aliasActions.indices()) - .map(indexName -> new Tuple<>(indexName, Arrays.asList(aliasActions.aliases())))) - .collect(Collectors.toMap(Tuple::v1, Tuple::v2, (existing, toMerge) -> { - List list = new ArrayList<>(existing.size() + toMerge.size()); - list.addAll(existing); - list.addAll(toMerge); - return list; - })); - authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, indexToAliasesMap, - wrapPreservingContext(ActionListener.wrap(authzResult -> { - if (authzResult.isGranted()) { - // do not audit success again - listener.onResponse(null); - } else { - auditTrail.accessDenied(AuditUtil.extractRequestId(threadContext), requestInfo.getAuthentication(), - requestInfo.getAction(), request, authorizationInfo); - listener.onFailure(Exceptions.authorizationError("Adding an alias is not allowed when the alias " + - "has more permissions than any of the indices")); - } - }, listener::onFailure), threadContext)); - } else { - listener.onResponse(null); } + + Map> indexToAliasesMap = request.getAliasActions().stream() + .filter(aliasAction -> aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) + .flatMap(aliasActions -> + Arrays.stream(aliasActions.indices()) + .map(indexName -> new 
Tuple<>(indexName, Arrays.asList(aliasActions.aliases())))) + .collect(Collectors.toMap(Tuple::v1, Tuple::v2, (existing, toMerge) -> { + List list = new ArrayList<>(existing.size() + toMerge.size()); + list.addAll(existing); + list.addAll(toMerge); + return list; + })); + authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, indexToAliasesMap, + wrapPreservingContext(ActionListener.wrap(authzResult -> { + if (authzResult.isGranted()) { + // do not audit success again + listener.onResponse(null); + } else { + auditTrail.accessDenied(AuditUtil.extractRequestId(threadContext), requestInfo.getAuthentication(), + requestInfo.getAction(), request, authorizationInfo); + listener.onFailure(Exceptions.authorizationError("Adding an alias is not allowed when the alias " + + "has more permissions than any of the indices")); + } + }, listener::onFailure), threadContext)); } else { listener.onResponse(null); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java index 4f901f94235f9..9df287982bf6f 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.java 
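Review bot: `indicesAccessControl.getIndexPermissions(index)` dereferences the `INDICES_PERMISSIONS_KEY` transient without a null check, and with the `SECURITY_ENABLED` guard removed this now runs for every IndicesAliasesRequest; if the authorization path always sets the transient before interceptors run this is fine, but that contract is not visible here and a broken assumption would surface as a NullPointerException rather than an authorization error. An explicit null check with a clear message, or a short comment naming the guarantee, would make the dependency visible. The same pattern appears in the ResizeRequestInterceptor hunk below on `getIndexPermissions(request.getSourceIndex())`. intercept() starts before this hunk.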
@@ -10,13 +10,11 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.admin.indices.shrink.ResizeRequest; import org.elasticsearch.core.MemoizedSupplier; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo; @@ -35,14 +33,11 @@ public final class ResizeRequestInterceptor implements RequestInterceptor { private final ThreadContext threadContext; private final XPackLicenseState licenseState; - private final Settings settings; private final AuditTrailService auditTrailService; - public ResizeRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings, - AuditTrailService auditTrailService) { + public ResizeRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, AuditTrailService auditTrailService) { this.threadContext = threadPool.getThreadContext(); this.licenseState = licenseState; - this.settings = settings; this.auditTrailService = auditTrailService; } 
@@ -53,39 +48,35 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization final ResizeRequest request = (ResizeRequest) requestInfo.getRequest(); final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState(); final AuditTrail auditTrail = auditTrailService.get(); - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); - IndicesAccessControl indicesAccessControl = - threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); - IndicesAccessControl.IndexAccessControl indexAccessControl = - indicesAccessControl.getIndexPermissions(request.getSourceIndex()); - if (indexAccessControl != null) { - final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); - final boolean dls = indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions(); - if ((fls || dls) && licenseChecker.get()) { - listener.onFailure(new ElasticsearchSecurityException("Resize requests are not allowed for users when " + - "field or document level security is enabled on the source index", RestStatus.BAD_REQUEST)); - return; - } + var licenseChecker = new MemoizedSupplier<>(() -> frozenLicenseState.checkFeature(Feature.SECURITY_DLS_FLS)); + IndicesAccessControl indicesAccessControl = + threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); + IndicesAccessControl.IndexAccessControl indexAccessControl = + indicesAccessControl.getIndexPermissions(request.getSourceIndex()); + if (indexAccessControl != null) { + final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); + final boolean dls = indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions(); + if ((fls || dls) && licenseChecker.get()) { + listener.onFailure(new ElasticsearchSecurityException("Resize requests are not allowed for users when " + + "field or document level 
security is enabled on the source index", RestStatus.BAD_REQUEST)); + return; } + } - authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, - Collections.singletonMap(request.getSourceIndex(), Collections.singletonList(request.getTargetIndexRequest().index())), - wrapPreservingContext(ActionListener.wrap(authzResult -> { - if (authzResult.isGranted()) { - listener.onResponse(null); - } else { - if (authzResult.isAuditable()) { - auditTrail.accessDenied(extractRequestId(threadContext), requestInfo.getAuthentication(), - requestInfo.getAction(), request, authorizationInfo); - } - listener.onFailure(Exceptions.authorizationError("Resizing an index is not allowed when the target index " + - "has more permissions than the source index")); + authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, + Collections.singletonMap(request.getSourceIndex(), Collections.singletonList(request.getTargetIndexRequest().index())), + wrapPreservingContext(ActionListener.wrap(authzResult -> { + if (authzResult.isGranted()) { + listener.onResponse(null); + } else { + if (authzResult.isAuditable()) { + auditTrail.accessDenied(extractRequestId(threadContext), requestInfo.getAuthentication(), + requestInfo.getAction(), request, authorizationInfo); } - }, listener::onFailure), threadContext)); - } else { - listener.onResponse(null); - } + listener.onFailure(Exceptions.authorizationError("Resizing an index is not allowed when the target index " + + "has more permissions than the source index")); + } + }, listener::onFailure), threadContext)); } else { listener.onResponse(null); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java index f9933abcb987d..b84eace0c1d9d 100644 
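Review bot: The denied branch here audits only when `authzResult.isAuditable()`, whereas the IndicesAliasesRequestInterceptor hunk above calls `auditTrail.accessDenied` unconditionally on denial; after this commit the two interceptors have the same shape, so the difference stands out and is presumably unintended in one of them. Either the alias interceptor should gain the `isAuditable()` guard or a comment here should explain why a resize denial can be non-auditable. intercept() starts before this hunk.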
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptor.java @@ -11,7 +11,6 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.search.SearchRequest; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.RestStatus; @@ -29,9 +28,8 @@ public class SearchRequestInterceptor extends FieldAndDocumentLevelSecurityReque public static final Version VERSION_SHARD_SEARCH_INTERCEPTOR = Version.V_7_11_2; private final ClusterService clusterService; - public SearchRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, ClusterService clusterService, - Settings settings) { - super(threadPool.getThreadContext(), licenseState, settings); + public SearchRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, ClusterService clusterService) { + super(threadPool.getThreadContext(), licenseState); this.clusterService = clusterService; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptor.java index 98deaebc64e38..b6dc3a21181ac 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptor.java 
@@ -12,7 +12,6 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.cluster.service.ClusterService; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.search.internal.ShardSearchRequest; import org.elasticsearch.threadpool.ThreadPool; @@ -30,13 +29,8 @@ public class ShardSearchRequestInterceptor extends FieldAndDocumentLevelSecurity private final ClusterService clusterService; - public ShardSearchRequestInterceptor( - ThreadPool threadPool, - XPackLicenseState licenseState, - ClusterService clusterService, - Settings settings - ) { - super(threadPool.getThreadContext(), licenseState, settings); + public ShardSearchRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, ClusterService clusterService) { + super(threadPool.getThreadContext(), licenseState); this.clusterService = clusterService; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java index dcdb2a9551d98..f3b1a76328e35 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/UpdateRequestInterceptor.java @@ -10,7 +10,6 @@ import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.update.UpdateRequest; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.threadpool.ThreadPool; 
@@ -27,8 +26,8 @@ */ public class UpdateRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor { - public UpdateRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState, Settings settings) { - super(threadPool.getThreadContext(), licenseState, settings); + public UpdateRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) { + super(threadPool.getThreadContext(), licenseState); } @Override diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java index 5365741e6b4ae..64c06a1cfa642 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java @@ -20,7 +20,6 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.transport.TransportSettings; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.security.audit.AuditTrail; import org.elasticsearch.xpack.security.audit.AuditTrailService; @@ -148,7 +147,6 @@ public IpFilterRuleType ruleType() { private final AuditTrailService auditTrailService; private final XPackLicenseState licenseState; - private final Settings settings; private final boolean alwaysAllowBoundAddresses; private volatile Map rules = Collections.emptyMap(); 
@@ -169,7 +167,6 @@ public IPFilter(final Settings settings, AuditTrailService auditTrailService, Cl XPackLicenseState licenseState) { this.auditTrailService = auditTrailService; this.licenseState = licenseState; - this.settings = settings; this.alwaysAllowBoundAddresses = ALLOW_BOUND_ADDRESSES_SETTING.get(settings); httpDenyFilter = HTTP_FILTER_DENY_SETTING.get(settings); httpAllowFilter = HTTP_FILTER_ALLOW_SETTING.get(settings); @@ -248,8 +245,7 @@ private void setHttpFiltering(boolean enabled) { } public boolean accept(String profile, InetSocketAddress peerAddress) { - if (XPackSettings.SECURITY_ENABLED.get(settings) == false || - licenseState.checkFeature(Feature.SECURITY_IP_FILTERING) == false) { + if (licenseState.checkFeature(Feature.SECURITY_IP_FILTERING) == false) { return true; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java index 422c2125a4d75..7fdf76b51fcb2 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java @@ -30,7 +30,6 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportRequest; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; 
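Review bot: With the `XPackSettings.SECURITY_ENABLED` short-circuit removed from `accept`, every peer now goes through the license check and the rule evaluation whether or not security is enabled, so the method is only correct if an `IPFilter` is never constructed when security is disabled. That invariant appears to hold if the plugin stops creating components for `enabled == false` (as a later `Security.createComponents` hunk in this series suggests), but nothing in this class states it; a comment on `accept` would make it explicit, e.g. `// No security-enabled check here: IPFilter is only constructed when security is enabled; the license check alone decides whether filtering applies.` Note that a false result from `checkFeature` still fails open by returning true, which is pre-existing behaviour, and the constructor keeps its `Settings` parameter because the filter settings are still read from it.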
@@ -60,7 +59,6 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoMoreInteractions; -import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.when; public class SecurityActionFilterTests extends ESTestCase { @@ -71,7 +69,6 @@ public class SecurityActionFilterTests extends ESTestCase { private ActionFilterChain chain; private XPackLicenseState licenseState; private SecurityActionFilter filter; - private SecurityActionFilter filterWithSecurityDisabled; private ThreadContext threadContext; private boolean failDestructiveOperations; @@ -90,9 +87,6 @@ public void init() throws Exception { failDestructiveOperations = randomBoolean(); Settings settings = Settings.builder() .put(DestructiveOperations.REQUIRES_NAME_SETTING.getKey(), failDestructiveOperations).build(); - Settings disabledSecurity = Settings.builder() - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) - .put(DestructiveOperations.REQUIRES_NAME_SETTING.getKey(), failDestructiveOperations).build(); DestructiveOperations destructiveOperations = new DestructiveOperations(settings, new ClusterSettings(settings, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))); ClusterState state = mock(ClusterState.class); @@ -104,9 +98,7 @@ public void init() throws Exception { SecurityContext securityContext = new SecurityContext(settings, threadContext); filter = new SecurityActionFilter(authcService, authzService, auditTrailService, licenseState, threadPool, - securityContext, settings, destructiveOperations); - filterWithSecurityDisabled = new SecurityActionFilter(authcService, authzService, auditTrailService, licenseState, threadPool, - securityContext, disabledSecurity, destructiveOperations); + securityContext, destructiveOperations); } public void testApply() throws Exception { 
@@ -277,17 +269,6 @@ public void testActionProcessException() throws Exception { verifyNoMoreInteractions(chain); } - public void testApplyUnlicensed() throws Exception { - ActionRequest request = mock(ActionRequest.class); - ActionListener listener = mock(ActionListener.class); - ActionFilterChain chain = mock(ActionFilterChain.class); - Task task = mock(Task.class); - filterWithSecurityDisabled.apply(task, "_action", request, listener, chain); - verifyZeroInteractions(authcService); - verifyZeroInteractions(authzService); - verify(chain).proceed(eq(task), eq("_action"), eq(request), eq(listener)); - } - private void mockAuthentication(ActionRequest request, Authentication authentication, String requestId) { doAnswer(i -> { final Object[] args = i.getArguments(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java index f9c6f7786b3b4..ad0b7c0057725 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java @@ -24,7 +24,6 @@ import org.elasticsearch.index.IndexSettings; import org.elasticsearch.indices.IndicesQueryCache; import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; 
@@ -125,23 +124,6 @@ public void testOptOutQueryCacheSafetyCheck() throws IOException { assertFalse(OptOutQueryCache.cachingIsSafe(weight, permissions)); } - public void testOptOutQueryCacheAuthIsNotAllowed() { - final Settings.Builder settings = Settings.builder() - .put("index.version.created", Version.CURRENT) - .put("index.number_of_shards", 1) - .put("index.number_of_replicas", 0) - .put(XPackSettings.SECURITY_ENABLED.getKey(), false); - final IndexMetadata indexMetadata = IndexMetadata.builder("index").settings(settings).build(); - final IndexSettings indexSettings = new IndexSettings(indexMetadata, Settings.EMPTY); - final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class); - final ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, settings.build()); - final Weight weight = mock(Weight.class); - final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); - cache.doCache(weight, policy); - verify(indicesQueryCache).doCache(same(weight), same(policy)); - } - public void testOptOutQueryCacheNoIndicesPermissions() { final Settings.Builder settings = Settings.builder() .put("index.version.created", Version.CURRENT) @@ -151,7 +133,7 @@ public void testOptOutQueryCacheNoIndicesPermissions() { final IndexSettings indexSettings = new IndexSettings(indexMetadata, Settings.EMPTY); final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class); final ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, Settings.EMPTY); + final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext); final Weight weight = mock(Weight.class); final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); final Weight w = cache.doCache(weight, policy); 
@@ -173,7 +155,7 @@ public void testOptOutQueryCacheIndexDoesNotHaveFieldLevelSecurity() { final IndicesAccessControl indicesAccessControl = mock(IndicesAccessControl.class); when(indicesAccessControl.getIndexPermissions("index")).thenReturn(indexAccessControl); threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl); - final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, Settings.EMPTY); + final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext); final Weight weight = mock(Weight.class); final QueryCachingPolicy policy = mock(QueryCachingPolicy.class); cache.doCache(weight, policy); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java index 0159999b42528..69287369ad209 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java @@ -74,7 +74,7 @@ public void testInterceptorThrowsWhenFLSDLSEnabled() { threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl); IndicesAliasesRequestInterceptor interceptor = - new IndicesAliasesRequestInterceptor(threadContext, licenseState, Settings.EMPTY, auditTrailService); + new IndicesAliasesRequestInterceptor(threadContext, licenseState, auditTrailService); IndicesAliasesRequest indicesAliasesRequest = new IndicesAliasesRequest(); if (randomBoolean()) { 
@@ -115,7 +115,7 @@ public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Except IndicesAccessControl accessControl = new IndicesAccessControl(true, Collections.emptyMap()); threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl); IndicesAliasesRequestInterceptor interceptor = - new IndicesAliasesRequestInterceptor(threadContext, licenseState, Settings.EMPTY, auditTrailService); + new IndicesAliasesRequestInterceptor(threadContext, licenseState, auditTrailService); final IndicesAliasesRequest indicesAliasesRequest = new IndicesAliasesRequest(); if (randomBoolean()) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java index 4037150392d6d..4c7d413587792 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java @@ -79,7 +79,7 @@ public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() { threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl); ResizeRequestInterceptor resizeRequestInterceptor = - new ResizeRequestInterceptor(threadPool, licenseState, Settings.EMPTY, auditTrailService); + new ResizeRequestInterceptor(threadPool, licenseState, auditTrailService); PlainActionFuture plainActionFuture = new PlainActionFuture<>(); RequestInfo requestInfo = new RequestInfo(authentication, new ResizeRequest("bar", "foo"), action); 
@@ -117,7 +117,7 @@ public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() IndicesAccessControl accessControl = new IndicesAccessControl(true, Collections.emptyMap()); threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, accessControl); ResizeRequestInterceptor resizeRequestInterceptor = - new ResizeRequestInterceptor(threadPool, licenseState, Settings.EMPTY, auditTrailService); + new ResizeRequestInterceptor(threadPool, licenseState, auditTrailService); AuthorizationEngine mockEngine = mock(AuthorizationEngine.class); { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptorTests.java index 7139ba980fab1..6005d28fd8874 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/SearchRequestInterceptorTests.java @@ -13,7 +13,6 @@ import org.elasticsearch.cluster.ClusterState; import org.elasticsearch.cluster.node.DiscoveryNodes; import org.elasticsearch.cluster.service.ClusterService; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.ArrayUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.search.builder.SearchSourceBuilder; @@ -21,7 +20,6 @@ import org.elasticsearch.test.VersionUtils; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.xpack.core.XPackSettings; import org.junit.After; import org.junit.Before; 
@@ -51,8 +49,7 @@ public void init() { licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS)).thenReturn(true); clusterService = mock(ClusterService.class); - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); - interceptor = new SearchRequestInterceptor(threadPool, licenseState, clusterService, settings); + interceptor = new SearchRequestInterceptor(threadPool, licenseState, clusterService); } @After diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptorTests.java index 1b38e608f2fa3..41018b87e5b66 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ShardSearchRequestInterceptorTests.java @@ -13,14 +13,12 @@ import org.elasticsearch.cluster.node.DiscoveryNodes; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.bytes.BytesArray; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.shard.ShardId; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.search.internal.ShardSearchRequest; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.TestThreadPool; import org.elasticsearch.threadpool.ThreadPool; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions; 
@@ -48,8 +46,7 @@ public void init() { licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS)).thenReturn(true); clusterService = mock(ClusterService.class); - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); - interceptor = new ShardSearchRequestInterceptor(threadPool, licenseState, clusterService, settings); + interceptor = new ShardSearchRequestInterceptor(threadPool, licenseState, clusterService); } @After From 539f3002ac21993f5903d0bd8415b13ebe68a4dd Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 13 Jul 2021 10:49:43 +0300 Subject: [PATCH 27/46] explicitly disable security for AbstractMultiClustersTestCase --- .../org/elasticsearch/test/AbstractMultiClustersTestCase.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java index 480ff7c7d4663..b26c866b75173 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java @@ -194,6 +194,8 @@ public void close() throws IOException { static NodeConfigurationSource nodeConfigurationSource(Settings nodeSettings, Collection> nodePlugins) { final Settings.Builder builder = Settings.builder(); + // TODO Ensure that tests extending AbstractMultiClustersTestCase run with security enabled when possible + builder.put("xpack.security.enabled", false); builder.putList(DISCOVERY_SEED_HOSTS_SETTING.getKey()); // empty list disables a port scan for other nodes builder.putList(DISCOVERY_SEED_PROVIDERS_SETTING.getKey(), "file"); builder.put(NetworkModule.TRANSPORT_TYPE_KEY, getTestTransportType()); From 7ff9ad121cb2df139725eae3f44d1ac5a1bbe533 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 13 Jul 2021 13:17:50 +0300 Subject: [PATCH 28/46] Move log message indicating if security is enabled to Security --- .../xpack/security/Security.java | 1 + .../xpack/security/SecurityTests.java | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 87e363f101d02..91bbd807b8458 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -427,6 +427,7 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, Environment environment, IndexNameExpressionResolver expressionResolver) throws Exception { + logger.info("Security is {}", enabled ? "enabled" : "disabled"); if (enabled == false) { return Collections.singletonList(new SecurityUsageServices(null, null, null, null)); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index a844083fb5c03..3389fbc56611d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java 
@@ -581,6 +581,35 @@ public void testSecurityRestHandlerWrapperCanBeInstalled() throws IllegalAccessE } } + public void testSecurityStatusMessageInLog() throws Exception{ + final Logger mockLogger = LogManager.getLogger(Security.class); + boolean securityEnabled = true; + Loggers.setLevel(mockLogger, Level.INFO); + final MockLogAppender appender = new MockLogAppender(); + Loggers.addAppender(mockLogger, appender); + appender.start(); + + Settings.Builder settings = Settings.builder() + .put("path.home", createTempDir()); + if (randomBoolean()) { + // randomize explicit vs implicit configuration + securityEnabled = randomBoolean(); + settings.put("xpack.security.enabled", securityEnabled); + } + + try { + appender.addExpectation(new MockLogAppender.SeenEventExpectation( + "message", Security.class.getName(), Level.INFO, + "Security is " + (securityEnabled ? "enabled" : "disabled") + )); + createComponents(settings.build()); + appender.assertAllExpectationsMatched(); + } finally { + appender.stop(); + Loggers.removeAppender(mockLogger, appender); + } + } + private void logAndFail(Exception e) { logger.error("unexpected exception", e); fail("unexpected exception " + e.getMessage()); From 1810af5c1bb8c816c0c024728b8eeb1ecd65052b Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 13 Jul 2021 15:39:05 +0300 Subject: [PATCH 29/46] Disable security only when we can/need --- .../test/AbstractMultiClustersTestCase.java | 10 ++++++---- .../xpack/core/termsenum/CCSTermsEnumIT.java | 7 +++++++ 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java index b26c866b75173..138d330884d83 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/AbstractMultiClustersTestCase.java 
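Review bot: `Loggers.setLevel(mockLogger, Level.INFO)` changes the level of the real `Security` logger, but the `finally` block only stops and removes the appender, so the level change leaks into every later test in the same JVM; capture the previous level before the call and restore it in `finally`, or reset it with `Loggers.setLevel(mockLogger, (Level) null)` if that overload resets the level in this codebase — confirm. `mockLogger` is the actual logger returned by `LogManager.getLogger(Security.class)`, not a mock, so a name such as `securityLogger` would be less misleading. Minor: `throws Exception{` is missing the space before the brace.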
@@ -57,6 +57,10 @@ protected Collection> nodePlugins(String clusterAlias) { return Collections.emptyList(); } + protected Settings nodeSettings() { + return Settings.EMPTY; + } + protected final Client client() { return client(LOCAL_CLUSTER); } @@ -92,8 +96,8 @@ public final void startClusters() throws Exception { final List> mockPlugins = List.of(MockHttpTransport.TestPlugin.class, MockTransportService.TestPlugin.class, MockNioTransportPlugin.class); final Collection> nodePlugins = nodePlugins(clusterAlias); - final Settings nodeSettings = Settings.EMPTY; - final NodeConfigurationSource nodeConfigurationSource = nodeConfigurationSource(nodeSettings, nodePlugins); + + final NodeConfigurationSource nodeConfigurationSource = nodeConfigurationSource(nodeSettings(), nodePlugins); final InternalTestCluster cluster = new InternalTestCluster(randomLong(), createTempDir(), true, true, numberOfNodes, numberOfNodes, clusterName, nodeConfigurationSource, 0, clusterName + "-", mockPlugins, Function.identity()); cluster.beforeTest(random()); @@ -194,8 +198,6 @@ public void close() throws IOException { static NodeConfigurationSource nodeConfigurationSource(Settings nodeSettings, Collection> nodePlugins) { final Settings.Builder builder = Settings.builder(); - // TODO Ensure that tests extending AbstractMultiClustersTestCase run with security enabled when possible - builder.put("xpack.security.enabled", false); builder.putList(DISCOVERY_SEED_HOSTS_SETTING.getKey()); // empty list disables a port scan for other nodes builder.putList(DISCOVERY_SEED_PROVIDERS_SETTING.getKey(), "file"); builder.put(NetworkModule.TRANSPORT_TYPE_KEY, getTestTransportType()); diff --git a/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java b/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java index b03f7e3ee3e93..c321f655875a0 100644 
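Review bot: The new `nodeSettings()` extension hook has no Javadoc; since subclasses are expected to override it, it should say what the returned settings apply to and that they are layered onto the defaults built in `nodeConfigurationSource`, e.g. `/** Additional node settings applied to every node of every cluster started by this test case; subclasses override to customise. */`. Unlike the sibling `nodePlugins(String clusterAlias)` hook, this one takes no cluster alias, so a subclass cannot vary settings per cluster — consider `nodeSettings(String clusterAlias)` for symmetry if per-cluster configuration is plausible. In the `startClusters` hunk, the `+` empty line left behind by the removed `nodeSettings` local can be dropped.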
--- a/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java +++ b/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java @@ -11,6 +11,7 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.AbstractMultiClustersTestCase; import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.termsenum.action.TermsEnumAction; import org.elasticsearch.xpack.core.termsenum.action.TermsEnumRequest; import org.elasticsearch.xpack.core.termsenum.action.TermsEnumResponse; @@ -29,6 +30,12 @@ protected Collection remoteClusterAlias() { return List.of("remote_cluster"); } + @Override + protected Settings nodeSettings() { + // TODO Ensure that the tests run correctly with security enabled + return Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); + } + @Override protected Collection> nodePlugins(String clusterAlias) { final List> plugins = new ArrayList<>(super.nodePlugins(clusterAlias)); From 60854ebd8fc753957f05d50e8c1b2eea65caeae8 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 13 Jul 2021 18:17:43 +0300 Subject: [PATCH 30/46] fix test --- .../SecurityInfoTransportActionTests.java | 2 +- .../xpack/security/SecurityTests.java | 49 ++++++++++--------- 2 files changed, 27 insertions(+), 24 deletions(-) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java index f443fb066d9ea..3353023d40d79 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java 
@@ -88,7 +88,7 @@ public void testEnabled() { public void testUsage() throws Exception { final boolean explicitlyDisabled = randomBoolean(); - final boolean enabled = explicitlyDisabled == false && randomBoolean(); + final boolean enabled = explicitlyDisabled == false; final boolean operatorPrivilegesAvailable = randomBoolean(); when(licenseState.isAllowed(XPackLicenseState.Feature.OPERATOR_PRIVILEGES)).thenReturn(operatorPrivilegesAvailable); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 3389fbc56611d..39a179affb529 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java @@ -68,6 +68,8 @@ import org.hamcrest.Matchers; import org.junit.After; +import java.nio.file.Files; +import java.nio.file.Path; import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -145,17 +147,6 @@ protected SSLService getSslService() { xContentRegistry(), env, TestIndexNameExpressionResolver.newInstance(threadContext)); } - private Collection createComponentsWithSecurityNotExplicitlyEnabled(Settings testSettings, SecurityExtension... extensions) - throws Exception { - if (security != null) { - throw new IllegalStateException("Security object already exists (" + security + ")"); - } - Settings settings = Settings.builder() - .put(testSettings) - .put("path.home", createTempDir()).build(); - return createComponentsUtil(settings, extensions); - } - private Collection createComponents(Settings testSettings, SecurityExtension... extensions) throws Exception { if (security != null) { throw new IllegalStateException("Security object already exists (" + security + ")"); 
@@ -499,26 +490,36 @@ public void testValidateForFipsNoErrorsForDefaultSettings() { } public void testLicenseUpdateFailureHandlerUpdate() throws Exception { - Settings settings = Settings.builder(). - put("xpack.security.authc.api_key.enabled", "true"). - build(); - Collection components = createComponentsWithSecurityNotExplicitlyEnabled(settings); + final Path kerbKeyTab = createTempFile("es", "keytab"); + Files.write(kerbKeyTab, new byte[0]); + Settings settings = Settings.builder() + .put("xpack.security.authc.api_key.enabled", "true") + .put("xpack.security.authc.realms.kerberos.kb.enabled", true) + .put("xpack.security.authc.realms.kerberos.kb.order", 2) + .put("xpack.security.authc.realms.kerberos.kb.keytab.path", kerbKeyTab) + .build(); + Collection components = createComponents(settings); AuthenticationService service = findComponent(AuthenticationService.class, components); assertNotNull(service); RestRequest request = new FakeRestRequest(); final AtomicBoolean completed = new AtomicBoolean(false); service.authenticate(request, ActionListener.wrap(result -> { assertTrue(completed.compareAndSet(false, true)); - }, this::logAndFail)); - assertTrue(completed.compareAndSet(true, false)); + }, e -> { + // On trial license, kerberos is allowed and the WWW-Authenticate response header should reflect that + verifyHasAuthenticationHeaderValue(e, "Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"", "Negotiate", "ApiKey"); + })); threadContext.stashContext(); licenseState.update( - randomFrom(License.OperationMode.GOLD, License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM), + randomFrom(License.OperationMode.GOLD, License.OperationMode.BASIC), true, Long.MAX_VALUE, null); service.authenticate(request, ActionListener.wrap(result -> { assertTrue(completed.compareAndSet(false, true)); - }, this::VerifyBasicAuthenticationHeader)); - if(completed.get()){ + }, e -> { + // On basic or gold license, kerberos is not allowed and the WWW-Authenticate 
response header should also reflect that + verifyHasAuthenticationHeaderValue(e, "Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"", "ApiKey"); + })); + if (completed.get()) { fail("authentication succeeded but it shouldn't"); } } @@ -615,10 +616,12 @@ private void logAndFail(Exception e) { fail("unexpected exception " + e.getMessage()); } - private void VerifyBasicAuthenticationHeader(Exception e) { + private void verifyHasAuthenticationHeaderValue(Exception e, String... expectedValues) { assertThat(e, instanceOf(ElasticsearchSecurityException.class)); assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), notNullValue()); - assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), - hasItem("Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"")); + assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate").size(), equalTo(expectedValues.length)); + for (String v: expectedValues) { + assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), hasItem(v)); + } } } From 045ec1ab2169856ae910d2da10af3ff5758a409e Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 19 Jul 2021 11:16:37 +0300 Subject: [PATCH 31/46] address feedback --- .../java/org/elasticsearch/packaging/util/Archives.java | 2 +- .../test/java/org/elasticsearch/packaging/util/Docker.java | 4 ++-- .../java/org/elasticsearch/packaging/util/Packages.java | 2 +- .../java/org/elasticsearch/packaging/util/ServerUtils.java | 6 +++++- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java index 4ef8b4e9fe7d0..74b3112e36d09 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java 
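Review bot: `Files.write(kerbKeyTab, new byte[0])` in `testLicenseUpdateFailureHandlerUpdate` is redundant, because `createTempFile` already creates an empty file; drop it, or add a comment if the explicit truncation is intentional. The inline comments on the two failure lambdas say what is expected per license tier, which is helpful; the first could also state that the request carries no credentials so failure is the expected path, since the `if (completed.get()) fail(...)` check at the end relies on that.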
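Review bot: In `verifyHasAuthenticationHeaderValue`, the size assertion plus the per-value `hasItem` loop can be expressed as a single assertion on the header list, `assertThat(((ElasticsearchSecurityException) e).getHeader("WWW-Authenticate"), containsInAnyOrder(expectedValues));`, which also reports the full actual list on failure; the file already uses Hamcrest matchers. Style: `for (String v: expectedValues)` wants a space before the colon.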
@@ -108,7 +108,7 @@ public static Installation installArchive(Shell sh, Distribution distribution, P Installation installation = Installation.ofArchive(sh, distribution, fullInstallPath); ServerUtils.disableGeoIpDownloader(installation); // TODO: Adjust all tests so that they can run with security on, which is the default behavior - ServerUtils.disableSecurityFeatures(installation); + ServerUtils.possiblyDisableSecurityFeatures(installation); return installation; } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java index 9ee0ae9cf96cd..30fb961a96474 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java @@ -570,7 +570,7 @@ public static String getContainerId() { * @return the parsed response */ public static JsonNode getJson(String path) throws Exception { - path = Objects.requireNonNull(path).trim(); + path = Objects.requireNonNull(path, "path can not be null").trim(); if (path.isEmpty()) { throw new IllegalArgumentException("path must be supplied"); } @@ -585,7 +585,7 @@ public static JsonNode getJson(String path) throws Exception { } public static JsonNode getJson(String path, String user, String password) throws Exception { - path = Objects.requireNonNull(path).trim(); + path = Objects.requireNonNull(path, "path can not be null").trim(); if (path.isEmpty()) { throw new IllegalArgumentException("path must be supplied"); } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java index b697190adba7d..fb3dcca4bf1ba 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java 
@@ -95,7 +95,7 @@ public static Installation installPackage(Shell sh, Distribution distribution) t ServerUtils.disableGeoIpDownloader(installation); } // TODO Figure out how to run all packaging tests with security enabled which is now the default behavior - ServerUtils.disableSecurityFeatures(installation); + ServerUtils.possiblyDisableSecurityFeatures(installation); return installation; } diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index 4b603aeb8c9b7..5a29292f169a3 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java @@ -305,7 +305,11 @@ public static void enableGeoIpDownloader(Installation installation) throws IOExc Files.write(yml, lines, TRUNCATE_EXISTING); } - public static void disableSecurityFeatures(Installation installation) throws IOException { + /** + * Explicitly disables security if the existing configuration didn't already have an explicit value for the + * xpack.security.enabled setting + */ + public static void possiblyDisableSecurityFeatures(Installation installation) throws IOException { List configLines = Collections.singletonList("xpack.security.enabled: false"); Path yamlFile = installation.config("elasticsearch.yml"); try (Stream lines = Files.readAllLines(yamlFile).stream()) { From 928798a44ea8fe10939722d6961e227dc3e04420 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Mon, 2 Aug 2021 15:11:51 +0300 Subject: [PATCH 32/46] address feedback --- .../packaging/test/DockerTests.java | 31 +++++++++---------- .../packaging/util/ServerUtils.java | 14 ++++++--- .../SecurityIndexReaderWrapper.java | 9 ++---- ...ityIndexReaderWrapperIntegrationTests.java | 4 +-- .../SecurityIndexReaderWrapperUnitTests.java | 7 ++--- .../xpack/security/Security.java | 3 +- .../security/audit/AuditTrailService.java | 5 +-- .../SecurityServerTransportInterceptor.java | 16 +++++----- .../transport/ServerTransportFilter.java | 8 +---- .../xpack/security/SecurityTests.java | 5 +++ .../transport/ServerTransportFilterTests.java | 2 +- 11 files changed, 48 insertions(+), 56 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index e53402a10d5b2..5703b6134edbf 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java 
@@ -111,12 +111,18 @@ public void test010Install() { } /** - * Check that the /_xpack API endpoint's presence is correct for the type of distribution being tested. + * Check that security is enabled */ - public void test011PresenceOfXpack() throws Exception { + public void test011SecurityEnabledStatus() throws Exception { waitForElasticsearch(installation, USERNAME, PASSWORD); - final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200/_xpack"), USERNAME, PASSWORD, null); + final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), USERNAME, PASSWORD, null); assertThat(statusCode, equalTo(200)); + + // restart container with security disabled + runContainer(distribution(), builder().envVars(Map.of("xpack.security.enabled", "false"))); + waitForElasticsearch(installation); + final int unauthStatusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), null, null, null); + assertThat(unauthStatusCode, equalTo(200)); } /** @@ -323,10 +329,7 @@ public void test080ConfigurePasswordThroughEnvironmentVariableFile() throws Exce Map envVars = Map.of( "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + passwordFilename, - // Enable security so that we can test that the password has been used - "xpack.security.enabled", - "true" + "/run/secrets/" + passwordFilename ); // File permissions need to be secured in order for the ES wrapper to accept @@ -377,10 +380,7 @@ public void test081SymlinksAreFollowedWithEnvironmentVariableFiles() throws Exce Map envVars = Map.of( "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + symlinkFilename, - // Enable security so that we can test that the password has been used - "xpack.security.enabled", - "true" + "/run/secrets/" + symlinkFilename ); // File permissions need to be secured in order for the ES wrapper to accept 
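Review bot: test011SecurityEnabledStatus only shows that the root endpoint answers 200 with credentials and 200 without credentials once security is disabled, but never checks that the secured container rejects an unauthenticated request, so a build where security silently did not enforce authentication would still pass. Before the container is restarted, add the negative check, `assertThat(ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), null, null, null), equalTo(401));` (401 is what I would expect for a missing credential; confirm against the running image). The Javadoc could then state what is actually covered: `Check that security is enabled by default and enforces authentication, and that it can be switched off through the environment`.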
@@ -469,10 +469,7 @@ public void test084SymlinkToFileWithInvalidPermissionsIsRejected() throws Except Map envVars = Map.of( "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + symlinkFilename, - // Enable security so that we can test that the password has been used - "xpack.security.enabled", - "true" + "/run/secrets/" + symlinkFilename ); // Set invalid permissions on the file that the symlink targets @@ -762,12 +759,12 @@ public void test123CannotUseUnknownLoggingConfig() { public void test124CanRestartContainerWithStackLoggingConfig() throws Exception { runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file"))); - waitForElasticsearch(installation); + waitForElasticsearch(installation, USERNAME, PASSWORD); restartContainer(); // If something went wrong running Elasticsearch the second time, this will fail. - waitForElasticsearch(installation); + waitForElasticsearch(installation, USERNAME, PASSWORD); } /** diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index 5a29292f169a3..453ace7ea39d7 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java @@ -38,6 +38,7 @@ import java.util.Collections; import java.util.List; import java.util.Objects; +import java.util.Optional; import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -49,6 +50,7 @@ import static java.nio.file.StandardOpenOption.APPEND; import static java.nio.file.StandardOpenOption.CREATE; import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING; +import static org.elasticsearch.packaging.util.Docker.sh; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.containsString; 
@@ -57,7 +59,6 @@ public class ServerUtils { private static final Logger logger = LogManager.getLogger(ServerUtils.class); private static String SECURITY_DISABLED = "xpack.security.enabled: false"; - private static String SSL_ENABLED = "xpack.security.http.ssl.enabled: true"; // generous timeout as nested virtualization can be quite slow ... private static final long waitTime = TimeUnit.MINUTES.toMillis(3); @@ -73,9 +74,14 @@ public static void waitForElasticsearch(Installation installation) throws Except String configFile = Files.readString(configFilePath, StandardCharsets.UTF_8); securityEnabled = configFile.contains(SECURITY_DISABLED) == false; } else { - // TODO: need a way to check if docker has security enabled, the yml config is not bind mounted so can't look from here - // we currently enable security in all tests - securityEnabled = true; + final Optional commandLine = sh.run("bash -c 'COLUMNS=2000 ps ax'").stdout.lines() + .filter(line -> line.contains("org.elasticsearch.bootstrap.Elasticsearch")) + .findFirst(); + if (commandLine.isPresent() == false) { + throw new RuntimeException("Installation distribution is docker but a docker container is not running"); + } + // security is enabled by default, the only way for it to be disabled is to be explicitly disabled + securityEnabled = commandLine.get().contains("-Expack.security.enabled=false") == false; } if (securityEnabled) { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java index b67c3e81a1f8d..fa304a468f900 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java 
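Review bot: In the docker branch of waitForElasticsearch, security is considered enabled unless the literal `-Expack.security.enabled=false` appears in the Elasticsearch process command line; a container whose security was disabled another way (a mounted elasticsearch.yml, or a differently spelled `-E` flag) would, as far as I can tell, be treated as secured and the following wait would present credentials to an unsecured node. That assumption deserves a comment next to the check, e.g. `// Only the -E flag injected by the docker entrypoint is recognised here; a config-file override is not detected`. The `isPresent() == false` / `get()` pair also reads more directly as `final String commandLine = ... .findFirst().orElseThrow(() -> new RuntimeException("Installation distribution is docker but a docker container is not running"));`. The method continues past the end of the hunk.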
@@ -14,7 +14,6 @@ import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.core.CheckedFunction; import org.elasticsearch.common.logging.LoggerMessageFormat; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.index.query.SearchExecutionContext; import org.elasticsearch.index.shard.ShardId; @@ -22,7 +21,6 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.script.ScriptService; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions; @@ -52,23 +50,20 @@ public class SecurityIndexReaderWrapper implements CheckedFunction searchExecutionContextProvider, DocumentSubsetBitsetCache bitsetCache, SecurityContext securityContext, - XPackLicenseState licenseState, ScriptService scriptService, Settings settings) { + XPackLicenseState licenseState, ScriptService scriptService) { this.scriptService = scriptService; this.searchExecutionContextProvider = searchExecutionContextProvider; this.bitsetCache = bitsetCache; this.securityContext = securityContext; this.licenseState = licenseState; - this.settings = settings; } @Override public DirectoryReader apply(final DirectoryReader reader) { - if (XPackSettings.SECURITY_ENABLED.get(settings) == false || - licenseState.checkFeature(Feature.SECURITY_DLS_FLS) == false) { + if (licenseState.checkFeature(Feature.SECURITY_DLS_FLS) == false) { return reader; } 
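Review bot: With the `XPackSettings.SECURITY_ENABLED` guard removed, `apply` wraps the reader with DLS/FLS whenever the license allows it, so the class now relies on its caller not installing it when security is disabled; the call site in `Security#onIndexModule` is part of this commit, but the condition guarding that call is not visible here, so it is worth double-checking. Record the contract in the class Javadoc, e.g. `This wrapper no longer checks xpack.security.enabled; it must only be installed when security is enabled (see Security#onIndexModule).` The body of `apply` continues outside the hunk.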
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java index 77a8dbed283ff..e7a05304a7dc4 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java @@ -145,7 +145,7 @@ null, null, null, mappingLookup, null, null, xContentRegistry(), writableRegistr FieldPermissions(), DocumentPermissions.filteredBy(singleton(new BytesArray(termQuery)))); SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> searchExecutionContext, - bitsetCache, securityContext, licenseState, scriptService, Settings.EMPTY) { + bitsetCache, securityContext, licenseState, scriptService) { @Override protected IndicesAccessControl getIndicesAccessControl() { @@ -224,7 +224,7 @@ null, null, null, mappingLookup, null, null, xContentRegistry(), writableRegistr XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> searchExecutionContext, - bitsetCache, securityContext, licenseState, scriptService, Settings.EMPTY) { + bitsetCache, securityContext, licenseState, scriptService) { @Override protected IndicesAccessControl getIndicesAccessControl() { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java index f8c120891a9fa..c427a043bb6df 100644 
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java @@ -87,7 +87,7 @@ public void tearDown() throws Exception { public void testDefaultMetaFields() throws Exception { securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService, Settings.EMPTY) { + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService) { @Override protected IndicesAccessControl getIndicesAccessControl() { IndicesAccessControl.IndexAccessControl indexAccessControl = new IndicesAccessControl.IndexAccessControl(true, @@ -117,7 +117,7 @@ protected IndicesAccessControl getIndicesAccessControl() { public void testWrapReaderWhenFeatureDisabled() throws Exception { when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(false); securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService, Settings.EMPTY); + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService); DirectoryReader reader = securityIndexReaderWrapper.apply(esIn); assertThat(reader, sameInstance(esIn)); } @@ -151,8 +151,7 @@ private void assertResolved(FieldPermissions permissions, Set expected, public void testFieldPermissionsWithFieldExceptions() throws Exception { securityIndexReaderWrapper = - new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, null, - Settings.EMPTY); + new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, null); String[] grantedFields = new String[]{}; String[] deniedFields; Set expected = new HashSet<>(META_FIELDS); 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 91bbd807b8458..ba2526d2403f1 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -824,8 +824,7 @@ public void onIndexModule(IndexModule module) { dlsBitsetCache.get(), securityContext.get(), getLicenseState(), - indexService.getScriptService(), - settings)); + indexService.getScriptService())); /* * We need to forcefully overwrite the query cache implementation to use security's opt-out query cache implementation. This * implementation disables the query cache if field level security is used for a particular request. We have to forcefully diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java index dddb800c6a38d..0059ff888f4b8 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java @@ -15,7 +15,6 @@ import org.elasticsearch.rest.RestRequest; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportResponse; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo; 
@@ -35,18 +34,16 @@ public class AuditTrailService { private static final AuditTrail NOOP_AUDIT_TRAIL = new NoopAuditTrail(); private final CompositeAuditTrail compositeAuditTrail; private final XPackLicenseState licenseState; - private final Settings settings; private final Duration minLogPeriod = Duration.ofMinutes(30); protected AtomicReference nextLogInstantAtomic = new AtomicReference<>(Instant.EPOCH); public AuditTrailService(List auditTrails, XPackLicenseState licenseState, Settings settings) { this.compositeAuditTrail = new CompositeAuditTrail(Collections.unmodifiableList(auditTrails)); this.licenseState = licenseState; - this.settings = settings; } public AuditTrail get() { - if (compositeAuditTrail.isEmpty() == false && XPackSettings.SECURITY_ENABLED.get(settings)) { + if (compositeAuditTrail.isEmpty() == false) { if (licenseState.checkFeature(Feature.SECURITY_AUDITING)) { return compositeAuditTrail; } else { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java index dc86206185516..128ef87a8fc7e 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java 
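Review bot: The `Settings settings` parameter of the AuditTrailService constructor is now unused, since the field and `this.settings = settings` are gone, so either drop it together with its callers, `public AuditTrailService(List<AuditTrail> auditTrails, XPackLicenseState licenseState) {`, or leave a comment saying why it is kept. `get()` now hands out the composite trail whenever it is non-empty, which presumably means the list is expected to be empty when security is disabled; a one-line comment on `get()` stating that assumption would help the next reader. The method continues past the hunk.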
@@ -100,20 +100,20 @@ public void sendRequest(Transport.Connection conne if (AuthorizationUtils.shouldReplaceUserWithSystem(threadPool.getThreadContext(), action)) { securityContext.executeAsUser(SystemUser.INSTANCE, (original) -> sendWithUser(connection, action, request, options, new ContextRestoreResponseHandler<>(threadPool.getThreadContext().wrapRestorable(original) - , handler), sender, requireAuth), minVersion); + , handler), sender), minVersion); } else if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(threadPool.getThreadContext())) { AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(threadPool.getThreadContext(), securityContext, (original) -> sendWithUser(connection, action, request, options, new ContextRestoreResponseHandler<>(threadPool.getThreadContext().wrapRestorable(original) - , handler), sender, requireAuth)); + , handler), sender)); } else if (securityContext.getAuthentication() != null && securityContext.getAuthentication().getVersion().equals(minVersion) == false) { // re-write the authentication since we want the authentication version to match the version of the connection securityContext.executeAfterRewritingAuthentication(original -> sendWithUser(connection, action, request, options, - new ContextRestoreResponseHandler<>(threadPool.getThreadContext().wrapRestorable(original), handler), sender, - requireAuth), minVersion); + new ContextRestoreResponseHandler<>(threadPool.getThreadContext().wrapRestorable(original), handler), sender), + minVersion); } else { - sendWithUser(connection, action, request, options, handler, sender, requireAuth); + sendWithUser(connection, action, request, options, handler, sender); } } }; 
@@ -121,8 +121,8 @@ public void sendRequest(Transport.Connection conne private void sendWithUser(Transport.Connection connection, String action, TransportRequest request, TransportRequestOptions options, TransportResponseHandler handler, - AsyncSender sender, final boolean requireAuthentication) { - if (securityContext.getAuthentication() == null && requireAuthentication) { + AsyncSender sender) { + if (securityContext.getAuthentication() == null) { // we use an assertion here to ensure we catch this in our testing infrastructure, but leave the ISE for cases we do not catch // in tests and may be hit by a user assertNoAuthentication(action); @@ -160,7 +160,7 @@ private Map initializeProfileFilters(DestructiveO final SSLConfiguration profileConfiguration = entry.getValue(); final boolean extractClientCert = transportSSLEnabled && sslService.isSSLClientAuthEnabled(profileConfiguration); profileFilters.put(entry.getKey(), new ServerTransportFilter(authcService, authzService, threadPool.getThreadContext(), - extractClientCert, destructiveOperations, securityContext, settings)); + extractClientCert, destructiveOperations, securityContext)); } return Collections.unmodifiableMap(profileFilters); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java index 57ffdce30238a..8e5b47ef48486 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java 
@@ -15,7 +15,6 @@ import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction; import org.elasticsearch.action.admin.indices.open.OpenIndexAction; import org.elasticsearch.action.support.DestructiveOperations; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.transport.TaskTransportChannel; import org.elasticsearch.transport.TcpChannel; @@ -25,7 +24,6 @@ import org.elasticsearch.transport.TransportService; import org.elasticsearch.transport.netty4.Netty4TcpChannel; import org.elasticsearch.transport.nio.NioTcpChannel; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.user.SystemUser; @@ -48,18 +46,16 @@ final class ServerTransportFilter { private final boolean extractClientCert; private final DestructiveOperations destructiveOperations; private final SecurityContext securityContext; - private final Settings settings; ServerTransportFilter(AuthenticationService authcService, AuthorizationService authzService, ThreadContext threadContext, boolean extractClientCert, DestructiveOperations destructiveOperations, - SecurityContext securityContext, Settings settings) { + SecurityContext securityContext) { this.authcService = authcService; this.authzService = authzService; this.threadContext = threadContext; this.extractClientCert = extractClientCert; this.destructiveOperations = destructiveOperations; this.securityContext = securityContext; - this.settings = settings; } /** 
@@ -112,8 +108,6 @@ requests from all the nodes are attached with a user (either a serialize } else { authzService.authorize(authentication, securityAction, request, listener); } - } else if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { - listener.onResponse(null); } else { listener.onFailure(new IllegalStateException("no authentication present but auth is allowed")); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 39a179affb529..2313315ed44aa 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java @@ -393,6 +393,11 @@ public void testGetFieldFilterSecurityEnabledLicenseNoFLS() throws Exception { assertSame(MapperPlugin.NOOP_FIELD_PREDICATE, fieldFilter.apply(randomAlphaOfLengthBetween(3, 6))); } + public void testSecurityIndexWrapperDisabledSecurityDisabled() throws Exception { + createComponents(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build()); + + } + public void testValidateRealmsWhenSettingsAreInvalid() { final Settings settings = Settings.builder() .put(RealmSettings.PREFIX + "my_pki.type", "pki") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java index aa1963de326f0..9df962f296492 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterTests.java 
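Review bot: `testSecurityIndexWrapperDisabledSecurityDisabled` in SecurityTests contains no assertion, so it only proves that `createComponents` does not throw with `xpack.security.enabled=false` and says nothing about the reader wrapper its name promises to cover. Since `SecurityIndexReaderWrapper#apply` no longer checks the setting itself (see the SecurityIndexReaderWrapper hunk in this commit), the test should exercise `onIndexModule` with a mocked `IndexModule` and verify that no reader wrapper is registered when security is disabled. As written, it would also pass with a wrapper that enforces DLS/FLS on an unsecured node.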
@@ -197,6 +197,6 @@ private ServerTransportFilter getNodeFilter() { Settings settings = Settings.builder().put("path.home", createTempDir()).build(); ThreadContext threadContext = new ThreadContext(settings); return new ServerTransportFilter(authcService, authzService, threadContext, false, destructiveOperations, - new SecurityContext(settings, threadContext), settings); + new SecurityContext(settings, threadContext)); } } From 67eace781ddccd19e8be8245c29278712ce99b8a Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 2 Aug 2021 15:50:34 +0300 Subject: [PATCH 33/46] add tracking meta issue for enabling security in tests --- .../test/java/org/elasticsearch/packaging/util/Archives.java | 1 + .../test/java/org/elasticsearch/packaging/util/Packages.java | 1 + .../elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java | 3 ++- .../org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java | 4 +++- .../java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java | 4 +++- .../java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java | 1 + .../elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java | 1 + .../org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java | 1 + .../xpack/transform/integration/TransformInternalIndexIT.java | 1 + .../integration/TransformNoRemoteClusterClientNodeIT.java | 4 +++- .../transform/integration/TransformNoTransformNodeIT.java | 4 +++- 11 files changed, 20 insertions(+), 5 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java index ce8ed815e0bec..99252690509bf 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Archives.java 
@@ -108,6 +108,7 @@ public static Installation installArchive(Shell sh, Distribution distribution, P Installation installation = Installation.ofArchive(sh, distribution, fullInstallPath); ServerUtils.disableGeoIpDownloader(installation); // TODO: Adjust all tests so that they can run with security on, which is the default behavior + // https://github.com/elastic/elasticsearch/issues/75940 ServerUtils.possiblyDisableSecurityFeatures(installation); return installation; diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java index fb3dcca4bf1ba..02f96a99684bf 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Packages.java @@ -94,6 +94,7 @@ public static Installation installPackage(Shell sh, Distribution distribution) t if (Version.fromString(distribution.baseVersion).onOrAfter(Version.V_7_13_0)) { ServerUtils.disableGeoIpDownloader(installation); } + // https://github.com/elastic/elasticsearch/issues/75940 // TODO Figure out how to run all packaging tests with security enabled which is now the default behavior ServerUtils.possiblyDisableSecurityFeatures(installation); return installation; diff --git a/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java b/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java index c321f655875a0..b54d747470b47 100644 --- a/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java +++ b/x-pack/plugin/core/src/internalClusterTest/java/org/elasticsearch/xpack/core/termsenum/CCSTermsEnumIT.java 
@@ -32,7 +32,8 @@ protected Collection remoteClusterAlias() { @Override protected Settings nodeSettings() { - // TODO Ensure that the tests run correctly with security enabled + // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 return Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); } diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java index bc79a72e617ed..9e15cf5fb360c 100644 --- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichMultiNodeIT.java @@ -69,7 +69,9 @@ protected Collection> nodePlugins() { protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal, otherSettings)) - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } diff --git a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java index 5a63ad8a08dc0..1fb2315da1ec9 100644 --- a/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java +++ b/x-pack/plugin/enrich/src/internalClusterTest/java/org/elasticsearch/xpack/enrich/EnrichRestartIT.java 
@@ -39,7 +39,9 @@ protected Collection> nodePlugins() { protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal, otherSettings)) - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java index b8cbb2d60fc89..8416103e2f18f 100644 --- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java +++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/BasicEnrichTests.java @@ -68,6 +68,7 @@ protected boolean resetNodeAfterTest() { protected Settings nodeSettings() { return Settings.builder() // TODO Fix the test so that it runs with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java index 5cde4c8f3b461..3b8d2b36845c2 100644 --- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java +++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichPolicyUpdateTests.java @@ -41,6 +41,7 @@ protected Collection> getPlugins() { protected Settings nodeSettings() { return Settings.builder() // TODO Fix the test so that it runs with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } 
diff --git a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java index d93426c6abbd7..4799bc6b03016 100644 --- a/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java +++ b/x-pack/plugin/enrich/src/test/java/org/elasticsearch/xpack/enrich/EnrichResiliencyTests.java @@ -53,6 +53,7 @@ protected Settings nodeSettings() { .put(EnrichPlugin.COORDINATOR_PROXY_MAX_LOOKUPS_PER_REQUEST.getKey(), 1) .put(EnrichPlugin.COORDINATOR_PROXY_QUEUE_CAPACITY.getKey(), 10) // TODO Fix the test so that it runs with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java index 97752ccbbe7c2..99a625a35dcf2 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformInternalIndexIT.java @@ -41,6 +41,7 @@ public class TransformInternalIndexIT extends TransformSingleNodeTestCase { @Override protected Settings nodeSettings() { // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 return Settings.builder().put(super.nodeSettings()).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); } 
diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java index 7ac8da4ac53e4..f3e5b79dada6e 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoRemoteClusterClientNodeIT.java @@ -31,7 +31,9 @@ public class TransformNoRemoteClusterClientNodeIT extends TransformSingleNodeTes protected Settings nodeSettings() { return Settings.builder() .put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest, transform") - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } diff --git a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java index 47ff42c340076..f4a6f4556bd9e 100644 --- a/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java +++ b/x-pack/plugin/transform/src/internalClusterTest/java/org/elasticsearch/xpack/transform/integration/TransformNoTransformNodeIT.java 
@@ -33,7 +33,9 @@ public class TransformNoTransformNodeIT extends TransformSingleNodeTestCase { protected Settings nodeSettings() { return Settings.builder() .put(NodeRoleSettings.NODE_ROLES_SETTING.getKey(), "master, data, ingest") - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) // TODO Change this to run with security enabled + // TODO Change this to run with security enabled + // https://github.com/elastic/elasticsearch/issues/75940 + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) .build(); } From 05b463664961f48c16f2266c5a4f629047f929be Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 2 Aug 2021 16:06:48 +0300 Subject: [PATCH 34/46] More SecurityServerTransportInterceptor cleanup --- .../xpack/security/Security.java | 2 +- .../SecurityServerTransportInterceptor.java | 96 +++++++------- ...curityServerTransportInterceptorTests.java | 118 ++---------------- 3 files changed, 51 insertions(+), 165 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 9ff464e0de061..1f855011d0b9e 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java 
@@ -595,7 +595,7 @@ auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEn components.add(ipFilter.get()); DestructiveOperations destructiveOperations = new DestructiveOperations(settings, clusterService.getClusterSettings()); securityInterceptor.set(new SecurityServerTransportInterceptor(settings, threadPool, authcService.get(), - authzService, getLicenseState(), getSslService(), securityContext.get(), destructiveOperations, clusterService)); + authzService, getSslService(), securityContext.get(), destructiveOperations, clusterService)); securityActionFilter.set(new SecurityActionFilter(authcService.get(), authzService, auditTrailService, getLicenseState(), threadPool, securityContext.get(), destructiveOperations)); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java index 669317848b72d..d5f0cbca0836f 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java @@ -17,7 +17,6 @@ import org.elasticsearch.common.util.concurrent.RunOnce; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.gateway.GatewayService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.SendRequestTransportException; 
@@ -55,7 +54,6 @@ public class SecurityServerTransportInterceptor implements TransportInterceptor private final AuthorizationService authzService; private final SSLService sslService; private final Map profileFilters; - private final XPackLicenseState licenseState; private final ThreadPool threadPool; private final Settings settings; private final SecurityContext securityContext; @@ -66,7 +64,6 @@ public SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authcService, AuthorizationService authzService, - XPackLicenseState licenseState, SSLService sslService, SecurityContext securityContext, DestructiveOperations destructiveOperations, @@ -75,7 +72,6 @@ public SecurityServerTransportInterceptor(Settings settings, this.threadPool = threadPool; this.authcService = authcService; this.authzService = authzService; - this.licenseState = licenseState; this.sslService = sslService; this.securityContext = securityContext; this.profileFilters = initializeProfileFilters(destructiveOperations); @@ -88,7 +84,6 @@ public AsyncSender interceptSender(AsyncSender sender) { @Override public void sendRequest(Transport.Connection connection, String action, TransportRequest request, TransportRequestOptions options, TransportResponseHandler handler) { - final boolean requireAuth = XPackSettings.SECURITY_ENABLED.get(settings); // the transport in core normally does this check, BUT since we are serializing to a string header we need to do it // ourselves otherwise we wind up using a version newer than what we can actually send final Version minVersion = Version.min(connection.getVersion(), Version.CURRENT); @@ -169,7 +164,6 @@ public static class ProfileSecuredRequestHandler imp private final String action; private final TransportRequestHandler handler; private final Map profileFilters; - private final Settings settings; private final ThreadContext threadContext; private final String executorName; private final ThreadPool threadPool; 
@@ -184,7 +178,6 @@ public static class ProfileSecuredRequestHandler imp
 this.executorName = executorName;
 this.handler = handler;
 this.profileFilters = profileFilters;
- this.settings = settings;
 this.threadContext = threadPool.getThreadContext();
 this.threadPool = threadPool;
 this.forceExecution = forceExecution;
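Review bot: The `settings` field of ProfileSecuredRequestHandler is removed here, but the `Settings` constructor parameter appears to survive — the test change at the end of this series still passes `settings` immediately before `threadPool` — which leaves a parameter that is stored nowhere and read nowhere. Dropping it from the constructor signature and from its callers would complete the cleanup rather than leaving a dead argument for the next reader to puzzle over. The same question may apply to the outer interceptor's `settings` field, since the only visible use, `requireAuth`, is deleted in the hunk above; I cannot see the remaining body to confirm. The constructor signature itself is outside this hunk.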
@@ -233,57 +226,54 @@ public String toString() { @Override public void messageReceived(T request, TransportChannel channel, Task task) { try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) { - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - String profile = channel.getProfileName(); - ServerTransportFilter filter = profileFilters.get(profile); - - if (filter == null) { - if (TransportService.DIRECT_RESPONSE_PROFILE.equals(profile)) { - // apply the default filter to local requests. We never know what the request is or who sent it... - filter = profileFilters.get("default"); - } else { - String msg = "transport profile [" + profile + "] is not associated with a transport filter"; - throw new IllegalStateException(msg); - } + String profile = channel.getProfileName(); + ServerTransportFilter filter = profileFilters.get(profile); + + if (filter == null) { + if (TransportService.DIRECT_RESPONSE_PROFILE.equals(profile)) { + // apply the default filter to local requests. We never know what the request is or who sent it... 
+ filter = profileFilters.get("default"); + } else { + String msg = "transport profile [" + profile + "] is not associated with a transport filter"; + throw new IllegalStateException(msg); } - assert filter != null; - - final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task); - final ActionListener filterListener; - if (ThreadPool.Names.SAME.equals(executorName)) { - filterListener = new AbstractFilterListener(receiveMessage) { - @Override - public void onResponse(Void unused) { + } + assert filter != null; + + final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task); + final ActionListener filterListener; + if (ThreadPool.Names.SAME.equals(executorName)) { + filterListener = new AbstractFilterListener(receiveMessage) { + @Override + public void onResponse(Void unused) { + receiveMessage.run(); + } + }; + } else { + final Thread executingThread = Thread.currentThread(); + filterListener = new AbstractFilterListener(receiveMessage) { + @Override + public void onResponse(Void unused) { + if (executingThread == Thread.currentThread()) { + // only fork off if we get called on another thread this means we moved to + // an async execution and in this case we need to go back to the thread pool + // that was actually executing it. it's also possible that the + // thread-pool we are supposed to execute on is `SAME` in that case + // the handler is OK with executing on a network thread and we can just continue even if + // we are on another thread due to async operations receiveMessage.run(); - } - }; - } else { - final Thread executingThread = Thread.currentThread(); - filterListener = new AbstractFilterListener(receiveMessage) { - @Override - public void onResponse(Void unused) { - if (executingThread == Thread.currentThread()) { - // only fork off if we get called on another thread this means we moved to - // an async execution and in this case we need to go back to the thread pool - // that was actually executing it. 
it's also possible that the - // thread-pool we are supposed to execute on is `SAME` in that case - // the handler is OK with executing on a network thread and we can just continue even if - // we are on another thread due to async operations - receiveMessage.run(); - } else { - try { - threadPool.executor(executorName).execute(receiveMessage); - } catch (Exception e) { - onFailure(e); - } + } else { + try { + threadPool.executor(executorName).execute(receiveMessage); + } catch (Exception e) { + onFailure(e); } } - }; - } - filter.inbound(action, request, channel, filterListener); - } else { - getReceiveRunnable(request, channel, task).run(); + } + }; } + filter.inbound(action, request, channel, filterListener); + } } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java index 0f6ca3bb1f04b..239cd8e0acf02 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java 
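Review bot: With the `XPackSettings.SECURITY_ENABLED` gate gone, messageReceived now runs every inbound message through the profile's ServerTransportFilter, so the behaviour of a security-disabled node rests entirely on this handler not being registered for it — a decision made in Security.java, outside this diff. If that is indeed the contract, a one-line comment at the top of messageReceived would record it for future maintainers: `// only registered when security is enabled; the profile filter is applied to every inbound message`. Without it the next person to see the unconditional `filter.inbound(...)` has to rediscover where the enable/disable decision moved.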
@@ -9,16 +9,11 @@ import org.elasticsearch.Version; import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction; import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest; -import org.elasticsearch.action.main.MainAction; import org.elasticsearch.action.support.DestructiveOperations; -import org.elasticsearch.cluster.ClusterState; -import org.elasticsearch.cluster.block.ClusterBlocks; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.ClusterSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.gateway.GatewayService; -import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.tasks.Task; import org.elasticsearch.test.ClusterServiceUtils; import org.elasticsearch.test.ESTestCase; @@ -35,7 +30,6 @@ import org.elasticsearch.transport.TransportResponse.Empty; import org.elasticsearch.transport.TransportResponseHandler; import org.elasticsearch.transport.TransportService; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; @@ -54,8 +48,6 @@ import java.util.concurrent.atomic.AtomicReference; import java.util.function.Consumer; -import static org.hamcrest.Matchers.is; -import static org.hamcrest.Matchers.nullValue; import static org.mockito.Matchers.any; import static org.mockito.Matchers.eq; import static org.mockito.Mockito.doAnswer; @@ -63,7 +55,6 @@ import static org.mockito.Mockito.never; import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.when; public class SecurityServerTransportInterceptorTests extends ESTestCase { 
@@ -71,7 +62,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase { private Settings settings; private ThreadPool threadPool; private ThreadContext threadContext; - private XPackLicenseState xPackLicenseState; private SecurityContext securityContext; private ClusterService clusterService; @@ -83,7 +73,6 @@ public void setUp() throws Exception { clusterService = ClusterServiceUtils.createClusterService(threadPool); threadContext = threadPool.getThreadContext(); securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext())); - xPackLicenseState = mock(XPackLicenseState.class); } @After 
@@ -92,95 +81,6 @@ public void stopThreadPool() throws Exception { terminate(threadPool); } - public void testSendAsyncUserActionWhenUnlicensed() { - Settings securityDisabledSettings = Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), - securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, - Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); - ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener - AtomicBoolean calledWrappedSender = new AtomicBoolean(false); - AtomicReference sendingUser = new AtomicReference<>(); - AsyncSender sender = interceptor.interceptSender(new AsyncSender() { - @Override - public void sendRequest(Transport.Connection connection, String action, TransportRequest request, - TransportRequestOptions options, TransportResponseHandler handler) { - if (calledWrappedSender.compareAndSet(false, true) == false) { - fail("sender called more than once!"); - } - sendingUser.set(securityContext.getUser()); - } - }); - Connection connection = mock(Connection.class); - when(connection.getVersion()).thenReturn(Version.CURRENT); - sender.sendRequest(connection, MainAction.NAME, null, null, null); - assertTrue(calledWrappedSender.get()); - assertThat(sendingUser.get(), nullValue()); - verifyNoMoreInteractions(xPackLicenseState); - } - - public void testSendAsyncInternalActionWhenUnlicensed() { - Settings securityDisabledSettings = Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, 
threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), - securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, - Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); - ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener - AtomicBoolean calledWrappedSender = new AtomicBoolean(false); - AtomicReference sendingUser = new AtomicReference<>(); - AsyncSender sender = interceptor.interceptSender(new AsyncSender() { - @Override - public void sendRequest(Transport.Connection connection, String action, TransportRequest request, - TransportRequestOptions options, TransportResponseHandler handler) { - if (calledWrappedSender.compareAndSet(false, true) == false) { - fail("sender called more than once!"); - } - sendingUser.set(securityContext.getUser()); - } - }); - Connection connection = mock(Connection.class); - when(connection.getVersion()).thenReturn(Version.CURRENT); - sender.sendRequest(connection, "internal:foo", null, null, null); - assertTrue(calledWrappedSender.get()); - assertThat(sendingUser.get(), is(SystemUser.INSTANCE)); - verify(securityContext).executeAsUser(any(User.class), anyConsumer(), eq(Version.CURRENT)); - verifyNoMoreInteractions(xPackLicenseState); - }any(Consumer.class) - - public void testSendAsyncWithStateNotRecovered() { - final boolean authAllowed = randomBoolean(); - Settings securityDisabledSettings = - Settings.builder().put(settings).put(XPackSettings.SECURITY_ENABLED.getKey(), authAllowed).build(); - SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(securityDisabledSettings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), - securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, - 
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); - ClusterState notRecovered = ClusterState.builder(clusterService.state()) - .blocks(ClusterBlocks.builder().addGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK).build()) - .build(); - ClusterServiceUtils.setState(clusterService, notRecovered); - assertTrue(clusterService.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)); - - AtomicBoolean calledWrappedSender = new AtomicBoolean(false); - AtomicReference sendingUser = new AtomicReference<>(); - AsyncSender sender = interceptor.interceptSender(new AsyncSender() { - @Override - public void sendRequest(Transport.Connection connection, String action, TransportRequest request, - TransportRequestOptions options, TransportResponseHandler handler) { - if (calledWrappedSender.compareAndSet(false, true) == false) { - fail("sender called more than once!"); - } - sendingUser.set(securityContext.getUser()); - } - }); - Connection connection = mock(Connection.class); - when(connection.getVersion()).thenReturn(Version.CURRENT); - sender.sendRequest(connection, "internal:foo", null, null, null); - assertTrue(calledWrappedSender.get()); - assertEquals(SystemUser.INSTANCE, sendingUser.get()); - verify(securityContext).executeAsUser(any(User.class), anyConsumer(), eq(Version.CURRENT)); - verifyNoMoreInteractions(xPackLicenseState); - } public void testSendAsync() throws Exception { final User authUser = randomBoolean() ? new User("authenticator") : null; 
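Review bot: Deleting `testSendAsyncWithStateNotRecovered` removes the only visible coverage of how the interceptor handles `GatewayService.STATE_NOT_RECOVERED_BLOCK`, and the production class still imports GatewayService after this commit, which suggests that code path still exists. Only the license and security-disabled parts of that test became obsolete; a variant that constructs the interceptor with the new signature, sets the not-recovered block on the cluster state, and asserts the request is still sent as `SystemUser.INSTANCE` would keep that behaviour pinned. The two `...WhenUnlicensed` tests are legitimately gone with the settings gate.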
@@ -188,7 +88,7 @@ public void testSendAsync() throws Exception { final Authentication authentication = new Authentication(user, new RealmRef("ldap", "foo", "node1"), null); authentication.writeToContext(threadContext); SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), + mock(AuthenticationService.class), mock(AuthorizationService.class), mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener @@ -212,7 +112,6 @@ public void sendRequest(Transport.Connection conne assertEquals(user, sendingUser.get()); assertEquals(user, securityContext.getUser()); verify(securityContext, never()).executeAsUser(any(User.class), anyConsumer(), any(Version.class)); - verifyNoMoreInteractions(xPackLicenseState); } public void testSendAsyncSwitchToSystem() throws Exception { @@ -223,7 +122,7 @@ public void testSendAsyncSwitchToSystem() throws Exception { threadContext.putTransient(AuthorizationServiceField.ORIGINATING_ACTION_KEY, "indices:foo"); SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), + mock(AuthenticationService.class), mock(AuthorizationService.class), mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener 
@@ -248,12 +147,11 @@ public void sendRequest(Transport.Connection conne assertEquals(SystemUser.INSTANCE, sendingUser.get()); assertEquals(user, securityContext.getUser()); verify(securityContext).executeAsUser(any(User.class), anyConsumer(), eq(Version.CURRENT)); - verifyNoMoreInteractions(xPackLicenseState); } public void testSendWithoutUser() throws Exception { SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), + mock(AuthenticationService.class), mock(AuthorizationService.class), mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService) { @Override @@ -277,7 +175,6 @@ public void sendRequest(Transport.Connection conne assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage()); assertNull(securityContext.getUser()); verify(securityContext, never()).executeAsUser(any(User.class), anyConsumer(), any(Version.class)); - verifyNoMoreInteractions(xPackLicenseState); } public void testSendToNewerVersionSetsCorrectVersion() throws Exception { 
@@ -288,7 +185,7 @@ public void testSendToNewerVersionSetsCorrectVersion() throws Exception { threadContext.putTransient(AuthorizationServiceField.ORIGINATING_ACTION_KEY, "indices:foo"); SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), + mock(AuthenticationService.class), mock(AuthorizationService.class), mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener @@ -329,7 +226,7 @@ public void testSendToOlderVersionSetsCorrectVersion() throws Exception { threadContext.putTransient(AuthorizationServiceField.ORIGINATING_ACTION_KEY, "indices:foo"); SecurityServerTransportInterceptor interceptor = new SecurityServerTransportInterceptor(settings, threadPool, - mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class), + mock(AuthenticationService.class), mock(AuthorizationService.class), mock(SSLService.class), securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY, Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService); ClusterServiceUtils.setState(clusterService, clusterService.state()); // force state update to trigger listener @@ -444,11 +341,10 @@ public void testProfileSecuredRequestHandlerDecrementsRefCountOnFailure() throws threadContext, randomBoolean(), destructiveOperations, - securityContext, - xPackLicenseState + securityContext ) ), - xPackLicenseState, + settings, threadPool ); final TransportChannel channel = mock(TransportChannel.class); 
From eafef85d7f3cae285c759ec32eb80fdcd174d03b Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 2 Aug 2021 17:29:02 +0300 Subject: [PATCH 35/46] spotless and a test fix --- .../packaging/test/DockerTests.java | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index 5703b6134edbf..fbb4a13134267 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java @@ -327,10 +327,7 @@ public void test080ConfigurePasswordThroughEnvironmentVariableFile() throws Exce // ELASTIC_PASSWORD_FILE Files.writeString(tempDir.resolve(passwordFilename), xpackPassword + "\n"); - Map envVars = Map.of( - "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + passwordFilename - ); + Map envVars = Map.of("ELASTIC_PASSWORD_FILE", "/run/secrets/" + passwordFilename); // File permissions need to be secured in order for the ES wrapper to accept // them for populating env var values @@ -378,10 +375,7 @@ public void test081SymlinksAreFollowedWithEnvironmentVariableFiles() throws Exce // it won't resolve inside the container. Files.createSymbolicLink(tempDir.resolve(symlinkFilename), Path.of(passwordFilename)); - Map envVars = Map.of( - "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + symlinkFilename - ); + Map envVars = Map.of("ELASTIC_PASSWORD_FILE", "/run/secrets/" + symlinkFilename); // File permissions need to be secured in order for the ES wrapper to accept // them for populating env var values. The wrapper will resolve the symlink 
@@ -467,10 +461,7 @@ public void test084SymlinkToFileWithInvalidPermissionsIsRejected() throws Except // it won't resolve inside the container. Files.createSymbolicLink(tempDir.resolve(symlinkFilename), Path.of(passwordFilename)); - Map envVars = Map.of( - "ELASTIC_PASSWORD_FILE", - "/run/secrets/" + symlinkFilename - ); + Map envVars = Map.of("ELASTIC_PASSWORD_FILE", "/run/secrets/" + symlinkFilename); // Set invalid permissions on the file that the symlink targets Files.setPosixFilePermissions(tempDir.resolve(passwordFilename), p775); @@ -757,7 +748,7 @@ public void test123CannotUseUnknownLoggingConfig() { * Check that it when configuring logging to write to disk, the container can be restarted. */ public void test124CanRestartContainerWithStackLoggingConfig() throws Exception { - runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file"))); + runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file","ELASTIC_PASSWORD", PASSWORD))); waitForElasticsearch(installation, USERNAME, PASSWORD); From b2f26a0419da17e99b32229254b89f10487dfb78 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 2 Aug 2021 17:57:26 +0300 Subject: [PATCH 36/46] moar spotless violations --- .../test/java/org/elasticsearch/packaging/test/DockerTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index fbb4a13134267..66d05a45f5eca 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java 
@@ -748,7 +748,7 @@ public void test123CannotUseUnknownLoggingConfig() { * Check that it when configuring logging to write to disk, the container can be restarted. */ public void test124CanRestartContainerWithStackLoggingConfig() throws Exception { - runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file","ELASTIC_PASSWORD", PASSWORD))); + runContainer(distribution(), builder().envVars(Map.of("ES_LOG_STYLE", "file", "ELASTIC_PASSWORD", PASSWORD))); waitForElasticsearch(installation, USERNAME, PASSWORD); From 364a984092068f458ab95de97cff9d91ac073e80 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 2 Aug 2021 23:05:24 +0300 Subject: [PATCH 37/46] Attempt to fix KeystoreManagementTests and other feedback --- .../test/KeystoreManagementTests.java | 22 ++++++++----------- .../elasticsearch/packaging/util/Docker.java | 2 +- .../InferencePipelineAggregationBuilder.java | 2 +- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java index f8c91f945416f..65e7c443d77ba 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java 
@@ -266,12 +266,11 @@ public void test51WrongKeystorePasswordFromFile() throws Exception { public void test60DockerEnvironmentVariablePassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; - Path dockerKeystore = installation.config("elasticsearch.keystore"); - Path localKeystoreFile = getKeystoreFileFromDockerContainer(password, dockerKeystore); + Path localConfigDir = getMountedLocalConfDirWithKeystore(password, installation.config); // restart ES with password and mounted keystore - Map volumes = Map.of(localKeystoreFile, dockerKeystore); + Map volumes = Map.of(localConfigDir, installation.config); Map envVars = Map.of( "KEYSTORE_PASSWORD", password, @@ -302,12 +301,10 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { Files.writeString(tempDir.resolve(passwordFilename), password + "\n"); Files.setPosixFilePermissions(tempDir.resolve(passwordFilename), p600); - Path dockerKeystore = installation.config("elasticsearch.keystore"); - - Path localKeystoreFile = getKeystoreFileFromDockerContainer(password, dockerKeystore); + Path localConfigDir = getMountedLocalConfDirWithKeystore(password, installation.config); // restart ES with password and mounted keystore - Map volumes = Map.of(localKeystoreFile, dockerKeystore, tempDir, Path.of("/run/secrets")); + Map volumes = Map.of(localConfigDir, installation.config, tempDir, Path.of("/run/secrets")); Map envVars = Map.of( "KEYSTORE_PASSWORD_FILE", "/run/secrets/" + passwordFilename, 
@@ -336,12 +333,11 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { public void test62DockerEnvironmentVariableBadPassword() throws Exception { assumeTrue(distribution().isDocker()); String password = "keystore-password"; - Path dockerKeystore = installation.config("elasticsearch.keystore"); - Path localKeystoreFile = getKeystoreFileFromDockerContainer(password, dockerKeystore); + Path localConfigPath = getMountedLocalConfDirWithKeystore(password, installation.config); - // restart ES with password and mounted keystore - Map volumes = Map.of(localKeystoreFile, dockerKeystore); + // restart ES with password and mounted config dir + Map volumes = Map.of(localConfigPath, installation.config); Map envVars = Map.of("KEYSTORE_PASSWORD", "wrong"); Shell.Result r = runContainerExpectingFailure(distribution(), builder().volumes(volumes).envVars(envVars)); assertThat(r.stderr, containsString(ERROR_INCORRECT_PASSWORD)); @@ -354,7 +350,7 @@ public void test62DockerEnvironmentVariableBadPassword() throws Exception { * the keystore, and then returns the path of the file that appears in the * mounted directory (now accessible from the local filesystem). */ - private Path getKeystoreFileFromDockerContainer(String password, Path dockerKeystore) throws IOException { + private Path getMountedLocalConfDirWithKeystore(String password, Path dockerKeystore) throws IOException { // Mount a temporary directory for copying the keystore Path dockerTemp = Path.of("/usr/tmp/keystore-tmp"); Path tempDirectory = createTempDir(KeystoreManagementTests.class.getSimpleName()); @@ -388,7 +384,7 @@ private Path getKeystoreFileFromDockerContainer(String password, Path dockerKeys // copy keystore to temp file to make it available to docker host sh.run("cp " + dockerKeystore + " " + dockerTemp); - return tempDirectory.resolve("elasticsearch.keystore"); + return tempDirectory; } /** Create a keystore. Provide a password to password-protect it, otherwise use null */ 
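Review bot: The Javadoc above the renamed `getMountedLocalConfDirWithKeystore` still says the helper "returns the path of the file that appears in the mounted directory", but the last hunk now returns `tempDirectory` itself, so the comment is stale. The parameter is also still named `dockerKeystore` while every caller changed in this patch now passes `installation.config`, a directory, and the unchanged `sh.run("cp " + dockerKeystore + " " + dockerTemp)` just above the return has no recursive flag, so a directory will not be copied (the method body between the two hunks is outside this view). I would rename the parameter to `dockerConfigDir` and replace the last Javadoc sentence with `* returns the host-side temporary directory into which the container's config directory (including the keystore) was copied, so callers can mount it back over {@code installation.config}`.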
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java index af4b25654afd3..6c80d52ca7573 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/util/Docker.java @@ -189,7 +189,7 @@ private static void waitForElasticsearchToExit() { } catch (Exception e) { logger.warn("Caught exception while waiting for ES to exit", e); } - } while (attempt++ < 5); + } while (attempt++ < 8); if (isElasticsearchRunning) { final Shell.Result dockerLogs = getContainerLogs(); diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/aggs/inference/InferencePipelineAggregationBuilder.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/aggs/inference/InferencePipelineAggregationBuilder.java index 19eca6c14dfc1..8550eff30248c 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/aggs/inference/InferencePipelineAggregationBuilder.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/aggs/inference/InferencePipelineAggregationBuilder.java @@ -242,7 +242,7 @@ public InferencePipelineAggregationBuilder rewrite(QueryRewriteContext context) context.registerAsyncAction((client, listener) -> { if (XPackSettings.SECURITY_ENABLED.get(settings)) { // check the user has ml privileges - SecurityContext securityContext = new SecurityContext(Settings.EMPTY, client.threadPool().getThreadContext()); + SecurityContext securityContext = new SecurityContext(settings, client.threadPool().getThreadContext()); useSecondaryAuthIfAvailable(securityContext, () -> { final String username = securityContext.getUser().principal(); final HasPrivilegesRequest privRequest = new HasPrivilegesRequest(); From 5a008fa3b415f74276ad224e2bd4eb980c26fb09 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Tue, 3 Aug 2021 10:36:52 +0300 Subject: [PATCH 38/46] remove redundant checks --- .../elasticsearch/xpack/security/authc/Realms.java | 9 ++------- .../authc/support/DelegatedAuthorizationSupport.java | 5 +---- .../xpack/security/authc/RealmsTests.java | 12 ------------ 3 files changed, 3 insertions(+), 23 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index 25073aa9c137e..6418120cbb75f 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java @@ -74,6 +74,7 @@ public Realms(Settings settings, Environment env, Map fac this.licenseState = licenseState; this.threadContext = threadContext; this.reservedRealm = reservedRealm; + assert XPackSettings.SECURITY_ENABLED.get(settings) : "security must be enabled"; assert factories.get(ReservedRealm.TYPE) == null; final List realmConfigs = buildRealmConfigs(); this.realms = initRealms(realmConfigs); @@ -114,10 +115,6 @@ public Iterator iterator() { */ public List getUnlicensedRealms() { final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState(); - // If auth is not allowed, then everything is unlicensed - if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) { - return Collections.unmodifiableList(realms); - } // If all realms are allowed, then nothing is unlicensed if (licenseStateSnapshot.checkFeature(Feature.SECURITY_ALL_REALMS)) { 
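Review bot: The new `assert XPackSettings.SECURITY_ENABLED.get(settings)` in the Realms constructor only fires when assertions are enabled, so in production nothing replaces the fail-closed branch that `getUnlicensedRealms` used to have (every realm reported as unlicensed when security was off). That is acceptable if Realms is really only built when security is enabled, as the later commit message on this page states, but the invariant should be written where the next reader looks: above the assertion add `// Realms is only constructed by the Security plugin when xpack.security.enabled is true; callers must not rely on this class to enforce that.` The `getUnlicensedRealms` method continues beyond the hunk.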
@@ -141,9 +138,7 @@ public Stream stream() { public List asList() { final XPackLicenseState licenseStateSnapshot = licenseState.copyCurrentLicenseState(); - if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) { - return Collections.emptyList(); - } + if (licenseStateSnapshot.checkFeature(Feature.SECURITY_ALL_REALMS)) { return realms; } else if (licenseStateSnapshot.checkFeature(Feature.SECURITY_STANDARD_REALMS)) { diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java index 3f954ec0c11cb..1fc4efd4d91e3 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java @@ -17,7 +17,6 @@ import org.elasticsearch.license.LicenseUtils; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; @@ -43,7 +42,6 @@ public class DelegatedAuthorizationSupport { private final RealmUserLookup lookup; private final Logger logger; private final XPackLicenseState licenseState; - private final Settings settings; /** * Resolves the {@link DelegatedAuthorizationSettings#AUTHZ_REALMS} setting from {@code config} and calls @@ -66,7 +64,6 @@ protected DelegatedAuthorizationSupport(Iterable allRealms, Lis this.lookup = new RealmUserLookup(resolvedLookupRealms, threadContext); this.logger = LogManager.getLogger(getClass()); this.licenseState = licenseState; - this.settings = settings; } /** 
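Review bot: The removal in `asList` leaves a stray blank line between the `licenseStateSnapshot` declaration and the `if`, visible as a bare `+` line in the hunk; drop it so the method reads like `getUnlicensedRealms` above it. The method continues past the hunk.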
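Review bot: With `this.settings = settings` gone, the `settings` parameter of the `DelegatedAuthorizationSupport` constructor looks unused, since its Javadoc says the authorization realms are resolved from `config` rather than from node settings; if nothing else in the body reads it (the signature is truncated in this view), remove the parameter here and in the realm subclasses that call it, otherwise a reader will assume it still matters. If it must stay to avoid touching every realm constructor, add `// settings is no longer read here; kept only to avoid changing the realm constructors` next to it.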
@@ -85,7 +82,7 @@ public boolean hasDelegation() { * with a meaningful diagnostic message. */ public void resolve(String username, ActionListener resultListener) { - boolean authzOk = XPackSettings.SECURITY_ENABLED.get(settings) && licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM); + boolean authzOk = licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_REALM); if (authzOk == false) { resultListener.onResponse(AuthenticationResult.unsuccessful( DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX + " are not permitted", diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 606a4e1e22dd1..96d5470c08c9d 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java @@ -16,7 +16,6 @@ import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationToken; import org.elasticsearch.xpack.core.security.authc.Realm; 
@@ -481,17 +480,6 @@ public void testDisabledRealmsAreNotAdded() throws Exception { assertThat(realms.getUnlicensedRealms(), hasSize(orderToIndex.size())); } - public void testAuthcAuthzDisabled() throws Exception { - Settings settings = Settings.builder() - .put("path.home", createTempDir()) - .put(XPackSettings.SECURITY_ENABLED.getKey(), false) - .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".realm_1.order", 0) - .build(); - Environment env = TestEnvironment.newEnvironment(settings); - Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); - assertThat(realms.iterator().hasNext(), is(false)); - } - @SuppressWarnings("unchecked") public void testUsageStats() throws Exception { // test realms with duplicate values From 1c98a3c6a1143d462f9163779574d71b8fd94549 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 3 Aug 2021 15:03:09 +0300 Subject: [PATCH 39/46] add test for Security#onIndexModule --- .../xpack/security/SecurityTests.java | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 2313315ed44aa..9abcba9b3e45e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java 
@@ -32,6 +32,11 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; +import org.elasticsearch.index.Index; +import org.elasticsearch.index.IndexModule; +import org.elasticsearch.index.IndexSettings; +import org.elasticsearch.index.analysis.AnalysisRegistry; +import org.elasticsearch.index.engine.InternalEngineFactory; import org.elasticsearch.indices.TestIndexNameExpressionResolver; import org.elasticsearch.license.License; import org.elasticsearch.license.TestUtils; @@ -40,6 +45,7 @@ import org.elasticsearch.rest.RestRequest; import org.elasticsearch.script.ScriptService; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.test.IndexSettingsModule; import org.elasticsearch.test.MockLogAppender; import org.elasticsearch.test.VersionUtils; import org.elasticsearch.test.rest.FakeRestRequest; @@ -84,6 +90,7 @@ import java.util.function.Predicate; import java.util.stream.Collectors; +import static java.util.Collections.emptyMap; import static org.elasticsearch.cluster.metadata.IndexMetadata.INDEX_FORMAT_SETTING; import static org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames.SECURITY_MAIN_ALIAS; import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_MAIN_INDEX_FORMAT; @@ -94,6 +101,7 @@ import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.notNullValue; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.when; public class SecurityTests extends ESTestCase { 
@@ -236,6 +244,24 @@ public void testSettingFilter() throws Exception { assertThat(filter, hasItem("transport.profiles.*.xpack.security.*")); } + public void testOnIndexModuleIsNoOpWithSecurityDisabled() throws Exception { + Settings settings = Settings.builder() + .put(XPackSettings.SECURITY_ENABLED.getKey(), false) + .put("path.home", createTempDir()) + .build(); + createComponents(settings); + IndexSettings indexSettings = IndexSettingsModule.newIndexSettings("foo", Settings.EMPTY); + ThreadPool threadPool = mock(ThreadPool.class); + when(threadPool.getThreadContext()).thenReturn(threadContext); + AnalysisRegistry emptyAnalysisRegistry = new AnalysisRegistry(TestEnvironment.newEnvironment(settings), emptyMap(), emptyMap(), + emptyMap(), emptyMap(), emptyMap(), emptyMap(), emptyMap(), emptyMap(), emptyMap()); + IndexModule indexModule = new IndexModule(indexSettings, emptyAnalysisRegistry, new InternalEngineFactory(), Collections.emptyMap(), + () -> true, TestIndexNameExpressionResolver.newInstance(threadPool.getThreadContext()), Collections.emptyMap()); + security.onIndexModule(indexModule); + // indexReaderWrapper is a SetOnce so if Security#onIndexModule had already set an ReaderWrapper we would get an exception here + indexModule.setReaderWrapper(null); + } + public void testFilteredSettings() throws Exception { createComponents(Settings.EMPTY); final List> realmSettings = security.getSettings().stream() From 528bb2c7b74edcbe812ff22a69d92e21be2e1ae4 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 3 Aug 2021 15:37:17 +0300 Subject: [PATCH 40/46] minor fixes --- .../java/org/elasticsearch/xpack/security/SecurityTests.java | 2 -- .../security/rest/action/apikey/RestQueryApiKeyActionTests.java | 2 -- 2 files changed, 4 deletions(-) 
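Review bot: The only assertion in `testOnIndexModuleIsNoOpWithSecurityDisabled` is implicit, a second `setReaderWrapper` call not throwing, and the comment explaining it has a typo ("an ReaderWrapper"); make the intent explicit with `// IndexModule#setReaderWrapper is backed by a SetOnce, so this throws AlreadySetException if Security#onIndexModule already installed a wrapper`. `Security#onIndexModule` also registers a `SecuritySearchOperationListener` when enabled (see the Security.java hunk further down this page), which this test does not cover; if IndexModule exposes its registered listeners, assert that none was added either. The test also mixes the static `emptyMap()` import with `Collections.emptyMap()` on the next line; pick one.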
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 9abcba9b3e45e..bf62f60336a58 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java @@ -32,7 +32,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; import org.elasticsearch.env.TestEnvironment; -import org.elasticsearch.index.Index; import org.elasticsearch.index.IndexModule; import org.elasticsearch.index.IndexSettings; import org.elasticsearch.index.analysis.AnalysisRegistry; @@ -101,7 +100,6 @@ import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.notNullValue; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.when; public class SecurityTests extends ESTestCase { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestQueryApiKeyActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestQueryApiKeyActionTests.java index 93bda06846806..d07a1d45fa751 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestQueryApiKeyActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/apikey/RestQueryApiKeyActionTests.java @@ -38,7 +38,6 @@ import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; public class RestQueryApiKeyActionTests extends ESTestCase { 
@@ -51,7 +50,6 @@ public void setUp() throws Exception { super.setUp(); settings = Settings.builder().put("path.home", createTempDir().toString()).put("node.name", "test-" + getTestName()) .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toString()).build(); - when(mockLicenseState.isSecurityEnabled()).thenReturn(true); threadPool = new ThreadPool(settings); } From 36f4e5e0a48132346a54cc6573199bec40ed5d74 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 3 Aug 2021 23:03:56 +0300 Subject: [PATCH 41/46] incorporate Albert's fixes for packaging tests --- .../packaging/test/KeystoreManagementTests.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java index 81e1b184aa5e1..4d22d6cacf118 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/KeystoreManagementTests.java @@ -269,8 +269,8 @@ public void test60DockerEnvironmentVariablePassword() throws Exception { Path localConfigDir = getMountedLocalConfDirWithKeystore(password, installation.config); - // restart ES with password and mounted keystore - Map volumes = Map.of(localConfigDir, installation.config); + // restart ES with password and mounted config dir containing password protected keystore + Map volumes = Map.of(localConfigDir.resolve("config"), installation.config); Map envVars = Map.of( "KEYSTORE_PASSWORD", password, @@ -294,7 +294,7 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { Path tempDir = null; try { - tempDir = createTempDir(DockerTests.class.getSimpleName()); + tempDir = createTempDir(KeystoreManagementTests.class.getSimpleName()); String password = "keystore-password"; String passwordFilename = "password.txt"; 
@@ -303,8 +303,8 @@ public void test61DockerEnvironmentVariablePasswordFromFile() throws Exception { Path localConfigDir = getMountedLocalConfDirWithKeystore(password, installation.config); - // restart ES with password and mounted keystore - Map volumes = Map.of(localConfigDir, installation.config, tempDir, Path.of("/run/secrets")); + // restart ES with password and mounted config dir containing password protected keystore + Map volumes = Map.of(localConfigDir.resolve("config"), installation.config, tempDir, Path.of("/run/secrets")); Map envVars = Map.of( "KEYSTORE_PASSWORD_FILE", "/run/secrets/" + passwordFilename, @@ -336,8 +336,8 @@ public void test62DockerEnvironmentVariableBadPassword() throws Exception { Path localConfigPath = getMountedLocalConfDirWithKeystore(password, installation.config); - // restart ES with password and mounted config dir - Map volumes = Map.of(localConfigPath, installation.config); + // restart ES with password and mounted config dir containing password protected keystore + Map volumes = Map.of(localConfigPath.resolve("config"), installation.config); Map envVars = Map.of("KEYSTORE_PASSWORD", "wrong"); Shell.Result r = runContainerExpectingFailure(distribution(), builder().volumes(volumes).envVars(envVars)); assertThat(r.stderr, containsString(ERROR_INCORRECT_PASSWORD)); @@ -383,7 +383,7 @@ private Path getMountedLocalConfDirWithKeystore(String password, Path dockerKeys sh.run("bash " + dockerTemp.resolve("set-pass.sh")); // copy keystore to temp file to make it available to docker host - sh.run("cp " + dockerKeystore + " " + dockerTemp); + sh.run("cp -arf" + dockerKeystore + " " + dockerTemp); return tempDirectory; } From d3b362c246f43b784e1e4583fe7c24c99db65fd6 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 4 Aug 2021 07:21:16 +0300 Subject: [PATCH 42/46] change security check test --- .../java/org/elasticsearch/packaging/test/DockerTests.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
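Review bot: The `cp` command in the last hunk is missing the space between the flags and the source path: `"cp -arf" + dockerKeystore` produces `cp -arf/usr/...`, and cp will reject the `/` as an invalid option instead of copying the config directory. Change it to `sh.run("cp -arf " + dockerKeystore + " " + dockerTemp);`. If `sh.run` does not fail on a non-zero exit status (not visible here), tests 60–62 would then mount an empty `config` directory and fail with a much less obvious error, so it is worth asserting the copy succeeded as well.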
diff --git a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java index 53e2006696d2d..1c9faa8af8cc1 100644 --- a/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java +++ b/qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java @@ -115,8 +115,8 @@ public void test010Install() { */ public void test011SecurityEnabledStatus() throws Exception { waitForElasticsearch(installation, USERNAME, PASSWORD); - final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), USERNAME, PASSWORD, null); - assertThat(statusCode, equalTo(200)); + final int statusCode = ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), USERNAME, "wrong_password", null); + assertThat(statusCode, equalTo(401)); // restart container with security disabled runContainer(distribution(), builder().envVars(Map.of("xpack.security.enabled", "false"))); From 5e4af06593f4de9b06451a2956ee4fe0f874a8c0 Mon Sep 17 00:00:00 2001 
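Review bot: After this change `test011SecurityEnabledStatus` only checks that a wrong password is rejected with 401; it no longer asserts that the right credentials are accepted, and it never exercises the credential-less request, which is the case that actually distinguishes "security on" from the security-disabled restart that follows. `waitForElasticsearch(installation, USERNAME, PASSWORD)` presumably covers the positive path, but I would keep the `equalTo(200)` assertion with `PASSWORD` and add an anonymous check next to the new one, e.g. `assertThat(ServerUtils.makeRequestAndGetStatus(Request.Get("http://localhost:9200"), null, null, null), equalTo(401));` if the helper accepts null credentials (its signature is outside this view). The test method continues past the hunk.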
From: Ioannis Kakavas Date: Wed, 4 Aug 2021 11:12:47 +0300 Subject: [PATCH 43/46] Remove moar redundant checks for whether security is enabled in components that are only loaded when security _is_ enabled --- .../SecuritySearchOperationListenerTests.java | 29 ++-------- .../xpack/security/Security.java | 11 ++-- .../security/audit/AuditTrailService.java | 3 +- .../xpack/security/authc/ApiKeyService.java | 6 +- .../xpack/security/authc/TokenService.java | 6 +- .../security/authz/AuthorizationService.java | 5 +- .../DlsFlsRequestCacheDifferentiator.java | 10 +--- .../SecuritySearchOperationListener.java | 56 ++++++++----------- .../security/rest/SecurityRestFilter.java | 51 +++++++---------- .../xpack/security/SecurityTests.java | 5 -- .../audit/AuditTrailServiceTests.java | 3 +- .../authc/AuthenticationServiceTests.java | 2 +- .../support/SecondaryAuthenticatorTests.java | 2 +- .../authz/AuthorizationServiceTests.java | 2 +- ...DlsFlsRequestCacheDifferentiatorTests.java | 13 +---- ...IndicesAliasesRequestInterceptorTests.java | 4 +- .../ResizeRequestInterceptorTests.java | 4 +- .../rest/SecurityRestFilterTests.java | 16 +----- .../transport/filter/IPFilterTests.java | 2 +- .../IpFilterRemoteAddressFilterTests.java | 2 +- .../transport/nio/NioIPFilterTests.java | 2 +- 21 files changed, 75 insertions(+), 159 deletions(-) diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java index 379e9cb033b05..4df04655d6e49 100644 --- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java +++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java 
@@ -19,13 +19,11 @@ import org.elasticsearch.search.SearchContextMissingException; import org.elasticsearch.search.internal.InternalScrollSearchRequest; import org.elasticsearch.search.internal.LegacyReaderContext; -import org.elasticsearch.search.internal.SearchContext; import org.elasticsearch.search.internal.ShardSearchContextId; import org.elasticsearch.search.internal.ShardSearchRequest; import org.elasticsearch.test.ESSingleNodeTestCase; import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest.Empty; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; 
@@ -64,25 +62,6 @@ public void setupShard() { shard = indexService.getShard(0); } - public void testUnlicensed() { - final ShardSearchRequest shardSearchRequest = mock(ShardSearchRequest.class); - when(shardSearchRequest.scroll()).thenReturn(new Scroll(TimeValue.timeValueMinutes(between(1, 10)))); - try (LegacyReaderContext readerContext = - new LegacyReaderContext(new ShardSearchContextId(UUIDs.randomBase64UUID(), 0L), indexService, shard, - shard.acquireSearcherSupplier(), shardSearchRequest, Long.MAX_VALUE)) { - ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); - AuditTrailService auditTrailService = mock(AuditTrailService.class); - SearchContext searchContext = mock(SearchContext.class); - Settings disabledSecurity = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); - SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, disabledSecurity, auditTrailService); - listener.onNewScrollContext(readerContext); - listener.validateReaderContext(readerContext, Empty.INSTANCE); - verifyZeroInteractions(auditTrailService, searchContext); - } - } - public void testOnNewContextSetsAuthentication() throws Exception { final ShardSearchRequest shardSearchRequest = mock(ShardSearchRequest.class); when(shardSearchRequest.scroll()).thenReturn(new Scroll(TimeValue.timeValueMinutes(between(1, 10)))); 
@@ -98,7 +77,7 @@ public void testOnNewContextSetsAuthentication() throws Exception { threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl); SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService); + new SecuritySearchOperationListener(securityContext, auditTrailService); listener.onNewScrollContext(readerContext); Authentication contextAuth = readerContext.getFromContext(AuthenticationField.AUTHENTICATION_KEY); @@ -125,10 +104,10 @@ public void testValidateSearchContext() throws Exception { final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); AuditTrail auditTrail = mock(AuditTrail.class); AuditTrailService auditTrailService = - new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); + new AuditTrailService(Collections.singletonList(auditTrail), licenseState); SecuritySearchOperationListener listener = - new SecuritySearchOperationListener(securityContext, Settings.EMPTY, auditTrailService); + new SecuritySearchOperationListener(securityContext, auditTrailService); try (StoredContext ignore = threadContext.newStoredContext(false)) { Authentication authentication = new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null); authentication.writeToContext(threadContext); 
@@ -215,7 +194,7 @@ public void testEnsuredAuthenticatedUserIsSame() { XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); AuditTrail auditTrail = mock(AuditTrail.class); - AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); + AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); final String auditId = randomAlphaOfLengthBetween(8, 20); ensureAuthenticatedUserIsSame(original, current, auditTrailService, contextId, action, request, auditId, diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 13a84307d6cfd..3578a4423aa11 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -459,7 +459,7 @@ Collection createComponents(Client client, ThreadPool threadPool, Cluste final List auditTrails = XPackSettings.AUDIT_ENABLED.get(settings) ? Collections.singletonList(new LoggingAuditTrail(settings, clusterService, threadPool)) : Collections.emptyList(); - final AuditTrailService auditTrailService = new AuditTrailService(auditTrails, getLicenseState(), settings); + final AuditTrailService auditTrailService = new AuditTrailService(auditTrails, getLicenseState()); components.add(auditTrailService); this.auditTrailService.set(auditTrailService); 
@@ -849,7 +849,7 @@ public void onIndexModule(IndexModule module) { // attaches information to the scroll context so that we can validate the user that created the scroll against // the user that is executing a scroll operation module.addSearchOperationListener( - new SecuritySearchOperationListener(securityContext.get(), settings, auditTrailService.get())); + new SecuritySearchOperationListener(securityContext.get(), auditTrailService.get())); } } @@ -1151,7 +1151,7 @@ public UnaryOperator getRestHandlerWrapper(ThreadContext threadCont } else { extractClientCertificate = false; } - return handler -> new SecurityRestFilter(settings, threadContext, authcService.get(), secondayAuthc.get(), + return handler -> new SecurityRestFilter(threadContext, authcService.get(), secondayAuthc.get(), handler, extractClientCertificate); } @@ -1184,9 +1184,6 @@ public Function> getFieldFilter() { if (enabled) { return index -> { XPackLicenseState licenseState = getLicenseState(); - if (XPackSettings.SECURITY_ENABLED.get(settings) == false) { - return MapperPlugin.NOOP_FIELD_PREDICATE; - } IndicesAccessControl indicesAccessControl = threadContext.get().getTransient( AuthorizationServiceField.INDICES_PERMISSIONS_KEY); if (indicesAccessControl == null) { @@ -1881,6 +1878,6 @@ public CheckedBiConsumer getReque if (enabled == false) { return null; } - return new DlsFlsRequestCacheDifferentiator(getLicenseState(), securityContext, scriptServiceReference, settings); + return new DlsFlsRequestCacheDifferentiator(getLicenseState(), securityContext, scriptServiceReference); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java index 0059ff888f4b8..43945e30e0987 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java @@ -8,7 +8,6 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; @@ -37,7 +36,7 @@ public class AuditTrailService { private final Duration minLogPeriod = Duration.ofMinutes(30); protected AtomicReference nextLogInstantAtomic = new AtomicReference<>(Instant.EPOCH); - public AuditTrailService(List auditTrails, XPackLicenseState licenseState, Settings settings) { + public AuditTrailService(List auditTrails, XPackLicenseState licenseState) { this.compositeAuditTrail = new CompositeAuditTrail(Collections.unmodifiableList(auditTrails)); this.licenseState = licenseState; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index e65cb7820a465..04497b02e0a10 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -71,7 +71,6 @@ import org.elasticsearch.core.Tuple; import org.elasticsearch.index.query.BoolQueryBuilder; import org.elasticsearch.index.query.QueryBuilders; -import org.elasticsearch.license.LicenseUtils; import org.elasticsearch.search.SearchHit; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.xpack.core.XPackSettings; 
@@ -786,13 +785,10 @@ private Instant getApiKeyExpiration(Instant now, CreateApiKeyRequest request) {
}
private boolean isEnabled() {
- return enabled && XPackSettings.SECURITY_ENABLED.get(settings);
+ return enabled;
}
public void ensureEnabled() {
- if ( XPackSettings.SECURITY_ENABLED.get(settings) == false) {
- throw LicenseUtils.newComplianceException("security is not enabled");
- }
if (enabled == false) {
throw new FeatureNotEnabledException(Feature.API_KEY_SERVICE, "api keys are not enabled");
}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index 1a3f8d1bbb6d0..cb2c2081ece56 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -1586,13 +1586,11 @@ private static String getTokenIdFromDocumentId(String docId) {
}
private boolean isEnabled() {
- return enabled && XPackSettings.SECURITY_ENABLED.get(settings) &&
- licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE);
+ return enabled && licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE);
}
private void ensureEnabled() {
- if ( XPackSettings.SECURITY_ENABLED.get(settings) == false ||
- licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) {
+ if (licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) {
throw LicenseUtils.newComplianceException("security tokens");
}
if (enabled == false) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
index 8198212184461..edb953863c89d 100644
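Review bot: `ApiKeyService.ensureEnabled` loses its only path that reports security itself as disabled, so on a node with security off the method now either passes (if `enabled` happens to be true) or reports `api keys are not enabled`, which misattributes the cause to the caller; `TokenService.ensureEnabled` in the next hunk has the same shape, with only the license check left in front of `enabled`. If the new invariant is that these services are only constructed when security is enabled, state it where callers can see it, e.g. a Javadoc on each `ensureEnabled`: `Assumes security is enabled on this node; the security-enabled setting is no longer checked here.` Both methods' bodies continue outside their hunks.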
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -41,7 +41,6 @@
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.MigrateToDataStreamAction;
-import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.action.CreateDataStreamAction;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest;
@@ -417,8 +416,8 @@ AuthorizationEngine getAuthorizationEngine(final Authentication authentication)
}
private AuthorizationEngine getAuthorizationEngineForUser(final User user) {
- if (rbacEngine != authorizationEngine && XPackSettings.SECURITY_ENABLED.get(settings) &&
- licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_ENGINE)) {
+ if (rbacEngine != authorizationEngine
+ && licenseState.checkFeature(Feature.SECURITY_AUTHORIZATION_ENGINE)) {
if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternal(user)) {
return rbacEngine;
} else {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiator.java
index 10acd1f54f2ee..8c079d9ad71c6 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiator.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiator.java
@@ -11,13 +11,11 @@
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.common.CheckedBiConsumer;
-import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.MemoizedSupplier;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.search.internal.ShardSearchRequest;
-import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
@@ -32,23 +30,17 @@ public class DlsFlsRequestCacheDifferentiator implements CheckedBiConsumer securityContextHolder;
private final SetOnce scriptServiceReference;
- private final Settings settings;
public DlsFlsRequestCacheDifferentiator(XPackLicenseState licenseState,
SetOnce securityContextReference,
- SetOnce scriptServiceReference,
- Settings settings) {
+ SetOnce scriptServiceReference) {
this.licenseState = licenseState;
this.securityContextHolder = securityContextReference;
this.scriptServiceReference = scriptServiceReference;
- this.settings = settings;
}
@Override
public void accept(ShardSearchRequest request, StreamOutput out) throws IOException {
- if (XPackSettings.SECURITY_ENABLED.get(settings) == false) {
- return;
- }
var licenseChecker = new MemoizedSupplier<>(() -> licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS));
final SecurityContext securityContext = securityContextHolder.get();
final IndicesAccessControl indicesAccessControl =
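Review bot: With the early return gone, `accept` performs no enablement check of its own and depends on the caller never installing the differentiator when security is disabled; the `@@ -1881` hunk of Security.java on this page shows `if (enabled == false) { return null; }` doing exactly that, but nothing in this class records it. Put it in the class Javadoc: `Installed only when security is enabled (the request cache key differentiator factory in Security returns null otherwise); this class does not check XPackSettings.SECURITY_ENABLED itself.` The body of `accept` continues past the end of the hunk.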
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
index 723bb37311a4d..f1da24fa70395 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -7,7 +7,6 @@
package org.elasticsearch.xpack.security.authz;
import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.shard.SearchOperationListener;
import org.elasticsearch.search.SearchContextMissingException;
@@ -16,7 +15,6 @@
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.search.internal.ShardSearchContextId;
import org.elasticsearch.transport.TransportRequest;
-import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
@@ -42,11 +40,9 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
private final SecurityContext securityContext;
private final AuditTrailService auditTrailService;
- private final Settings settings;
- public SecuritySearchOperationListener(SecurityContext securityContext, Settings settings, AuditTrailService auditTrail) {
+ public SecuritySearchOperationListener(SecurityContext securityContext, AuditTrailService auditTrail) {
this.securityContext = securityContext;
- this.settings = settings;
this.auditTrailService = auditTrail;
}
@@ -55,15 +51,13 @@ public SecuritySearchOperationListener(SecurityContext securityContext, Settings
*/
@Override
public void onNewScrollContext(ReaderContext readerContext) {
- if (XPackSettings.SECURITY_ENABLED.get(settings)) {
- readerContext.putInContext(AuthenticationField.AUTHENTICATION_KEY, securityContext.getAuthentication());
- // store the DLS and FLS permissions of the initial search request that created the scroll
- // this is then used to assert the DLS/FLS permission for the scroll search action
- IndicesAccessControl indicesAccessControl =
- securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
- assert indicesAccessControl != null : "thread context does not contain index access control";
- readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
- }
+ readerContext.putInContext(AuthenticationField.AUTHENTICATION_KEY, securityContext.getAuthentication());
+ // store the DLS and FLS permissions of the initial search request that created the scroll
+ // this is then used to assert the DLS/FLS permission for the scroll search action
+ IndicesAccessControl indicesAccessControl =
+ securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+ assert indicesAccessControl != null : "thread context does not contain index access control";
+ readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
}
/**
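Review bot: `onNewScrollContext` now unconditionally stores `securityContext.getAuthentication()` in the reader context and asserts that `INDICES_PERMISSIONS_KEY` is present, so its safety rests entirely on `onIndexModule` (the `@@ -849` hunk of Security.java on this page) registering the listener only when security is enabled — that guard, if it exists, is outside the visible hunk; `validateReaderContext` and `ensureIndicesAccessControlForScrollThreadContext` in the following hunks carry the same dependency. Were the listener installed with security off, the assertion would trip under `-ea` and `ensureAuthenticatedUserIsSame` would presumably be called with a null `originalAuth` and `current`. Record the precondition in the class Javadoc: `Registered by Security#onIndexModule only when security is enabled; every callback assumes an authenticated thread context and does not check the security-enabled setting.`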
@@ -72,23 +66,21 @@ public void onNewScrollContext(ReaderContext readerContext) {
*/
@Override
public void validateReaderContext(ReaderContext readerContext, TransportRequest request) {
- if (XPackSettings.SECURITY_ENABLED.get(settings)) {
- if (readerContext.scrollContext() != null) {
- final Authentication originalAuth = readerContext.getFromContext(AuthenticationField.AUTHENTICATION_KEY);
- final Authentication current = securityContext.getAuthentication();
- final ThreadContext threadContext = securityContext.getThreadContext();
- final String action = threadContext.getTransient(ORIGINATING_ACTION_KEY);
- ensureAuthenticatedUserIsSame(originalAuth, current, auditTrailService, readerContext.id(), action, request,
- AuditUtil.extractRequestId(threadContext), threadContext.getTransient(AUTHORIZATION_INFO_KEY));
- // piggyback on context validation to assert the DLS/FLS permissions on the thread context of the scroll search handler
- if (null == securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY)) {
- // fill in the DLS and FLS permissions for the scroll search action from the scroll context
- IndicesAccessControl scrollIndicesAccessControl =
- readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
- assert scrollIndicesAccessControl != null : "scroll does not contain index access control";
- securityContext.getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY,
- scrollIndicesAccessControl);
- }
+ if (readerContext.scrollContext() != null) {
+ final Authentication originalAuth = readerContext.getFromContext(AuthenticationField.AUTHENTICATION_KEY);
+ final Authentication current = securityContext.getAuthentication();
+ final ThreadContext threadContext = securityContext.getThreadContext();
+ final String action = threadContext.getTransient(ORIGINATING_ACTION_KEY);
+ ensureAuthenticatedUserIsSame(originalAuth, current, auditTrailService, readerContext.id(), action, request,
+ AuditUtil.extractRequestId(threadContext), threadContext.getTransient(AUTHORIZATION_INFO_KEY));
+ // piggyback on context validation to assert the DLS/FLS permissions on the thread context of the scroll search handler
+ if (null == securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY)) {
+ // fill in the DLS and FLS permissions for the scroll search action from the scroll context
+ IndicesAccessControl scrollIndicesAccessControl =
+ readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+ assert scrollIndicesAccessControl != null : "scroll does not contain index access control";
+ securityContext.getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY,
+ scrollIndicesAccessControl);
}
}
}
@@ -104,7 +96,7 @@ public void onPreQueryPhase(SearchContext searchContext) {
}
void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
- if (XPackSettings.SECURITY_ENABLED.get(settings) && searchContext.readerContext().scrollContext() != null) {
+ if (searchContext.readerContext().scrollContext() != null) {
IndicesAccessControl threadIndicesAccessControl =
securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
if (null == threadIndicesAccessControl) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
index 40473bf6fe8ae..f44d93c2d9f27 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@@ -13,7 +13,6 @@
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.node.NodeClient;
-import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.MediaType;
@@ -26,7 +25,6 @@
import org.elasticsearch.rest.RestRequest.Method;
import org.elasticsearch.rest.RestRequestFilter;
import org.elasticsearch.rest.RestStatus;
-import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
import org.elasticsearch.xpack.security.transport.SSLEngineUtils;
@@ -42,13 +40,11 @@ public class SecurityRestFilter implements RestHandler {
private final RestHandler restHandler;
private final AuthenticationService authenticationService;
private final SecondaryAuthenticator secondaryAuthenticator;
- private final Settings settings;
private final ThreadContext threadContext;
private final boolean extractClientCertificate;
- public SecurityRestFilter(Settings settings, ThreadContext threadContext, AuthenticationService authenticationService,
+ public SecurityRestFilter(ThreadContext threadContext, AuthenticationService authenticationService,
SecondaryAuthenticator secondaryAuthenticator, RestHandler restHandler, boolean extractClientCertificate) {
- this.settings = settings;
this.threadContext = threadContext;
this.authenticationService = authenticationService;
this.secondaryAuthenticator = secondaryAuthenticator;
@@ -68,34 +64,29 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
restHandler.handleRequest(request, channel, client);
return;
}
-
- if (XPackSettings.SECURITY_ENABLED.get(settings)) {
- if (extractClientCertificate) {
+ if (extractClientCertificate) {
HttpChannel httpChannel = request.getHttpChannel();
SSLEngineUtils.extractClientCertificates(logger, threadContext, httpChannel);
- }
-
- final String requestUri = request.uri();
- authenticationService.authenticate(maybeWrapRestRequest(request), ActionListener.wrap(
- authentication -> {
- if (authentication == null) {
- logger.trace("No authentication available for REST request [{}]", requestUri);
- } else {
- logger.trace("Authenticated REST request [{}] as {}", requestUri, authentication);
- }
- secondaryAuthenticator.authenticateAndAttachToContext(request, ActionListener.wrap(
- secondaryAuthentication -> {
- if (secondaryAuthentication != null) {
- logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, requestUri);
- }
- RemoteHostHeader.process(request, threadContext);
- restHandler.handleRequest(request, channel, client);
- },
- e -> handleException("Secondary authentication", request, channel, e)));
- }, e -> handleException("Authentication", request, channel, e)));
- } else {
- restHandler.handleRequest(request, channel, client);
}
+
+ final String requestUri = request.uri();
+ authenticationService.authenticate(maybeWrapRestRequest(request), ActionListener.wrap(
+ authentication -> {
+ if (authentication == null) {
+ logger.trace("No authentication available for REST request [{}]", requestUri);
+ } else {
+ logger.trace("Authenticated REST request [{}] as {}", requestUri, authentication);
+ }
+ secondaryAuthenticator.authenticateAndAttachToContext(request, ActionListener.wrap(
+ secondaryAuthentication -> {
+ if (secondaryAuthentication != null) {
+ logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, requestUri);
+ }
+ RemoteHostHeader.process(request, threadContext);
+ restHandler.handleRequest(request, channel, client);
+ },
+ e -> handleException("Secondary authentication", request, channel, e)));
+ }, e -> handleException("Authentication", request, channel, e)));
}
private void handleException(String actionType, RestRequest request, RestChannel channel, Exception e) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index bf62f60336a58..cd65fd0e96c69 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
@@ -417,11 +417,6 @@ public void testGetFieldFilterSecurityEnabledLicenseNoFLS() throws Exception {
assertSame(MapperPlugin.NOOP_FIELD_PREDICATE, fieldFilter.apply(randomAlphaOfLengthBetween(3, 6)));
}
- public void testSecurityIndexWrapperDisabledSecurityDisabled() throws Exception {
- createComponents(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build());
-
- }
public void testValidateRealmsWhenSettingsAreInvalid() {
final Settings settings = Settings.builder()
.put(RealmSettings.PREFIX + "my_pki.type", "pki")
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
index d4775c78e9af3..a585206585679 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
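Review bot: The two lines inside the new `if (extractClientCertificate) {` block (`HttpChannel httpChannel = request.getHttpChannel();` and the `SSLEngineUtils.extractClientCertificates(...)` call) are carried over as unchanged context while their enclosing `if` moved out one level, so they are presumably now indented one level too deep; re-indent them with the block. Separately, this hunk is exactly what PATCH 44/46 further down on this page undoes — that patch's SecurityRestFilter.java header, `index f44d93c2d9f27..40473bf6fe8ae`, is the reverse of this file's `index 40473bf6fe8ae..f44d93c2d9f27` — so the series ends with the setting check back in `handleRequest`; squashing the two would keep any intermediate commit from shipping a filter that authenticates every request on a security-disabled node. `handleRequest` starts before this hunk.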
@@ -10,7 +10,6 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.common.logging.Loggers; -import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; @@ -59,7 +58,7 @@ public void init() throws Exception { } auditTrails = unmodifiableList(auditTrailsBuilder); licenseState = mock(XPackLicenseState.class); - service = new AuditTrailService(auditTrails, licenseState, Settings.EMPTY); + service = new AuditTrailService(auditTrails, licenseState); isAuditingAllowed = randomBoolean(); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed); token = mock(AuthenticationToken.class); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java index 5c3f377c9738c..0100528e6f6ad 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java @@ -229,7 +229,7 @@ public void init() throws Exception { Collections.singletonList(firstRealm))); auditTrail = mock(AuditTrail.class); - auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, settings); + auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); client = mock(Client.class); threadPool = new ThreadPool(settings, new FixedExecutorBuilder(settings, THREAD_POOL_NAME, 1, 1000, 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java index 4807315ca86fd..c3f0ebdab5efa 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java @@ -104,7 +104,7 @@ public void setupMocks() throws Exception { when(realms.asList()).thenReturn(List.of(realm)); when(realms.getUnlicensedRealms()).thenReturn(List.of()); - final AuditTrailService auditTrail = new AuditTrailService(Collections.emptyList(), null, Settings.EMPTY); + final AuditTrailService auditTrail = new AuditTrailService(Collections.emptyList(), null); final AuthenticationFailureHandler failureHandler = new DefaultAuthenticationFailureHandler(Map.of()); final AnonymousUser anonymous = new AnonymousUser(settings); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java index b4dd401d45816..c5cd0f5e687d7 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java 
@@ -239,7 +239,7 @@ public void setup() { auditTrail = mock(AuditTrail.class); XPackLicenseState licenseState = mock(XPackLicenseState.class); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); - auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); + auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); threadContext = new ThreadContext(settings); threadPool = mock(ThreadPool.class); when(threadPool.getThreadContext()).thenReturn(threadContext); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiatorTests.java index f4276c2e06165..22f9be8367c82 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiatorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiatorTests.java @@ -18,7 +18,6 @@ import org.elasticsearch.script.ScriptService; import org.elasticsearch.search.internal.ShardSearchRequest; import org.elasticsearch.test.ESTestCase; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; 
@@ -55,9 +54,8 @@ public void init() throws IOException { threadContext = new ThreadContext(Settings.EMPTY); out = new BytesStreamOutput(); final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); differentiator = new DlsFlsRequestCacheDifferentiator( - licenseState, new SetOnce<>(securityContext), new SetOnce<>(mock(ScriptService.class)), settings); + licenseState, new SetOnce<>(securityContext), new SetOnce<>(mock(ScriptService.class))); shardSearchRequest = mock(ShardSearchRequest.class); indexName = randomAlphaOfLengthBetween(3, 8); dlsIndexName = "dls-" + randomAlphaOfLengthBetween(3, 8); @@ -98,13 +96,4 @@ public void testWillDoNothingIfNoDlsFls() throws IOException { assertThat(out.position(), equalTo(0L)); } - public void testWillDoNothingIfSecurityIsNotEnabled() throws IOException { - final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext); - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); - differentiator = new DlsFlsRequestCacheDifferentiator( - licenseState, new SetOnce<>(securityContext), new SetOnce<>(mock(ScriptService.class)), settings); - when(shardSearchRequest.shardId()).thenReturn(new ShardId(dlsFlsIndexName, randomAlphaOfLength(10), randomIntBetween(0, 3))); - differentiator.accept(shardSearchRequest, out); - assertThat(out.position(), equalTo(0L)); - } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java index 1e5be5eecf28f..80f0ffc12b1af 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptorTests.java @@ -53,7 +53,7 @@ public void testInterceptorThrowsWhenFLSDLSEnabled() { when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(true); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), new RealmRef(null, null, null)); final FieldPermissions fieldPermissions; @@ -112,7 +112,7 @@ public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Except when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_DLS_FLS)).thenReturn(randomBoolean()); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), new RealmRef(null, null, null)); final String action = IndicesAliasesAction.NAME; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java index fdf1e742db589..1a11dc823003c 100644 
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptorTests.java @@ -59,7 +59,7 @@ public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() { ThreadPool threadPool = mock(ThreadPool.class); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); when(threadPool.getThreadContext()).thenReturn(threadContext); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); final Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), null); final FieldPermissions fieldPermissions; final boolean useFls = randomBoolean(); @@ -111,7 +111,7 @@ public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() ThreadPool threadPool = mock(ThreadPool.class); ThreadContext threadContext = new ThreadContext(Settings.EMPTY); when(threadPool.getThreadContext()).thenReturn(threadContext); - AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY); + AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState); final Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null), null); Role role = Role.builder() .add(IndexPrivilege.ALL, "target") diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java index 882d812f58df2..0de28f1af5157 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java @@ -28,7 +28,6 @@ import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.SecuritySettingsSourceField; import org.elasticsearch.test.rest.FakeRestRequest; -import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.SecurityContext; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef; @@ -77,7 +76,7 @@ public void init() throws Exception { restHandler = mock(RestHandler.class); threadContext = new ThreadContext(Settings.EMPTY); secondaryAuthenticator = new SecondaryAuthenticator(Settings.EMPTY, threadContext, authcService); - filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false); + filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false); } public void testProcess() throws Exception { 
@@ -139,17 +138,8 @@ public void testProcessSecondaryAuthentication() throws Exception { assertThat(secondaryAuthRef.get().getAuthentication(), sameInstance(secondaryAuthentication)); } - public void testProcessWithSecurityDisabled() throws Exception { - Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build(); - filter = new SecurityRestFilter(settings, threadContext, authcService, secondaryAuthenticator, restHandler, false); - RestRequest request = mock(RestRequest.class); - filter.handleRequest(request, channel, null); - verify(restHandler).handleRequest(request, channel, null); - verifyZeroInteractions(channel, authcService); - } - public void testProcessAuthenticationFailedNoTrace() throws Exception { - filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false); + filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false); testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " + "cause", new ElasticsearchException("cause")), RestStatus.UNAUTHORIZED, true, true, false); testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " + @@ -230,7 +220,7 @@ public Set getFilteredFields() { callback.onResponse(new Authentication(XPackUser.INSTANCE, new RealmRef("test", "test", "t"), null)); return Void.TYPE; }).when(authcService).authenticate(any(RestRequest.class), anyActionListener()); - filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false); + filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false); filter.handleRequest(restRequest, channel, null); 
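Review bot: Deleting `testProcessWithSecurityDisabled` removes the only visible coverage that a security-disabled node never touches `authcService` or the channel (`verifyZeroInteractions(channel, authcService)`), and nothing replaces it. If the contract has moved to `Security.getRestHandlerWrapper` not installing the filter, a test asserting that the wrapper is absent (or is a pass-through) when security is disabled is the replacement; otherwise the deleted test should stay — PATCH 44/46 on this page reworks SecurityRestFilterTests again, which suggests the coverage was needed. The remaining hunks in this file are mechanical constructor updates.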
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java index 881542b29eb52..7bdfc7670698f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java @@ -64,7 +64,7 @@ public void init() { when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true); when(licenseState.checkFeature(Feature.SECURITY_AUDITING)).thenReturn(true); auditTrail = mock(AuditTrail.class); - auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState, Settings.EMPTY); + auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState); clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList( IPFilter.HTTP_FILTER_ALLOW_SETTING, IPFilter.HTTP_FILTER_DENY_SETTING, diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java index 4ae0412e89f0d..7fe30c5c43806 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java 
@@ -59,7 +59,7 @@ public void init() throws Exception {
 IPFilter.PROFILE_FILTER_DENY_SETTING)));
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
 when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
- AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY);
+ AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
 IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
 ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
 if (isHttpEnabled) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
index 3dee5d8996bd9..0ab94868a9764 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
@@ -62,7 +62,7 @@ public void init() throws Exception {
 IPFilter.PROFILE_FILTER_DENY_SETTING)));
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
 when(licenseState.checkFeature(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
- AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState, Settings.EMPTY);
+ AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
 ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
 ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
 if (isHttpEnabled) {
From a6bf19cf62f996073a8decdcbf039631a65fec17 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas Date: Wed, 4 Aug 2021 11:30:59 +0300 Subject: [PATCH 44/46] SecurityRestFilter is always installed, even with security disabled --- .../xpack/security/Security.java | 2 +- .../security/rest/SecurityRestFilter.java | 51 +++++++++++-------- .../rest/SecurityRestFilterTests.java | 16 ++++-- 3 files changed, 44 insertions(+), 25 deletions(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 3578a4423aa11..fcb755088abba 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -1151,7 +1151,7 @@ public UnaryOperator getRestHandlerWrapper(ThreadContext threadCont
 } else {
 extractClientCertificate = false;
 }
- return handler -> new SecurityRestFilter(threadContext, authcService.get(), secondayAuthc.get(),
+ return handler -> new SecurityRestFilter(settings, threadContext, authcService.get(), secondayAuthc.get(),
 handler, extractClientCertificate);
 }
 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
index f44d93c2d9f27..40473bf6fe8ae 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@@ -13,6 +13,7 @@
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.MediaType;
@@ -25,6 +26,7 @@
 import org.elasticsearch.rest.RestRequest.Method;
 import org.elasticsearch.rest.RestRequestFilter;
 import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
 import org.elasticsearch.xpack.security.transport.SSLEngineUtils;
@@ -40,11 +42,13 @@ public class SecurityRestFilter implements RestHandler {
 private final RestHandler restHandler;
 private final AuthenticationService authenticationService;
 private final SecondaryAuthenticator secondaryAuthenticator;
+ private final Settings settings;
 private final ThreadContext threadContext;
 private final boolean extractClientCertificate;
 
- public SecurityRestFilter(ThreadContext threadContext, AuthenticationService authenticationService,
+ public SecurityRestFilter(Settings settings, ThreadContext threadContext, AuthenticationService authenticationService,
 SecondaryAuthenticator secondaryAuthenticator, RestHandler restHandler, boolean extractClientCertificate) {
+ this.settings = settings;
 this.threadContext = threadContext;
 this.authenticationService = authenticationService;
 this.secondaryAuthenticator = secondaryAuthenticator;
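Review bot: The constructor keeps the whole `Settings` object only so that handleRequest (the `@@ -64,29 +68,34 @@` hunk below) can call `XPackSettings.SECURITY_ENABLED.get(settings)` on every request, although the flag cannot change for the lifetime of the filter. Resolve it once here instead: replace the field with `private final boolean securityEnabled;`, assign `this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);` in the constructor, and test `if (securityEnabled) {` in handleRequest. That also makes the security-disabled bypass visible at the top of the class rather than buried in the request path.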
@@ -64,29 +68,34 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 restHandler.handleRequest(request, channel, client);
 return;
 }
- if (extractClientCertificate) {
+
+ if (XPackSettings.SECURITY_ENABLED.get(settings)) {
+ if (extractClientCertificate) {
 HttpChannel httpChannel = request.getHttpChannel();
 SSLEngineUtils.extractClientCertificates(logger, threadContext, httpChannel);
+ }
+
+ final String requestUri = request.uri();
+ authenticationService.authenticate(maybeWrapRestRequest(request), ActionListener.wrap(
+ authentication -> {
+ if (authentication == null) {
+ logger.trace("No authentication available for REST request [{}]", requestUri);
+ } else {
+ logger.trace("Authenticated REST request [{}] as {}", requestUri, authentication);
+ }
+ secondaryAuthenticator.authenticateAndAttachToContext(request, ActionListener.wrap(
+ secondaryAuthentication -> {
+ if (secondaryAuthentication != null) {
+ logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, requestUri);
+ }
+ RemoteHostHeader.process(request, threadContext);
+ restHandler.handleRequest(request, channel, client);
+ },
+ e -> handleException("Secondary authentication", request, channel, e)));
+ }, e -> handleException("Authentication", request, channel, e)));
+ } else {
+ restHandler.handleRequest(request, channel, client);
 }
-
- final String requestUri = request.uri();
- authenticationService.authenticate(maybeWrapRestRequest(request), ActionListener.wrap(
- authentication -> {
- if (authentication == null) {
- logger.trace("No authentication available for REST request [{}]", requestUri);
- } else {
- logger.trace("Authenticated REST request [{}] as {}", requestUri, authentication);
- }
- secondaryAuthenticator.authenticateAndAttachToContext(request, ActionListener.wrap(
- secondaryAuthentication -> {
- if (secondaryAuthentication != null) {
- logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, requestUri);
- }
- RemoteHostHeader.process(request, threadContext);
- restHandler.handleRequest(request, channel, client);
- },
- e -> handleException("Secondary authentication", request, channel, e)));
- }, e -> handleException("Authentication", request, channel, e)));
 }
 
 private void handleException(String actionType, RestRequest request, RestChannel channel, Exception e) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
index 0de28f1af5157..882d812f58df2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
@@ -28,6 +28,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.SecuritySettingsSourceField;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
@@ -76,7 +77,7 @@ public void init() throws Exception {
 restHandler = mock(RestHandler.class);
 threadContext = new ThreadContext(Settings.EMPTY);
 secondaryAuthenticator = new SecondaryAuthenticator(Settings.EMPTY, threadContext, authcService);
- filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false);
+ filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false);
 }
 
 public void testProcess() throws Exception {
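Review bot: The two unchanged lines inside the new `if (extractClientCertificate) {` (`HttpChannel httpChannel = request.getHttpChannel();` and the `SSLEngineUtils.extractClientCertificates(...)` call) are context lines, so they keep their old indentation and now sit one level shallower than the `if (XPackSettings.SECURITY_ENABLED.get(settings))` block that encloses them; re-indent them so the nesting reads correctly. The `else` branch hands the request to `restHandler` without client-certificate extraction or `RemoteHostHeader.process(request, threadContext)`, which looks intentional for a disabled security plugin but deserves a line such as `// security disabled: no authentication is attempted, the request goes straight to the handler`. The method signature and the early-return at the top of handleRequest lie outside this hunk.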
@@ -138,8 +139,17 @@ public void testProcessSecondaryAuthentication() throws Exception {
 assertThat(secondaryAuthRef.get().getAuthentication(), sameInstance(secondaryAuthentication));
 }
 
+ public void testProcessWithSecurityDisabled() throws Exception {
+ Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), false).build();
+ filter = new SecurityRestFilter(settings, threadContext, authcService, secondaryAuthenticator, restHandler, false);
+ RestRequest request = mock(RestRequest.class);
+ filter.handleRequest(request, channel, null);
+ verify(restHandler).handleRequest(request, channel, null);
+ verifyZeroInteractions(channel, authcService);
+ }
+
 public void testProcessAuthenticationFailedNoTrace() throws Exception {
- filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false);
+ filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false);
 testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " +
 "cause", new ElasticsearchException("cause")), RestStatus.UNAUTHORIZED, true, true, false);
 testProcessAuthenticationFailed(randomBoolean() ? authenticationError("failed authn") : authenticationError("failed authn with " +
@@ -220,7 +230,7 @@ public Set getFilteredFields() {
 callback.onResponse(new Authentication(XPackUser.INSTANCE, new RealmRef("test", "test", "t"), null));
 return Void.TYPE;
 }).when(authcService).authenticate(any(RestRequest.class), anyActionListener());
- filter = new SecurityRestFilter(threadContext, authcService, secondaryAuthenticator, restHandler, false);
+ filter = new SecurityRestFilter(Settings.EMPTY, threadContext, authcService, secondaryAuthenticator, restHandler, false);
 filter.handleRequest(restRequest, channel, null);
From 00758afd5d6e5b048452005b8795e21a5b6a4574 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas Date: Wed, 4 Aug 2021 14:12:19 +0300 Subject: [PATCH 45/46] Re-enable QA test for enabling security on an existing cluster --- .../qa/basic-enable-security/build.gradle | 75 +++++++ .../EnableSecurityOnBasicLicenseIT.java | 186 ++++++++++++++++++ .../src/javaRestTest/resources/roles.yml | 14 ++ .../resources/ssl/README.asciidoc | 30 +++ .../src/javaRestTest/resources/ssl/ca.crt | 20 ++ .../src/javaRestTest/resources/ssl/ca.key | 30 +++ .../javaRestTest/resources/ssl/transport.crt | 22 +++ .../javaRestTest/resources/ssl/transport.key | 30 +++ 8 files changed, 407 insertions(+) create mode 100644 x-pack/plugin/security/qa/basic-enable-security/build.gradle create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt create mode 100644 x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key
diff --git a/x-pack/plugin/security/qa/basic-enable-security/build.gradle b/x-pack/plugin/security/qa/basic-enable-security/build.gradle
new file mode 100644
index 0000000000000..410eab6fb104f
--- /dev/null
+++ b/x-pack/plugin/security/qa/basic-enable-security/build.gradle
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import org.elasticsearch.gradle.testclusters.StandaloneRestIntegTestTask
+import org.elasticsearch.gradle.internal.info.BuildParams
+
+apply plugin: 'elasticsearch.java-rest-test'
+
+dependencies {
+ javaRestTestImplementation(testArtifact(project(xpackModule('security'))))
+ javaRestTestImplementation(testArtifact(project(xpackModule('core'))))
+}
+
+tasks.named("javaRestTest").configure {
+ description = "Run tests against a cluster that has security disabled"
+ systemProperty 'tests.has_security', 'false'
+}
+
+if (BuildParams.inFipsJvm){
+ // This test cluster is using a BASIC license and FIPS 140 mode is not supported in BASIC
+ tasks.named("javaRestTest").configure{enabled = false }
+}
+
+testClusters {
+ javaRestTest {
+ testDistribution = 'DEFAULT'
+ numberOfNodes = 2
+ setting 'xpack.ml.enabled', 'false'
+ setting 'xpack.license.self_generated.type', 'basic'
+ setting 'xpack.security.enabled', 'false'
+ }
+}
+
+tasks.register("javaRestTestWithSecurityEnabled", StandaloneRestIntegTestTask) {
+ mustRunAfter("javaRestTest")
+ description = "Run tests against a cluster that has security enabled"
+ dependsOn "javaRestTest"
+ useCluster testClusters.javaRestTest
+ systemProperty 'tests.has_security', 'true'
+ testClassesDirs = sourceSets.javaRestTest.output.classesDirs
+ classpath = sourceSets.javaRestTest.runtimeClasspath
+ onlyIf {
+ BuildParams.inFipsJvm == false
+ }
+ doFirst {
+ testClusters.javaRestTest {
+ // TODO Rene: revisit if using dedicated new cluster definitions would be more efficient.
+ // Reconfigure cluster to enable security
+ setting 'xpack.security.enabled', 'true'
+ setting 'xpack.security.authc.anonymous.roles', 'anonymous'
+ setting 'xpack.security.transport.ssl.enabled', 'true'
+ setting 'xpack.security.transport.ssl.certificate', 'transport.crt'
+ setting 'xpack.security.transport.ssl.key', 'transport.key'
+ setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password'
+ setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt'
+
+ extraConfigFile 'transport.key', file('src/javaRestTest/resources/ssl/transport.key')
+ extraConfigFile 'transport.crt', file('src/javaRestTest/resources/ssl/transport.crt')
+ extraConfigFile 'ca.crt', file('src/javaRestTest/resources/ssl/ca.crt')
+ extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml')
+
+ user username: "admin_user", password: "admin-password"
+ user username: "security_test_user", password: "security-test-password", role: "security_test_role"
+
+ restart()
+ }
+ nonInputProperties.systemProperty 'tests.rest.cluster', "${-> testClusters.javaRestTest.getAllHttpSocketURI().join(",")}"
+ }
+}
+tasks.named("check").configure { dependsOn("javaRestTestWithSecurityEnabled") }
+
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java
index e69de29bb2d1d..8a40e93f67e41 100644
--- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java
+++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java
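Review bot: The `onlyIf { BuildParams.inFipsJvm == false }` on `javaRestTestWithSecurityEnabled` reads as a duplicate of the `enabled = false` applied to `javaRestTest` a few lines above, but it is not redundant: a task still runs when a task it `dependsOn` has been disabled, so without this guard the `doFirst` block would try to reconfigure and restart a cluster that never started. A comment would spare the next reader that reasoning, e.g. `// javaRestTest is disabled in FIPS JVMs above; a disabled dependency does not skip this task, and a BASIC license cannot run in FIPS 140 mode`. It would also be worth keeping the two FIPS conditions next to each other so they are updated together.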
@@ -0,0 +1,186 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+package org.elasticsearch.xpack.security;
+
+import org.apache.http.HttpHost;
+import org.apache.http.util.EntityUtils;
+import org.elasticsearch.Version;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.client.RestClient;
+import org.elasticsearch.client.RestClientBuilder;
+import org.elasticsearch.core.Booleans;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.test.rest.yaml.ObjectPath;
+import org.elasticsearch.xpack.security.authc.InternalRealms;
+import org.hamcrest.Matchers;
+import org.junit.BeforeClass;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
+
+public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase {
+
+ private static boolean securityEnabled;
+
+ @BeforeClass
+ public static void checkTestMode() {
+ final String hasSecurity = System.getProperty("tests.has_security");
+ securityEnabled = Booleans.parseBoolean(hasSecurity);
+ }
+
+ @Override
+ protected Settings restAdminSettings() {
+ String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
+ return Settings.builder()
+ .put(ThreadContext.PREFIX + ".Authorization", token)
+ .build();
+ }
+
+ @Override
+ protected Settings restClientSettings() {
+ String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray()));
+ return Settings.builder()
+ .put(ThreadContext.PREFIX + ".Authorization", token)
+ .build();
+ }
+
+ @Override
+ protected boolean preserveClusterUponCompletion() {
+ // If this is the first run (security is disabled), then don't clean up afterwards because we want to test restart
+ // with data
+ return securityEnabled == false;
+ }
+
+ @Override
+ protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
+ RestClientBuilder builder = RestClient.builder(hosts);
+ configureClient(builder, settings);
+ return builder.build();
+ }
+
+
+ public void testSecuritySetup() throws Exception {
+ logger.info("Security status: {}", securityEnabled);
+ logger.info("Cluster:\n{}", getClusterInfo());
+ logger.info("Indices:\n{}", getIndices());
+ checkBasicLicenseType();
+
+ checkSecurityStatus(securityEnabled);
+ if (securityEnabled) {
+ checkAuthentication();
+ }
+
+ checkAllowedWrite("index_allowed");
+ // Security runs second, and should see the docs from the first (non-security) run
+ final int expectedIndexCount = securityEnabled ? 2 : 1;
+ checkIndexCount("index_allowed", expectedIndexCount);
+
+ final String otherIndex = "index_" + randomAlphaOfLengthBetween(2, 6).toLowerCase(Locale.ROOT);
+ if (securityEnabled) {
+ checkDeniedWrite(otherIndex);
+ } else {
+ checkAllowedWrite(otherIndex);
+ }
+ checkSecurityDisabledWarning();
+ }
+
+ public void checkSecurityDisabledWarning() throws Exception {
+ final Request request = new Request("GET", "/_cat/indices");
+ Response response = client().performRequest(request);
+ List warningHeaders = response.getWarnings();
+ assertThat (warningHeaders, Matchers.empty());
+ }
+
+ private String getClusterInfo() throws IOException {
+ Map info = getAsMap("/");
+ assertThat(info, notNullValue());
+ return info.toString();
+ }
+
+ private String getIndices() throws IOException {
+ final Request request = new Request("GET", "/_cat/indices");
+ Response response = client().performRequest(request);
+ return EntityUtils.toString(response.getEntity());
+ }
+
+ private void checkBasicLicenseType() throws Exception {
+ assertBusy(() -> {
+ try {
+ Map license = getAsMap("/_license");
+ assertThat(license, notNullValue());
+ assertThat(ObjectPath.evaluate(license, "license.type"), equalTo("basic"));
+ } catch (ResponseException e) {
+ throw new AssertionError(e);
+ }
+ });
+ }
+
+ private void checkSecurityStatus(boolean expectEnabled) throws IOException {
+ Map usage = getAsMap("/_xpack/usage");
+ assertThat(usage, notNullValue());
+ assertThat(ObjectPath.evaluate(usage, "security.available"), equalTo(true));
+ assertThat(ObjectPath.evaluate(usage, "security.enabled"), equalTo(expectEnabled));
+ if (expectEnabled) {
+ for (String realm : Arrays.asList("file", "native")) {
+ assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".available"), equalTo(true));
+ assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".enabled"), equalTo(true));
+ }
+ for (String realm : InternalRealms.getConfigurableRealmsTypes()) {
+ if (realm.equals("file") == false && realm.equals("native") == false) {
+ assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".available"), equalTo(false));
+ assertThat(ObjectPath.evaluate(usage, "security.realms." + realm + ".enabled"), equalTo(false));
+ }
+ }
+ }
+ }
+
+ private void checkAuthentication() throws IOException {
+ final Map auth = getAsMap("/_security/_authenticate");
+ // From file realm, configured in build.gradle
+ assertThat(ObjectPath.evaluate(auth, "username"), equalTo("security_test_user"));
+ // The anonymous role is granted by anonymous access enabled in build.gradle
+ assertThat(ObjectPath.evaluate(auth, "roles"), contains("security_test_role", "anonymous"));
+ }
+
+ private void checkAllowedWrite(String indexName) throws IOException {
+ final Request request = new Request("POST", "/" + indexName + "/_doc");
+ request.setJsonEntity("{ \"key\" : \"value\" }");
+ Response response = client().performRequest(request);
+ final Map result = entityAsMap(response);
+ assertThat(ObjectPath.evaluate(result, "_index"), equalTo(indexName));
+ assertThat(ObjectPath.evaluate(result, "result"), equalTo("created"));
+ }
+
+ private void checkDeniedWrite(String indexName) {
+ final Request request = new Request("POST", "/" + indexName + "/_doc");
+ request.setJsonEntity("{ \"key\" : \"value\" }");
+ ResponseException e = expectThrows(ResponseException.class, () -> client().performRequest(request));
+ assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(403));
+ assertThat(e.getMessage(), containsString("unauthorized for user [security_test_user]"));
+ }
+
+ private void checkIndexCount(String indexName, int expectedCount) throws IOException {
+ final Request request = new Request("POST", "/" + indexName + "/_refresh");
+ adminClient().performRequest(request);
+
+ final Map result = getAsMap("/" + indexName + "/_count");
+ assertThat(ObjectPath.evaluate(result, "count"), equalTo(expectedCount));
+ }
+}
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml
new file mode 100644
index 0000000000000..39c693290adba
--- /dev/null
+++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/roles.yml
@@ -0,0 +1,14 @@
+# A basic role that is used to test security
+security_test_role:
+ cluster:
+ - monitor
+ - "cluster:admin/xpack/license/*"
+ indices:
+ - names: [ "index_allowed" ]
+ privileges: [ "read", "write", "create_index" ]
+ - names: [ "*" ]
+ privileges: [ "monitor" ]
+
+anonymous:
+ cluster:
+ - monitor
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc
new file mode 100644
index 0000000000000..b3729f42d17b0
--- /dev/null
+++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/README.asciidoc
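Review bot: `import org.elasticsearch.Version;` is not used anywhere in the visible body of EnableSecurityOnBasicLicenseIT; drop it. `checkSecurityDisabledWarning()` is invoked at the end of `testSecuritySetup()` in both runs and asserts `Matchers.empty()` on the warning headers regardless of `securityEnabled`, so its name promises a disabled-only check that the body does not make; either guard the call with `if (securityEnabled == false)` or, if no warning is expected in either mode, say so with a comment such as `// no warning headers are expected whether or not security is enabled`. The stray space in `assertThat (warningHeaders, Matchers.empty());` should also go.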
@@ -0,0 +1,30 @@ += Keystore Details + +This document details the steps used to create the certificate and keystore files in this directory. + +== Instructions on generating certificates +The certificates in this directory have been generated using elasticsearch-certutil (7.0.0 SNAPSHOT) + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil ca --pem --out=ca.zip --pass="ca-password" --days=3500 +unzip ca.zip +mv ca/ca.* ./ + +rm ca.zip +rmdir ca +----------------------------------------------------------------------------------------------------------- + +[source,shell] +----------------------------------------------------------------------------------------------------------- +elasticsearch-certutil cert --pem --name=transport --out=transport.zip --pass="transport-password" --days=3500 \ + --ca-cert=ca.crt --ca-key=ca.key --ca-pass="ca-password" \ + --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 --dns=localhost6 --dns=localhost6.localdomain6 \ + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 + +unzip transport.zip +mv transport/transport.* ./ + +rm transport.zip +rmdir transport +----------------------------------------------------------------------------------------------------------- diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt new file mode 100644 index 0000000000000..95068217a612a --- /dev/null +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIVAL0RCyWTbBDd2ntuWoqRwW0IE9+9MA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTE5MDQzMDAzNTQwN1oXDTI4MTEyODAzNTQwN1owNDEyMDAG +A1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5lcmF0ZWQgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA4VwADiyl+Xl15D27gtpS +TXZfHt40MUx12FY0MEd3A3hU+Fp4PaLE2ejECx04yrq8Rfc0Yltux/Fc5zE98XM8 +dY4j0QN/e6C/f0mrBI0KaJ25nv0MWFvoqS/D3vWvDFLUP1a3OZICWWoBDG+zCHe5 +Aq0qwge+FU9IUc7G2WPJeUp4e0+EzLxFInls3rTX1xkyq8Q6PT3gi0RZKvHqIudL +DAXDVEGWNxEX9KwQ1nMtRkDZICx/W665kZiBD4XC3WuEkYlDL1ISVw3cmsbYdhb4 +IusIK5zNERi4ewTgDDxic8TbRpkQW189/M3IglrQipH5ixfF6oNSyoRVAa3KZqj5 +AgMBAAGjUzBRMB0GA1UdDgQWBBRI4mOaeunbu60GfjWTpHcvhb6/YTAfBgNVHSME +GDAWgBRI4mOaeunbu60GfjWTpHcvhb6/YTAPBgNVHRMBAf8EBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQCUOXddlGoU+Ni85D0cRjYYxyx8a5Rwngp+kztttT/5l3Ch +5JMZyl/xcaTryh37BG3+NuqKR1zHtcLpq/+xaCrwBQ8glJofF+1n9w4zBL9nrH5c +O5NgG7+u/sfB+xdqMVdoBBqfm1Roq7O1T/kBXis1+5ZtBlj+7WIKeWWTZGLTrHV+ +MW5RDOmMoLkqT5qzpR9Yf7UChPVrvKGs4Kd+fYJeb0R5W6mvZQ6/FrsLwAWLC2Q1 +rW1u4zIkO0ih5qd52dl/73u7SWqzWxPy1ynwqJefD4AA0uaJYtMlXHK2vYjutHvY +K7301gzc5fueqo1YMmPgsjjsj+ErR1t0ve7faOBy +-----END CERTIFICATE----- diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key new file mode 100644 index 0000000000000..a6de1f9958d32 --- /dev/null +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,0F6B57727499DA47 + +OmK77UnFtk/zNEbNTxNJz73D2XWFDWLyHCDZPEXkX55vch/pXkkfVbWbPBFv35nA +LKni0j802Qnc1D4V3BUSmVWHk9SfjI5nlcDkSELbgCOpuZkf6Bmk8FgLfV42BFxn +lAiY+oBB4VV+rxA+HUV6CiWWrTgSjkvFyXCBZzcTEPdF2ifWerjsWKOjQZJtmvMX +J5DhYCCp1/n4R/OQpYxQiOqJdUxbKx4k0h139ySK2PggdL17w1a7AuQnHwJO3+ic +1IntPKD/ZhpAPPzq8A5R5jZyvrSj9Dgv94PXAQ5xTZWnZd2nuJtbkrYJ47pBR3Re +R2aZdF/N8ljG1TYHuJXdiL3A80Y3AS00TFNgSAZKSz5Ktt6zI2EAZu9xdHd8EfUm +m3qJmfce9P9cCBzo7DLGHwRMfu9hEFWN9dRD8KWNcB+ahQ1/jItzi25yZM6vD6+S +ZVUzegybeYlMwPks3YObX9IdUSwAd9F76SVwHCsziKQW4RfETaShG/oRNqq04nqA +E//KUl5bfTuv8jumyMlg6iiqIDQAUvzI74mWe2lIy6rglm2rR39SN4NxSrnTwoz4 +KAf+kHWJVyxFqEYs+dqboRWpRfQac3+iYoIlZFob/nRhNyKnccTkHtjh7+1C8CXI +sYXhuJZLCoiXh990M9t1ct0hqfWLNALlEsJesfRG8/fvi+LZd9i3fyCjrM+z96/G +/2zQzdga4bOs3ZEBluYFYkhHRJw1rAF3LTcWYvjP0gjZYVQki7AsLb0me1selS6O +P1bXaLaSUvMsAVO0wOtHMXAoBgEybP4+OonLiMScjdQZ2KRQ8L8OwzuGt0yguPRy +7wQv4NrH8LQu+X7tlQox28kascZUNHxORbh9M/wWx/2htw88uXWb5vxbDe30Rras +mTg0Gxky/88ZWvYxr7PlhBRrrfkJQ9sF/RyygUFhpQaXTwspkpF+MZv+1X6ROHqR +OueSa606FrptZ5n4RRPjq0hVZQgWKMAlIxNSum+gFn/Z7Q9I6gKrGFxjkD65L1kK +BbvbHAomiTyphrMtBRP52VqsFr4NxCWzxr/ZSlwaxTEid2vYg3zm7ls4dHYjUiNR +cs/JZJTkXn2aVaILSQkr9/I0eOOH9t/APSXHY8urQuYsDdmOOL7J2tlh3w1ivP8A +vVeomdUr2jgn53pBzbaLlTfsZ9+UneuLcztLfqN+BydQq1bKWvn2j3GvUkmhE//M ++fpo+uGlslMLh8rjtRH1y9rtCKhLgIxLO4U/ZJksFcJAqF3mR+Xxkrf82LUrAg8x +Oj++3QhOJE7f+vKog8b0gGrySSwzII2Ar7KiJDVJaZpmbbXToBlcC7xoksN3Ra0E +15WxKBSRqb7gi2+ml02rwtFMzq93H05Uoa9mG8uf1QH8t/+o6fniFx5N5kKWmPMy +shXjaYg7NzEBAkxI4VO41faMxEj/CUV0klQDPbnAsTCrcYu7CS2lml3e0zVf6RB8 +plXee99DiWpHZTRoGzpInK3DpnGRP1Frgl1KyhT+HayFZeYSMHfVSFPk3CKKmtEp +r+J/SrpGnEx0NKK3f+MxflZfnMIvgjGxkHdgSaDpz9iTjveq176Bq1GmNLALotOq +-----END RSA PRIVATE KEY----- 
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt new file mode 100644 index 0000000000000..8ffb02e3d5794 --- /dev/null +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuDCCAqCgAwIBAgIVAOSHUsKiRx+ekWEEmfI2Q2q3B5hoMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTE5MDQzMDAzNTU0NloXDTI4MTEyODAzNTU0NlowFDESMBAG +A1UEAxMJdHJhbnNwb3J0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +wBaoGJ9vv9yFxCOg24CsVfwSThOPnea8oujexGZYDgKkCdtcVn03tlyomjOra/dL +PJ0zOvUyktTxv022VQNhkJ/PO+w/NKpHBHaAVZE0o2zvUf8xQqXoHw0S6rAhurs5 +50r8QRkh1Z3ky3uOcFs0pXYCR/2ZVmQNSBhqmhUSK5y0VURot1MtPMw1SeqyabZQ +upDTJ6um/zk2LalfChKJ3vGQGEW7AGfv10eIWSmqQx6rLWAGO4MDelbZhUUr5iFc +D4fW0/MNUXJHTBO5Dyq6n63Wsm0jTYK72bSVw8LZS+uabQCtcHtKUZh38uUEUCjp +MDVY7YmDv0i8qx/MvWasbwIDAQABo4HgMIHdMB0GA1UdDgQWBBQwoESvk9jbbTax +/+c5MCAFEvWW5TAfBgNVHSMEGDAWgBRI4mOaeunbu60GfjWTpHcvhb6/YTCBjwYD +VR0RBIGHMIGEgglsb2NhbGhvc3SCF2xvY2FsaG9zdDYubG9jYWxkb21haW42hwR/ +AAABhxAAAAAAAAAAAAAAAAAAAAABggpsb2NhbGhvc3Q0ggpsb2NhbGhvc3Q2ghVs +b2NhbGhvc3QubG9jYWxkb21haW6CF2xvY2FsaG9zdDQubG9jYWxkb21haW40MAkG +A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAIQ8/PLfsZ1eKOWW74a4h/Uh5eh8 +u9Led1v+U9tszmULN8JoYSEgyql6zy2pJOuIVLwI9cUvrcypUSDL53NmWhTGAjEL +jbww/G1cngBh5cBzAPq3lRL2lwc8j3ZZ16I1eNyWastvBDdtANlDArCUamZoboBm +HE/jrssC9DOQhxAraiitH3YqjquqztEp1zIuqRI0qYTDFNPzyfyXIyCFIT+3eVI5 +22MqjFL+9IDuoET+VU1i22LhF32TEPotz2hfZTFddql0V1IOJQuVkDkQGFvaJMFy +Xw7d4orV3sxzQYd7muCoaao7g/F675KqpZiiVHqKxTOLafF/MPcfLhH6xZk= +-----END CERTIFICATE----- 
diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key new file mode 100644 index 0000000000000..f540e17202492 --- /dev/null +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/resources/ssl/transport.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,0B9EFA0829A750FB + +NCrPD7gkQ4Jr5/xIiohWILW3nO/WmNjApqOIc5g/wX/xJpk/554f8zCZ8dUD0D2E +ZW+z7Yj8GWKB0E6+hQZ+3ZUHLYASYSpSDVjg8UaaCxQyoVcUhshahFprqlzgU/An +Er8TbrGvhH0VmNlcQhaImqCOk41Hf8gjrxrtoLKbk3DfTk/Uuv4Jlsz4X+oSBVZN +fezIN70IZvGLKu7O3T9DeVLV1bLL6hNGIXnYe+FzLomMck2UoFv6uGS1VyFIGNf0 +ly80NGgdWTGxzLmiiGCgm5gbqbIehMsei1CC3jZIcfgfGyp4NVvF4HxFxZLTR3kY +YqzBWta/PoY6XXOlLFZupYt/YMt9hU6It9xdudPyNxwSuFXU66Fc08Ljj151iyhv +Ggf88jo9xSVvKOlqqHN6dY/xo9CfzTyuldG4jsKVHgGosSGghksjZ+PpHc7Mo5aP +S/UofhQgApJgU30TQPiQuJ+my/h9CiJyIgP7HnZtltwxg1k3dj+LxlpRKvjTOfuc +epOFmPeIdPkrQDir0j9+h+yoMgeqoT2unUYXw/qx5SVQxB5ckajLmJkUJPej9U3O +wASqNcWCTBEkGt102RU8o6lywdzBvfTB7gegR6oDvRfaxHOiUrRT/IwgszRfIdoC +fZa7Pb9pUuR3oY4uduDYgIKnxJhhQF2ERVXsfQeyxdiHEXvRnBFoAhoDjO8rWv07 +xiFPVMCAqXPImmdI34QezuzV2MUIVlKyeovbf+Kjv/Uat3zTj5FbmyVHcmPXpTY7 +t5iTQG+nQwz6UGcM5lF40EWrRdCzHEXNszwEY3Oz8D5rgBa6kxHYjcG9rzbTGlk2 +gsKdKA0am0hnCCJdTxbK5AkDcCWn/eclw0RPpbhFv5anvHTJ5WAWE7ZaACRuSfvy +UbNRGiWo4cNcR7+PGgV5184zjwJOql1mz+I79tlpxtK/FazP61WAYKOeEx1paKXX +syq+WDWgoZu/RzKDyTu10NUgq9J/IXDBn8/JjOVPCmPhMMLxNdoUhMfO4Ij9+3Jv +mH6ZaU6E+NZuc5N4Ivws42PwNY9FoyuLLgMBbezjhepQrDveHUK5v0weWqEapZ7Z +4KkFAeK7pjuItn5Of+233cp9Y68G8NrwMLQzI23kebNJwwzUMf3DnUJCXiy3PvrF +WpA0Q6/FspJgG3x2AXKo2QsHxydW+4w4pkawS9TCl0E03D7V6Gf17/HOxPDSH972 ++Yzzv8IkaOw5g+paeX9+tHjDFaxuvKiFyn/J7xYZAAQUoa2uQu440RakE73qLO34 +wtWdRzvIYitwLNJSfSojQDNoXuv8eyI/hP573cs6pmbheKXG1XKsWfpfj8sI7OkH +AdjRyeToSKbZ8yCn2vp0jyaRocOucu5oo7c0v+IocWOgdw+913EToJ6G3ck1heVR +b/U04VqKkXowO1YK7xDBAalMxyWq40spIKCC8HBBlng3vfUKqF46q9bMpesXnwPr +/00JfDVhFbqkJbqB8UYpjs9MN+vV5A7lsYbObom4pV25FSnwNSyxK0bhWGfZgutI +pjeQDkvHNG606AsqLz6SmIJP/GBBSMwvT3PGMPOO5XcayKeK3cbOQYJ0Yh7Muoqe +-----END RSA PRIVATE KEY----- From a12494dbcab14cf1c925aefc6d8cab2050ca8b90 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas
Date: Wed, 4 Aug 2021 14:12:46 +0300
Subject: [PATCH 46/46] add test for no realms
---
 .../xpack/security/SecurityTests.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index cd65fd0e96c69..4ae0ca66a8574 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
@@ -70,6 +70,8 @@
 import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 import org.elasticsearch.xpack.security.authc.Realms;
+import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
+import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
 import org.hamcrest.Matchers;
 import org.junit.After;
@@ -95,6 +97,7 @@
 import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_MAIN_INDEX_FORMAT;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.instanceOf;
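Review bot: The static import added in the second hunk breaks the alphabetical order the surrounding lines follow (`empty`, `not`, `equalTo`, `hasItem`, `instanceOf`); move `import static org.hamcrest.Matchers.not;` to its sorted slot after `import static org.hamcrest.Matchers.instanceOf;`. The repository's import-order check will likely reject the current placement.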
@@ -236,6 +239,19 @@ public void testTransportSettingValidation() {
 assertThat(badHttp.getMessage(), containsString(NetworkModule.HTTP_TYPE_KEY));
 }
+ public void testNoRealmsWhenSecurityDisabled() throws Exception {
+ Settings settings = Settings.builder()
+ .put(XPackSettings.SECURITY_ENABLED.getKey(), false)
+ .put("path.home", createTempDir())
+ .build();
+ Collection components = createComponents(settings);
+ for (Object component: components) {
+ assertThat(component, not(instanceOf(Realms.class)));
+ assertThat(component, not(instanceOf(NativeUsersStore.class)));
+ assertThat(component, not(instanceOf(ReservedRealm.class)));
+ }
+ }
+
 public void testSettingFilter() throws Exception {
 createComponents(Settings.EMPTY);
 final List filter = security.getSettingsFilter();
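Review bot: testNoRealmsWhenSecurityDisabled passes vacuously if createComponents(settings) returns an empty collection, because every assertion sits inside the for loop; add `assertThat(components, not(empty()));` before the loop (`empty` and `not` are already statically imported in the hunks above) so the test proves that components were actually built and inspected. The loop header also drops the space before the colon, `for (Object component : components) {`. The test only rules out three concrete component types, so a realm held inside some other registered component would not be caught; that is probably fine for a smoke test, but state the intent in a comment above the method, e.g. `// With security disabled, no realm-related components may be registered at all.`. The hunk's trailing context belongs to testSettingFilter, whose body continues outside the hunk.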