Fix origin.type for connection_* audit events (#36410)
The `origin.type` field's permitted values are now `rest` or `transport` (as the docs declare) instead of `ip_filter`.
This commit is contained in:
parent
0909a631ba
commit
01afeff55d
|
@ -35,6 +35,7 @@ import org.elasticsearch.xpack.core.security.user.XPackUser;
|
||||||
import org.elasticsearch.xpack.security.audit.AuditLevel;
|
import org.elasticsearch.xpack.security.audit.AuditLevel;
|
||||||
import org.elasticsearch.xpack.security.audit.AuditTrail;
|
import org.elasticsearch.xpack.security.audit.AuditTrail;
|
||||||
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
|
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
|
||||||
|
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
|
||||||
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
|
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
|
||||||
|
|
||||||
import com.fasterxml.jackson.core.io.JsonStringEncoder;
|
import com.fasterxml.jackson.core.io.JsonStringEncoder;
|
||||||
|
@ -513,7 +514,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
|
||||||
final StringMapMessage logEntry = new LogEntryBuilder()
|
final StringMapMessage logEntry = new LogEntryBuilder()
|
||||||
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
||||||
.with(EVENT_ACTION_FIELD_NAME, "connection_granted")
|
.with(EVENT_ACTION_FIELD_NAME, "connection_granted")
|
||||||
.with(ORIGIN_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
.with(ORIGIN_TYPE_FIELD_NAME,
|
||||||
|
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
|
||||||
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
||||||
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
|
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
|
||||||
.with(RULE_FIELD_NAME, rule.toString())
|
.with(RULE_FIELD_NAME, rule.toString())
|
||||||
|
@ -529,7 +531,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
|
||||||
final StringMapMessage logEntry = new LogEntryBuilder()
|
final StringMapMessage logEntry = new LogEntryBuilder()
|
||||||
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
||||||
.with(EVENT_ACTION_FIELD_NAME, "connection_denied")
|
.with(EVENT_ACTION_FIELD_NAME, "connection_denied")
|
||||||
.with(ORIGIN_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
|
.with(ORIGIN_TYPE_FIELD_NAME,
|
||||||
|
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
|
||||||
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
||||||
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
|
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
|
||||||
.with(RULE_FIELD_NAME, rule.toString())
|
.with(RULE_FIELD_NAME, rule.toString())
|
||||||
|
|
|
@ -700,13 +700,15 @@ public class LoggingAuditTrailTests extends ESTestCase {
|
||||||
public void testConnectionDenied() throws Exception {
|
public void testConnectionDenied() throws Exception {
|
||||||
final InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
final InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
||||||
final SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
|
final SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
|
||||||
final String profile = randomAlphaOfLengthBetween(1, 6);
|
final String profile = randomBoolean() ? IPFilter.HTTP_PROFILE_NAME : randomAlphaOfLengthBetween(1, 6);
|
||||||
|
|
||||||
auditTrail.connectionDenied(inetAddress, profile, rule);
|
auditTrail.connectionDenied(inetAddress, profile, rule);
|
||||||
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
|
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
|
||||||
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
||||||
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_denied")
|
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_denied")
|
||||||
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME,
|
||||||
|
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE
|
||||||
|
: LoggingAuditTrail.TRANSPORT_ORIGIN_FIELD_VALUE)
|
||||||
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
||||||
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
|
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
|
||||||
.put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all");
|
.put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all");
|
||||||
|
@ -727,7 +729,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
|
||||||
public void testConnectionGranted() throws Exception {
|
public void testConnectionGranted() throws Exception {
|
||||||
final InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
final InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
||||||
final SecurityIpFilterRule rule = IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
|
final SecurityIpFilterRule rule = IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
|
||||||
final String profile = randomAlphaOfLengthBetween(1, 6);
|
final String profile = randomBoolean() ? IPFilter.HTTP_PROFILE_NAME : randomAlphaOfLengthBetween(1, 6);
|
||||||
|
|
||||||
auditTrail.connectionGranted(inetAddress, profile, rule);
|
auditTrail.connectionGranted(inetAddress, profile, rule);
|
||||||
assertEmptyLog(logger);
|
assertEmptyLog(logger);
|
||||||
|
@ -742,7 +744,9 @@ public class LoggingAuditTrailTests extends ESTestCase {
|
||||||
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
|
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
|
||||||
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
||||||
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_granted")
|
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_granted")
|
||||||
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
|
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME,
|
||||||
|
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE
|
||||||
|
: LoggingAuditTrail.TRANSPORT_ORIGIN_FIELD_VALUE)
|
||||||
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
|
||||||
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
|
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
|
||||||
.put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all");
|
.put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all");
|
||||||
|
|
Loading…
Reference in New Issue