Fix origin.type for connection_* audit events (#36410)

The `origin.type` field's permitted values are now `rest` or
`transport` (as the docs declare) instead of `ip_filter`.
Albert Zaharovits 2018-12-10 21:54:47 +02:00 committed by GitHub
parent 0909a631ba
commit 01afeff55d
2 changed files with 13 additions and 6 deletions


@ -35,6 +35,7 @@ import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.audit.AuditLevel; import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail; import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.rest.RemoteHostHeader; import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule; import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
import com.fasterxml.jackson.core.io.JsonStringEncoder; import com.fasterxml.jackson.core.io.JsonStringEncoder;
@ -513,7 +514,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
final StringMapMessage logEntry = new LogEntryBuilder() final StringMapMessage logEntry = new LogEntryBuilder()
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE) .with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
.with(EVENT_ACTION_FIELD_NAME, "connection_granted") .with(EVENT_ACTION_FIELD_NAME, "connection_granted")
.with(ORIGIN_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE) .with(ORIGIN_TYPE_FIELD_NAME,
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile) .with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString()) .with(RULE_FIELD_NAME, rule.toString())
@ -529,7 +531,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
final StringMapMessage logEntry = new LogEntryBuilder() final StringMapMessage logEntry = new LogEntryBuilder()
.with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE) .with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
.with(EVENT_ACTION_FIELD_NAME, "connection_denied") .with(EVENT_ACTION_FIELD_NAME, "connection_denied")
.with(ORIGIN_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE) .with(ORIGIN_TYPE_FIELD_NAME,
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile) .with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString()) .with(RULE_FIELD_NAME, rule.toString())
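Review bot: The mapping `IPFilter.HTTP_PROFILE_NAME.equals(profile) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE` is now written out twice, once in the connection_granted builder and once in the connection_denied builder, so a later change to how a profile maps to an origin can update one audit event and miss the other. A small private helper such as `private static String originTypeForProfile(String profile)` would keep the two events in agreement. In the lines shown, `event.type` is still filled from `IP_FILTER_ORIGIN_FIELD_VALUE`, whose name reads as an origin value although it is no longer used as one here; a rename or a one-line comment would avoid that confusion. Because the emitted `origin.type` value changes for existing events, any log filter or alert keyed on the old value will presumably stop matching without an error, which deserves a line in the release notes. Both builder chains start and end outside the hunks shown.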


@ -700,13 +700,15 @@ public class LoggingAuditTrailTests extends ESTestCase {
public void testConnectionDenied() throws Exception { public void testConnectionDenied() throws Exception {
final InetAddress inetAddress = InetAddress.getLoopbackAddress(); final InetAddress inetAddress = InetAddress.getLoopbackAddress();
final SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all"); final SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
final String profile = randomAlphaOfLengthBetween(1, 6); final String profile = randomBoolean() ? IPFilter.HTTP_PROFILE_NAME : randomAlphaOfLengthBetween(1, 6);
auditTrail.connectionDenied(inetAddress, profile, rule); auditTrail.connectionDenied(inetAddress, profile, rule);
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields); final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE) checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_denied") .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_denied")
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE) .put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME,
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE
: LoggingAuditTrail.TRANSPORT_ORIGIN_FIELD_VALUE)
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile) .put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
.put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all"); .put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all");
@ -727,7 +729,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
public void testConnectionGranted() throws Exception { public void testConnectionGranted() throws Exception {
final InetAddress inetAddress = InetAddress.getLoopbackAddress(); final InetAddress inetAddress = InetAddress.getLoopbackAddress();
final SecurityIpFilterRule rule = IPFilter.DEFAULT_PROFILE_ACCEPT_ALL; final SecurityIpFilterRule rule = IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
final String profile = randomAlphaOfLengthBetween(1, 6); final String profile = randomBoolean() ? IPFilter.HTTP_PROFILE_NAME : randomAlphaOfLengthBetween(1, 6);
auditTrail.connectionGranted(inetAddress, profile, rule); auditTrail.connectionGranted(inetAddress, profile, rule);
assertEmptyLog(logger); assertEmptyLog(logger);
@ -742,7 +744,9 @@ public class LoggingAuditTrailTests extends ESTestCase {
final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields); final MapBuilder<String, String> checkedFields = new MapBuilder<>(commonFields);
checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE) checkedFields.put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE)
.put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_granted") .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "connection_granted")
.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE) .put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME,
IPFilter.HTTP_PROFILE_NAME.equals(profile) ? LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE
: LoggingAuditTrail.TRANSPORT_ORIGIN_FIELD_VALUE)
.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile) .put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile)
.put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all"); .put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all");
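Review bot: The expected `origin.type` in testConnectionDenied and testConnectionGranted is computed with the same ternary and the same constants as the production code, so both tests would still pass if `REST_ORIGIN_FIELD_VALUE` or `TRANSPORT_ORIGIN_FIELD_VALUE` held the wrong string. Since the commit exists to make the field emit the documented values, asserting the literals would pin that contract, for example `.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, IPFilter.HTTP_PROFILE_NAME.equals(profile) ? "rest" : "transport")`. The `randomBoolean()` choice of profile also means a single run exercises only one of the two branches; running the assertions once for the HTTP profile and once for a random profile would cover both on every run. Both test methods continue outside the hunks shown.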