Dynamic IP filtering: Disabling does not work in certain cases

Due to a bug in how old settings were stored, disabling dynamic
IP filtering did not work when it had not been changed before.

Closes elastic/elasticsearch#762

Original commit: elastic/x-pack-elasticsearch@0868e1b6f2
Alexander Reelsen 2015-03-06 19:08:49 +01:00
parent a977bb404f
commit 15e0af9c9a
2 changed files with 67 additions and 15 deletions


@ -212,10 +212,10 @@ public class IPFilter extends AbstractLifecycleComponent<IPFilter> {
private void loadValuesFromSettings(Settings settings) {
this.enabled = settings.getAsBoolean(IP_FILTER_ENABLED_SETTING, this.enabled);
this.httpEnabled = settings.getAsBoolean(IP_FILTER_ENABLED_HTTP_SETTING, this.httpEnabled);
this.allowed = settings.getAsArray("shield.transport.filter.allow");
this.denied = settings.getAsArray("shield.transport.filter.deny");
this.httpAllowed = settings.getAsArray("shield.http.filter.allow");
this.httpDenied = settings.getAsArray("shield.http.filter.deny");
this.allowed = settings.getAsArray("shield.transport.filter.allow", this.allowed);
this.denied = settings.getAsArray("shield.transport.filter.deny", this.denied);
this.httpAllowed = settings.getAsArray("shield.http.filter.allow", this.httpAllowed);
this.httpDenied = settings.getAsArray("shield.http.filter.deny", this.httpDenied);
if (settings.getGroups("transport.profiles.").size() == 0) {
profileAllowed = HppcMaps.newMap(0);
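Review bot: The four `getAsArray(key, this.<field>)` assignments now keep the previous allow/deny list when a key is missing from the refreshed settings, but the `transport.profiles.` check right below them still resets `profileAllowed` to an empty map when no profile group is present. The two rule families therefore react differently to the same update. If a refresh can arrive without a key that was set earlier, an old allow entry would stay in force for transport and HTTP while profile rules are dropped, and nothing in the code tells an operator auditing the filter which behaviour is intended. I would put a comment above the assignments, for example `// a key missing from the update keeps the current rules; it does not clear them`, and say next to the profile branch whether the reset there is deliberate. The body of loadValuesFromSettings continues past the end of this hunk, so the profile handling may already account for this.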


@ -49,14 +49,14 @@ public class IpFilteringUpdateTests extends ShieldIntegrationTest {
.put("shield.transport.filter.allow", "127.0.0.1")
.put("shield.transport.filter.deny", "127.0.0.8")
.build();
assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings));
updateSettings(settings);
assertConnectionRejected("default", "127.0.0.8");
settings = settingsBuilder()
.putArray("shield.http.filter.allow", "127.0.0.1")
.putArray("shield.http.filter.deny", "127.0.0.8")
.build();
assertAcked(client().admin().cluster().prepareUpdateSettings().setPersistentSettings(settings));
updateSettings(settings);
assertConnectionRejected("default", "127.0.0.8");
assertConnectionRejected(".http", "127.0.0.8");
@ -64,7 +64,7 @@ public class IpFilteringUpdateTests extends ShieldIntegrationTest {
.put("transport.profiles.client.shield.filter.allow", "127.0.0.1")
.put("transport.profiles.client.shield.filter.deny", "127.0.0.8")
.build();
assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings));
updateSettings(settings);
assertConnectionRejected("default", "127.0.0.8");
assertConnectionRejected(".http", "127.0.0.8");
assertConnectionRejected("client", "127.0.0.8");
@ -73,8 +73,8 @@ public class IpFilteringUpdateTests extends ShieldIntegrationTest {
ClusterState clusterState = client().admin().cluster().prepareState().get().getState();
assertThat(clusterState.metaData().settings().get("shield.transport.filter.allow"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("shield.transport.filter.deny"), is("127.0.0.8"));
assertThat(clusterState.metaData().persistentSettings().get("shield.http.filter.allow.0"), is("127.0.0.1"));
assertThat(clusterState.metaData().persistentSettings().get("shield.http.filter.deny.0"), is("127.0.0.8"));
assertThat(clusterState.metaData().settings().get("shield.http.filter.allow.0"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("shield.http.filter.deny.0"), is("127.0.0.8"));
assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.allow"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.deny"), is("127.0.0.8"));
@ -83,17 +83,69 @@ public class IpFilteringUpdateTests extends ShieldIntegrationTest {
.put(IPFilter.IP_FILTER_ENABLED_SETTING, false)
.put(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, true)
.build();
assertAcked(client().admin().cluster().prepareUpdateSettings().setPersistentSettings(settings));
updateSettings(settings);
assertConnectionAccepted("default", "127.0.0.8");
assertConnectionAccepted("client", "127.0.0.8");
// disabling should not have any effect on the cluster state settings
clusterState = client().admin().cluster().prepareState().get().getState();
assertThat(clusterState.metaData().settings().get("shield.transport.filter.allow"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("shield.transport.filter.deny"), is("127.0.0.8"));
assertThat(clusterState.metaData().settings().get("shield.http.filter.allow.0"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("shield.http.filter.deny.0"), is("127.0.0.8"));
assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.allow"), is("127.0.0.1"));
assertThat(clusterState.metaData().settings().get("transport.profiles.client.shield.filter.deny"), is("127.0.0.8"));
// now also disable for HTTP
assertConnectionRejected(".http", "127.0.0.8");
settings = settingsBuilder()
.put(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, false)
if (httpEnabled) {
assertConnectionRejected(".http", "127.0.0.8");
settings = settingsBuilder()
.put(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, false)
.build();
// as we permanently switch between persistent and transient settings, just set both here to make sure we overwrite
assertAcked(client().admin().cluster().prepareUpdateSettings().setPersistentSettings(settings));
assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings));
assertConnectionAccepted(".http", "127.0.0.8");
}
}
@Test // issue #762, occured because in the above test we use HTTP and transport
public void testThatDisablingIpFilterWorksAsExpected() throws Exception {
Settings settings = settingsBuilder()
.put("shield.transport.filter.deny", "127.0.0.8")
.build();
assertAcked(client().admin().cluster().prepareUpdateSettings().setPersistentSettings(settings));
assertConnectionAccepted(".http", "127.0.0.8");
updateSettings(settings);
assertConnectionRejected("default", "127.0.0.8");
settings = settingsBuilder()
.put("shield.transport.filter.enabled", false)
.build();
updateSettings(settings);
assertConnectionAccepted("default", "127.0.0.8");
}
@Test
public void testThatDisablingIpFilterForProfilesWorksAsExpected() throws Exception {
Settings settings = settingsBuilder()
.put("transport.profiles.myprofile.shield.filter.deny", "127.0.0.8")
.build();
updateSettings(settings);
assertConnectionRejected("myprofile", "127.0.0.8");
settings = settingsBuilder()
.put("shield.transport.filter.enabled", false)
.build();
updateSettings(settings);
assertConnectionAccepted("myprofile", "127.0.0.8");
}
private void updateSettings(Settings settings) {
if (randomBoolean()) {
assertAcked(client().admin().cluster().prepareUpdateSettings().setPersistentSettings(settings));
} else {
assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings));
}
}
private void assertConnectionAccepted(String profile, String host) throws UnknownHostException {