From e4753656bc9a29122431d8e4871a354c545d5c1c Mon Sep 17 00:00:00 2001 From: Dimitris Athanasiou Date: Wed, 13 Sep 2017 09:12:39 +0100 Subject: [PATCH 1/9] [ML] Randomize default datafeed query delay (elastic/x-pack-elasticsearch#2475) Changes the default query delay from 1m to a random value between 1m and 2m. The motivation is to avoid having multiple jobs firing their searches at the same time which may potentially lead to increased load on the machine. relates elastic/x-pack-elasticsearch#2472 Original commit: elastic/x-pack-elasticsearch@3224e836fa436799edbb2aafd7dabf153832ca99 --- .../xpack/ml/datafeed/DatafeedConfig.java | 16 +++++++-- .../ml/datafeed/DatafeedConfigTests.java | 34 ++++++++++++++++--- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfig.java b/plugin/src/main/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfig.java index 41bf6c6fee5..d3207499512 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfig.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfig.java @@ -41,6 +41,7 @@ import java.util.EnumMap; import java.util.List; import java.util.Map; import java.util.Objects; +import java.util.Random; import java.util.concurrent.TimeUnit; /** 
@@ -352,12 +353,13 @@ public class DatafeedConfig extends AbstractDiffable implements public static class Builder { private static final int DEFAULT_SCROLL_SIZE = 1000; - private static final TimeValue DEFAULT_QUERY_DELAY = TimeValue.timeValueMinutes(1); + private static final TimeValue MIN_DEFAULT_QUERY_DELAY = TimeValue.timeValueMinutes(1); + private static final TimeValue MAX_DEFAULT_QUERY_DELAY = TimeValue.timeValueMinutes(2); private static final int DEFAULT_AGGREGATION_CHUNKING_BUCKETS = 1000; private String id; private String jobId; - private TimeValue queryDelay = DEFAULT_QUERY_DELAY; + private TimeValue queryDelay; private TimeValue frequency; private List indices = Collections.emptyList(); private List types = Collections.emptyList(); @@ -460,6 +462,7 @@ public class DatafeedConfig extends AbstractDiffable implements } validateAggregations(); setDefaultChunkingConfig(); + setDefaultQueryDelay(); return new DatafeedConfig(id, jobId, queryDelay, frequency, indices, types, query, aggregations, scriptFields, scrollSize, chunkingConfig); } @@ -530,6 +533,15 @@ public class DatafeedConfig extends AbstractDiffable implements } } + private void setDefaultQueryDelay() { + if (queryDelay == null) { + Random random = new Random(jobId.hashCode()); + long delayMillis = random.longs(MIN_DEFAULT_QUERY_DELAY.millis(), MAX_DEFAULT_QUERY_DELAY.millis()) + .findFirst().getAsLong(); + queryDelay = TimeValue.timeValueMillis(delayMillis); + } + } + private static ElasticsearchException invalidOptionValue(String fieldName, Object value) { String msg = Messages.getMessage(Messages.DATAFEED_CONFIG_INVALID_OPTION_VALUE, fieldName, value); throw ExceptionsHelper.badRequestException(msg); diff --git a/plugin/src/test/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfigTests.java b/plugin/src/test/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfigTests.java index d0bdb4c8404..57be39f7612 100644 
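Review bot: `setDefaultQueryDelay()` dereferences `jobId` in `new Random(jobId.hashCode())` and has no comment explaining the seed. Any null check on `jobId` in `build()` sits above the visible part of that hunk, so confirm it runs before this call. Seeding from the id makes the default a fixed function of the job id rather than a fresh draw on each build; that looks intentional but should be stated, e.g. `// Seeded with the job id so a given job always gets the same default; java.util.Random is enough here because the value only spreads load`. The `queryDelay` field is also null until `build()` now, so any Builder code outside these hunks that reads it earlier needs to tolerate null.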
--- a/plugin/src/test/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfigTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/ml/datafeed/DatafeedConfigTests.java @@ -33,18 +33,23 @@ import org.elasticsearch.search.builder.SearchSourceBuilder.ScriptField; import org.elasticsearch.test.AbstractSerializingTestCase; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.ml.datafeed.ChunkingConfig.Mode; +import org.elasticsearch.xpack.ml.job.config.JobTests; import org.elasticsearch.xpack.ml.job.messages.Messages; import org.joda.time.DateTimeZone; import java.io.IOException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.TimeZone; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.lessThan; +import static org.hamcrest.Matchers.not; public class DatafeedConfigTests extends AbstractSerializingTestCase { 
@@ -162,15 +167,36 @@ public class DatafeedConfigTests extends AbstractSerializingTestCase Date: Wed, 13 Sep 2017 14:53:44 +0100 Subject: [PATCH 2/9] [ML] Add random offset to the maintenance task execution time (elastic/x-pack-elasticsearch#2483) Currently the maintenance task is executed at 30 minutes past midnight of each day. In the scenario where multiple clusters are running on the same hardware infrastructure they all will be running at the same time, competing for resources. This commit changes this by adding a random offset to the execution time which ranges from 0 to 119 minutes. The minute granularity means that different offsets give at least 1 minute for the maintenance task to end. Moreover, the 2 hour window gives enough slots for different offsets to occur and remains within what most people would think as "middle of the night". relates elastic/x-pack-elasticsearch#2273 Original commit: elastic/x-pack-elasticsearch@b538923aca6f119ac4f8b1b9602eea02ef4c3aa3 --- .../xpack/ml/MlDailyMaintenanceService.java | 30 ++++++++++++++----- .../xpack/ml/MlInitializationService.java | 8 ++--- .../ml/MlInitializationServiceTests.java | 6 ++-- 3 files changed, 30 insertions(+), 14 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ml/MlDailyMaintenanceService.java b/plugin/src/main/java/org/elasticsearch/xpack/ml/MlDailyMaintenanceService.java index 481600877b3..6c926d61b22 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/ml/MlDailyMaintenanceService.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ml/MlDailyMaintenanceService.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.ml; import org.apache.logging.log4j.Logger; import org.elasticsearch.client.Client; +import org.elasticsearch.cluster.ClusterName; import org.elasticsearch.common.lease.Releasable; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.unit.TimeValue; 
@@ -18,6 +19,7 @@ import org.joda.time.DateTime; import org.joda.time.chrono.ISOChronology; import java.util.Objects; +import java.util.Random; import java.util.concurrent.ScheduledFuture; import java.util.function.Supplier; @@ -28,6 +30,8 @@ public class MlDailyMaintenanceService implements Releasable { private static final Logger LOGGER = Loggers.getLogger(MlDailyMaintenanceService.class); + private static final int MAX_TIME_OFFSET_MINUTES = 120; + private final ThreadPool threadPool; private final Client client; 
@@ -45,16 +49,26 @@ public class MlDailyMaintenanceService implements Releasable { this.schedulerProvider = Objects.requireNonNull(scheduleProvider); } - public MlDailyMaintenanceService(ThreadPool threadPool, Client client) { - this(threadPool, client, createAfterMidnightScheduleProvider()); + public MlDailyMaintenanceService(ClusterName clusterName, ThreadPool threadPool, Client client) { + this(threadPool, client, () -> delayToNextTime(clusterName)); } - private static Supplier createAfterMidnightScheduleProvider() { - return () -> { - DateTime now = DateTime.now(ISOChronology.getInstance()); - DateTime next = now.plusDays(1).withTimeAtStartOfDay().plusMinutes(30); - return TimeValue.timeValueMillis(next.getMillis() - now.getMillis()); - }; + /** + * Calculates the delay until the next time the maintenance should be triggered. + * The next time is 30 minutes past midnight of the following day plus a random + * offset. The random offset is added in order to avoid multiple clusters + * running the maintenance tasks at the same time. A cluster with a given name + * shall have the same offset throughout its life. + * + * @param clusterName the cluster name is used to seed the random offset + * @return the delay to the next time the maintenance should be triggered + */ + private static TimeValue delayToNextTime(ClusterName clusterName) { + Random random = new Random(clusterName.hashCode()); + int minutesOffset = random.ints(0, MAX_TIME_OFFSET_MINUTES).findFirst().getAsInt(); + DateTime now = DateTime.now(ISOChronology.getInstance()); + DateTime next = now.plusDays(1).withTimeAtStartOfDay().plusMinutes(30).plusMinutes(minutesOffset); + return TimeValue.timeValueMillis(next.getMillis() - now.getMillis()); } public void start() { diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ml/MlInitializationService.java b/plugin/src/main/java/org/elasticsearch/xpack/ml/MlInitializationService.java index 4006ffe806f..a63a6e77381 100644 
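Review bot: Seeding the offset in `delayToNextTime` with `clusterName.hashCode()` gives every cluster that shares a name the same offset. Clusters left on a common or default name on shared hardware would therefore still start maintenance in the same minute, which is the contention the commit message sets out to avoid. If a value that is stable and unique per cluster is reachable here (nothing in the hunk shows one), seeding from it would spread those clusters as well. Otherwise the Javadoc should state the limit, e.g. `Clusters with the same name get the same offset.` The upper bound in `random.ints(0, MAX_TIME_OFFSET_MINUTES)` is exclusive, so a short comment on the constant such as `// exclusive upper bound: offsets are 0..119 minutes` would prevent an off-by-one reading.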
--- a/plugin/src/main/java/org/elasticsearch/xpack/ml/MlInitializationService.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ml/MlInitializationService.java @@ -63,7 +63,7 @@ class MlInitializationService extends AbstractComponent implements ClusterStateL private void installMlMetadata(MetaData metaData) { if (metaData.custom(MlMetadata.TYPE) == null) { if (installMlMetadataCheck.compareAndSet(false, true)) { - threadPool.executor(ThreadPool.Names.GENERIC).execute(() -> { + threadPool.executor(ThreadPool.Names.GENERIC).execute(() -> clusterService.submitStateUpdateTask("install-ml-metadata", new ClusterStateUpdateTask() { @Override public ClusterState execute(ClusterState currentState) throws Exception { @@ -83,8 +83,8 @@ class MlInitializationService extends AbstractComponent implements ClusterStateL installMlMetadataCheck.set(false); logger.error("unable to install ml metadata", e); } - }); - }); + }) + ); } } else { installMlMetadataCheck.set(false); @@ -93,7 +93,7 @@ class MlInitializationService extends AbstractComponent implements ClusterStateL private void installDailyMaintenanceService() { if (mlDailyMaintenanceService == null) { - mlDailyMaintenanceService = new MlDailyMaintenanceService(threadPool, client); + mlDailyMaintenanceService = new MlDailyMaintenanceService(clusterService.getClusterName(), threadPool, client); mlDailyMaintenanceService.start(); clusterService.addLifecycleListener(new LifecycleListener() { @Override diff --git a/plugin/src/test/java/org/elasticsearch/xpack/ml/MlInitializationServiceTests.java b/plugin/src/test/java/org/elasticsearch/xpack/ml/MlInitializationServiceTests.java index 7adfc0cbd84..e4672af0b8a 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/ml/MlInitializationServiceTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/ml/MlInitializationServiceTests.java 
@@ -40,6 +40,8 @@ import static org.mockito.Mockito.when; public class MlInitializationServiceTests extends ESTestCase { + private static final ClusterName CLUSTER_NAME = new ClusterName("my_cluster"); + private ThreadPool threadPool; private ExecutorService executorService; private ClusterService clusterService; @@ -60,6 +62,8 @@ public class MlInitializationServiceTests extends ESTestCase { ScheduledFuture scheduledFuture = mock(ScheduledFuture.class); when(threadPool.schedule(any(), any(), any())).thenReturn(scheduledFuture); + + when(clusterService.getClusterName()).thenReturn(CLUSTER_NAME); } public void testInitialize() throws Exception { @@ -93,7 +97,6 @@ public class MlInitializationServiceTests extends ESTestCase { } public void testInitialize_alreadyInitialized() throws Exception { - ClusterService clusterService = mock(ClusterService.class); MlInitializationService initializationService = new MlInitializationService(Settings.EMPTY, threadPool, clusterService, client); ClusterState cs = ClusterState.builder(new ClusterName("_name")) @@ -113,7 +116,6 @@ public class MlInitializationServiceTests extends ESTestCase { } public void testInitialize_onlyOnce() throws Exception { - ClusterService clusterService = mock(ClusterService.class); MlInitializationService initializationService = new MlInitializationService(Settings.EMPTY, threadPool, clusterService, client); ClusterState cs = ClusterState.builder(new ClusterName("_name")) From f30e5c3fee2746d95b0011b51b85d50f30a0c1a6 Mon Sep 17 00:00:00 2001 
From: Jay Modi Date: Wed, 13 Sep 2017 13:11:54 -0600 Subject: [PATCH 3/9] Register the legacy truststore password setting for the PKI realm (elastic/x-pack-elasticsearch#2487) After the addition of the secure settings in 5.6, the truststore.password setting for the PKI realm was no longer registered. This would cause new nodes to fail for customers that were upgrading and had configured a PKI realm with a truststore. This change registers the setting and adds a test to ensure a realm configuration with the old setting passes validation. Relates elastic/support-dev-help#2505 Original commit: elastic/x-pack-elasticsearch@54da044a27d87f093a65bbf75fb15f835e004ac3 --- .../xpack/security/authc/pki/PkiRealm.java | 1 + .../xpack/ssl/SSLConfigurationSettings.java | 4 +++- .../security/authc/pki/PkiRealmTests.java | 20 +++++++++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java index 78f9b9e9766..c4c948ef168 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java @@ -209,6 +209,7 @@ public class PkiRealm extends Realm { settings.add(SSL_SETTINGS.truststorePath); settings.add(SSL_SETTINGS.truststorePassword); + settings.add(SSL_SETTINGS.legacyTruststorePassword); settings.add(SSL_SETTINGS.truststoreAlgorithm); settings.add(SSL_SETTINGS.caPaths); diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java index 248181b9b23..03a9b244137 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLConfigurationSettings.java 
@@ -47,10 +47,12 @@ public class SSLConfigurationSettings { public final Setting> clientAuth; public final Setting> verificationMode; + // public for PKI realm + public final Setting legacyTruststorePassword; + // pkg private for tests final Setting legacyKeystorePassword; final Setting legacyKeystoreKeyPassword; - final Setting legacyTruststorePassword; final Setting legacyKeyPassword; private final List> allSettings; diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index a68f0806bc0..12869ff3104 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java 
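Review bot: Making `legacyTruststorePassword` public here and registering it in `PkiRealm` (`settings.add(SSL_SETTINGS.legacyTruststorePassword);` in the previous file) re-admits a truststore password kept in plain node configuration rather than in the secure settings store. The setting's declaration is outside both hunks, so confirm it is marked deprecated and filtered, so that the value is not returned by the settings APIs or written to logs. The field comment `// public for PKI realm` could carry the reason, e.g. `// public so PkiRealm can register the legacy plain-text password setting for nodes upgraded from pre-secure-settings configs`.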
@@ -11,25 +11,31 @@ import java.nio.file.Files; import java.nio.file.Path; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import java.util.regex.Pattern; import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.support.PlainActionFuture; +import org.elasticsearch.common.settings.ClusterSettings; import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Setting; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.env.Environment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.security.authc.AuthenticationResult; import org.elasticsearch.xpack.security.authc.RealmConfig; +import org.elasticsearch.xpack.security.authc.RealmSettings; import org.elasticsearch.xpack.security.authc.support.UserRoleMapper; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.support.NoOpLogger; import org.elasticsearch.xpack.security.user.User; +import org.elasticsearch.xpack.ssl.SSLConfigurationSettings; import org.junit.Before; import org.mockito.Mockito; 
@@ -248,6 +254,20 @@ public class PkiRealmTests extends ESTestCase { assertThat(token.dn(), is("EMAILADDRESS=pki@elastic.co, CN=PKI Client, OU=Security")); } + public void testPKIRealmSettingsPassValidation() throws Exception { + Settings settings = Settings.builder() + .put("xpack.security.authc.realms.pki1.type", "pki") + .put("xpack.security.authc.realms.pki1.truststore.path", "/foo/bar") + .put("xpack.security.authc.realms.pki1.truststore.password", "supersecret") + .build(); + List> settingList = new ArrayList<>(); + RealmSettings.addSettings(settingList, Collections.emptyList()); + ClusterSettings clusterSettings = new ClusterSettings(settings, new HashSet<>(settingList)); + clusterSettings.validate(settings); + + assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword }); + } + static X509Certificate readCert(Path path) throws Exception { try (InputStream in = Files.newInputStream(path)) { CertificateFactory factory = CertificateFactory.getInstance("X.509"); From 01a921a8e3177a8e8aad935b076dd86d4b63ce29 Mon Sep 17 00:00:00 2001 
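Review bot: `testPKIRealmSettingsPassValidation` only shows that `clusterSettings.validate(settings)` accepts `truststore.password` and that a deprecation warning is raised. It does not exercise a realm that actually opens its truststore with the legacy value, nor a configuration that supplies both the legacy and the secure password, so which one wins is untested here. A second case covering the both-set configuration would pin the precedence. At minimum, add a comment on the test such as `// validation only: does not load the truststore`.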
From: Simon Willnauer Date: Wed, 13 Sep 2017 22:14:29 +0200 Subject: [PATCH 4/9] Accept BootstrapContext in xpack (elastic/x-pack-elasticsearch#2486) This is the xpack side of elastic/elasticsearch#26628 Original commit: elastic/x-pack-elasticsearch@f6c0599ee28594c732dd287faa7f152d0fff44ac --- .../security/PkiRealmBootstrapCheck.java | 8 +++--- .../xpack/security/Security.java | 6 ++--- .../security/TokenSSLBootstrapCheck.java | 14 ++++------- .../RoleMappingFileBootstrapCheck.java | 3 ++- .../xpack/ssl/SSLBootstrapCheck.java | 9 +++---- .../EncryptSensitiveDataBootstrapCheck.java | 10 ++++---- .../elasticsearch/xpack/watcher/Watcher.java | 2 +- .../security/PkiRealmBootstrapCheckTests.java | 22 ++++++++-------- .../security/TokenSSLBootsrapCheckTests.java | 15 +++++------ .../RoleMappingFileBootstrapCheckTests.java | 9 ++++--- .../xpack/ssl/SSLBootstrapCheckTests.java | 25 ++++++++++--------- ...cryptSensitiveDataBootstrapCheckTests.java | 13 +++++----- 12 files changed, 69 insertions(+), 67 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java index 3001d82b495..ad31761cd24 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.security; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.xpack.security.authc.RealmSettings; import org.elasticsearch.xpack.security.authc.pki.PkiRealm; 
@@ -20,10 +21,8 @@ import static org.elasticsearch.xpack.security.Security.setting; class PkiRealmBootstrapCheck implements BootstrapCheck { private final SSLService sslService; - private final Settings settings; - PkiRealmBootstrapCheck(Settings settings, SSLService sslService) { - this.settings = settings; + PkiRealmBootstrapCheck(SSLService sslService) { this.sslService = sslService; } @@ -32,7 +31,8 @@ class PkiRealmBootstrapCheck implements BootstrapCheck { * least one network communication layer. */ @Override - public boolean check() { + public boolean check(BootstrapContext context) { + final Settings settings = context.settings; final boolean pkiRealmEnabled = settings.getGroups(RealmSettings.PREFIX).values().stream() .filter(s -> PkiRealm.TYPE.equals(s.get("type"))) .anyMatch(s -> s.getAsBoolean("enabled", true)); diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java b/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java index b205683b2bc..dd9de5bc2ae 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -242,9 +242,9 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin, Clus // fetched final List checks = new ArrayList<>(); checks.addAll(Arrays.asList( - new SSLBootstrapCheck(sslService, settings, env), - new TokenSSLBootstrapCheck(settings), - new PkiRealmBootstrapCheck(settings, sslService))); + new SSLBootstrapCheck(sslService, env), + new TokenSSLBootstrapCheck(), + new PkiRealmBootstrapCheck(sslService))); checks.addAll(InternalRealms.getBootstrapChecks(settings)); this.bootstrapChecks = Collections.unmodifiableList(checks); } else { diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java index dfeeb05805c..cf3a1b48ae3 100644 
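Review bot: `PkiRealmBootstrapCheck.check(BootstrapContext)` now takes the realm groups from `context.settings`, while the `SSLService` it consults was built from the settings passed to the plugin constructor. The two inputs are therefore no longer the same object by construction. If they ever differ, the check could judge client authentication against a different configuration than the one that enabled the PKI realm. The same split applies to `SSLBootstrapCheck.check` in its later hunk. A Javadoc line on both methods would record the assumption, e.g. `context.settings must be the node settings the SSLService was created from`. The rest of the `check` body lies outside the hunk.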
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.security; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.xpack.XPackSettings; @@ -15,16 +16,11 @@ import org.elasticsearch.xpack.XPackSettings; */ final class TokenSSLBootstrapCheck implements BootstrapCheck { - private final Settings settings; - - TokenSSLBootstrapCheck(Settings settings) { - this.settings = settings; - } - @Override - public boolean check() { - if (NetworkModule.HTTP_ENABLED.get(settings)) { - return XPackSettings.HTTP_SSL_ENABLED.get(settings) == false && XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings); + public boolean check(BootstrapContext context) { + if (NetworkModule.HTTP_ENABLED.get(context.settings)) { + return XPackSettings.HTTP_SSL_ENABLED.get(context.settings) == false && XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get + (context.settings); } return false; } diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java index 04de860b1b2..9b6e0880401 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java @@ -9,6 +9,7 @@ import java.nio.file.Path; import org.apache.lucene.util.SetOnce; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.xpack.security.authc.RealmConfig; /** 
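Review bot: The new return statement in `TokenSSLBootstrapCheck.check` is wrapped between `TOKEN_SERVICE_ENABLED_SETTING.get` and its argument list `(context.settings)`, which makes the condition hard to read for a check that guards token use over plain HTTP. Binding the settings once, as `PkiRealmBootstrapCheck` does with `final Settings settings = context.settings;`, lets the original one-line expression `XPackSettings.HTTP_SSL_ENABLED.get(settings) == false && XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings)` stay as it was. It also keeps the existing `Settings` import in use.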
@@ -27,7 +28,7 @@ public class RoleMappingFileBootstrapCheck implements BootstrapCheck { } @Override - public boolean check() { + public boolean check(BootstrapContext context) { try { DnRoleMapper.parseFile(path, realmConfig.logger(getClass()), realmConfig.type(), realmConfig.name(), true); return false; diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java index 909dd7228fb..4146215369a 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.ssl; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.inject.internal.Nullable; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; @@ -33,18 +34,16 @@ import java.util.stream.Stream; public final class SSLBootstrapCheck implements BootstrapCheck { private final SSLService sslService; - private final Settings settings; private final Environment environment; - public SSLBootstrapCheck(SSLService sslService, Settings settings, @Nullable Environment environment) { + public SSLBootstrapCheck(SSLService sslService, @Nullable Environment environment) { this.sslService = sslService; - this.settings = settings; this.environment = environment; } @Override - public boolean check() { - final Settings transportSSLSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); + public boolean check(BootstrapContext context) { + final Settings transportSSLSettings = context.settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); return sslService.sslConfiguration(transportSSLSettings).keyConfig() == KeyConfig.NONE || isDefaultCACertificateTrusted() || isDefaultPrivateKeyUsed(); } 
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java index 9da35e4e2ec..d9eafe414dc 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.watcher; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.XPackPlugin; @@ -15,17 +16,16 @@ import java.nio.file.Path; final class EncryptSensitiveDataBootstrapCheck implements BootstrapCheck { - private final Settings settings; private final Environment environment; - EncryptSensitiveDataBootstrapCheck(Settings settings, Environment environment) { - this.settings = settings; + EncryptSensitiveDataBootstrapCheck(Environment environment) { this.environment = environment; } @Override - public boolean check() { - return Watcher.ENCRYPT_SENSITIVE_DATA_SETTING.get(settings) && Watcher.ENCRYPTION_KEY_SETTING.exists(settings) == false; + public boolean check(BootstrapContext context) { + return Watcher.ENCRYPT_SENSITIVE_DATA_SETTING.get(context.settings) + && Watcher.ENCRYPTION_KEY_SETTING.exists(context.settings) == false; } @Override diff --git a/plugin/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java b/plugin/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java index 579ef9e57d3..8d3f901ad85 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java 
@@ -518,6 +518,6 @@ public class Watcher implements ActionPlugin { } public List getBootstrapChecks() { - return Collections.singletonList(new EncryptSensitiveDataBootstrapCheck(settings, new Environment(settings))); + return Collections.singletonList(new EncryptSensitiveDataBootstrapCheck(new Environment(settings))); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 5f6e0b4559a..0ce3ebd9b2a 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -5,6 +5,7 @@ */ package org.elasticsearch.xpack.security; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; import org.elasticsearch.test.ESTestCase; @@ -14,8 +15,9 @@ import org.elasticsearch.xpack.ssl.SSLService; public class PkiRealmBootstrapCheckTests extends ESTestCase { public void testPkiRealmBootstrapDefault() throws Exception { - assertFalse(new PkiRealmBootstrapCheck(Settings.EMPTY, new SSLService(Settings.EMPTY, - new Environment(Settings.builder().put("path.home", createTempDir()).build()))).check()); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(Settings.EMPTY, + new Environment(Settings.builder().put("path.home", createTempDir()).build()))).check((new BootstrapContext(Settings + .EMPTY, null)))); } public void testBootstrapCheckWithPkiRealm() throws Exception { 
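Review bot: In `testPkiRealmBootstrapDefault` the new call is written as `check((new BootstrapContext(Settings .EMPTY, null)))`, with redundant parentheses and a line break inside `Settings.EMPTY`. The following hunks of this test class and `TokenSSLBootsrapCheckTests` repeat `new BootstrapContext(settings, null)` on every assertion. A small private helper would remove the noise and give the `null` second argument one documented place, e.g. `private static BootstrapContext context(Settings settings) { return new BootstrapContext(settings, null); }`.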
@@ -24,42 +26,42 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("path.home", createTempDir()) .build(); Environment env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // disable client auth default settings = Settings.builder().put(settings) .put("xpack.ssl.client_authentication", "none") .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // enable ssl for http settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.enabled", true) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // enable client auth for http settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // disable http ssl settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.enabled", false) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // set transport client auth settings = Settings.builder().put(settings) 
.put("xpack.security.transport.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); // test with transport profile settings = Settings.builder().put(settings) @@ -67,7 +69,7 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); } public void testBootstrapCheckWithDisabledRealm() throws Exception { @@ -78,6 +80,6 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("path.home", createTempDir()) .build(); Environment env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(settings, new SSLService(settings, env)).check()); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java index a795498b2b4..39b33eab0e9 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java 
@@ -5,39 +5,40 @@ */ package org.elasticsearch.xpack.security; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.xpack.XPackSettings; -import org.elasticsearch.xpack.security.TokenSSLBootstrapCheck; public class TokenSSLBootsrapCheckTests extends ESTestCase { public void testTokenSSLBootstrapCheck() { Settings settings = Settings.EMPTY; - assertFalse(new TokenSSLBootstrapCheck(settings).check()); + + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); settings = Settings.builder() .put(NetworkModule.HTTP_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertFalse(new TokenSSLBootstrapCheck(settings).check()); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); settings = Settings.builder().put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); - assertFalse(new TokenSSLBootstrapCheck(settings).check()); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); // XPackSettings.HTTP_SSL_ENABLED default false settings = Settings.builder().put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertTrue(new TokenSSLBootstrapCheck(settings).check()); + assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); settings = Settings.builder() .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertTrue(new TokenSSLBootstrapCheck(settings).check()); + assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); settings = Settings.builder() .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true) 
.put(NetworkModule.HTTP_ENABLED.getKey(), false).build(); - assertFalse(new TokenSSLBootstrapCheck(settings).check()); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java index 5894076039b..629df88dc6c 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java @@ -12,6 +12,7 @@ import java.nio.file.Path; import java.util.Collections; import org.elasticsearch.bootstrap.BootstrapCheck; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.ESTestCase; @@ -45,7 +46,7 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(), equalTo(false)); + assertThat(check.check(new BootstrapContext(settings, null)), equalTo(false)); } public void testBootstrapCheckOfMissingFile() { 
@@ -58,7 +59,7 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(), equalTo(true)); + assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); assertThat(check.errorMessage(), containsString("the-realm-name")); assertThat(check.errorMessage(), containsString(fileName)); assertThat(check.errorMessage(), containsString("does not exist")); @@ -76,7 +77,7 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(), equalTo(true)); + assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); assertThat(check.errorMessage(), containsString("the-realm-name")); assertThat(check.errorMessage(), containsString(file.toString())); assertThat(check.errorMessage(), containsString("could not read")); @@ -94,7 +95,7 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(), equalTo(true)); + assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); assertThat(check.errorMessage(), containsString("the-realm-name")); assertThat(check.errorMessage(), containsString(file.toString())); assertThat(check.errorMessage(), containsString("invalid DN")); diff --git a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java index 83a9b542392..734814cc6b6 100644 
--- a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java @@ -5,6 +5,7 @@ */ package org.elasticsearch.xpack.ssl; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; @@ -14,8 +15,8 @@ public class SSLBootstrapCheckTests extends ESTestCase { public void testSSLBootstrapCheckWithNoKey() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, null); - SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(sslService, Settings.EMPTY, null); - assertTrue(bootstrapCheck.check()); + SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(sslService, null); + assertTrue(bootstrapCheck.check(new BootstrapContext(Settings.EMPTY, null))); } public void testSSLBootstrapCheckWithKey() throws Exception { @@ -31,8 +32,8 @@ public class SSLBootstrapCheckTests extends ESTestCase { .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; - SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), settings, env); - assertFalse(bootstrapCheck.check()); + SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); + assertFalse(bootstrapCheck.check(new BootstrapContext(settings, null))); } public void testSSLBootstrapCheckWithDefaultCABeingTrusted() throws Exception { 
@@ -51,15 +52,15 @@ public class SSLBootstrapCheckTests extends ESTestCase { .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; - SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), settings, env); - assertTrue(bootstrapCheck.check()); + SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); settings = Settings.builder().put(settings.filter((s) -> s.contains(".certificate_authorities"))) .put("xpack.security.http.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString()) .build(); - bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), settings, env); - assertTrue(bootstrapCheck.check()); + bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); } public void testSSLBootstrapCheckWithDefaultKeyBeingUsed() throws Exception { @@ -77,8 +78,8 @@ public class SSLBootstrapCheckTests extends ESTestCase { .setSecureSettings(secureSettings) .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; - SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), settings, env); - assertTrue(bootstrapCheck.check()); + SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); settings = Settings.builder().put(settings.filter((s) -> s.contains(".http.ssl."))) .put("xpack.security.transport.profiles.foo.xpack.security.ssl.key", 
@@ -86,7 +87,7 @@ public class SSLBootstrapCheckTests extends ESTestCase { .put("xpack.security.transport.profiles.foo.xpack.security.ssl.certificate", getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString()) .build(); - bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), settings, env); - assertTrue(bootstrapCheck.check()); + bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java index a3830238b4a..d2ebab59d7f 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java @@ -5,6 +5,7 @@ */ package org.elasticsearch.xpack.watcher; +import org.elasticsearch.bootstrap.BootstrapContext; import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.env.Environment; @@ -16,8 +17,8 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { public void testDefaultIsFalse() { Settings settings = Settings.builder().put("path.home", createTempDir()).build(); Environment env = new Environment(settings); - EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(settings, env); - assertFalse(check.check()); + EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); + assertFalse(check.check(new BootstrapContext(settings, null))); assertTrue(check.alwaysEnforce()); } 
@@ -27,8 +28,8 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { .put(Watcher.ENCRYPT_SENSITIVE_DATA_SETTING.getKey(), true) .build(); Environment env = new Environment(settings); - EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(settings, env); - assertTrue(check.check()); + EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); + assertTrue(check.check(new BootstrapContext(settings, null))); } public void testKeyInKeystore() { @@ -40,7 +41,7 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { .setSecureSettings(secureSettings) .build(); Environment env = new Environment(settings); - EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(settings, env); - assertFalse(check.check()); + EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); + assertFalse(check.check(new BootstrapContext(settings, null))); } } From f15666f82e8612605473af48fb45b9bcc15a60b5 Mon Sep 17 00:00:00 2001 From: Nik Everett Date: Wed, 13 Sep 2017 14:58:14 -0400 Subject: [PATCH 5/9] Fix links in deprecation checks (elastic/x-pack-elasticsearch#2490) Some links must have moved since we wrote the tests and released 5.6.0. relates elastic/x-pack-elasticsearch#2488 Original commit: elastic/x-pack-elasticsearch@ebceee7f3df12603e1d9985e8a6e249c8561c760 --- .../xpack/deprecation/IndexDeprecationChecks.java | 4 ++-- .../deprecation/IndexDeprecationChecksTests.java | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecks.java b/plugin/src/main/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecks.java index 4ae4b87f3a0..4c8340d0d35 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecks.java 
+++ b/plugin/src/main/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecks.java @@ -187,8 +187,8 @@ public class IndexDeprecationChecks { indexMetaData.getSettings().get("index.shared_filesystem") != null) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, "[index.shared_filesystem] setting should be removed", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/" + - "breaking_60_settings_changes.html#_shadow_replicas_have_been_removed", null); + "https://www.elastic.co/guide/en/elasticsearch/reference/6.0/" + + "breaking_60_indices_changes.html#_shadow_replicas_have_been_removed", null); } return null; diff --git a/plugin/src/test/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecksTests.java b/plugin/src/test/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecksTests.java index 750f39dfd74..fa8a21b19a7 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecksTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/deprecation/IndexDeprecationChecksTests.java 
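Review bot: Only the shadow-replica link in this hunk is pinned to `reference/6.0/`. The `@@ -142,11 +142,11 @@` hunk of IndexDeprecationChecksTests still expects `reference/master/` with `breaking_60_settings_changes.html#_store_throttling_settings` for the store-throttle issue, so the production code presumably still emits that link. Pages under `master` move as the docs are reorganised, which is the breakage this commit repairs, so the remaining links should be pinned the same way, starting with `"https://www.elastic.co/guide/en/elasticsearch/reference/6.0/" +` once the 6.0 anchor has been confirmed. The enclosing method starts outside the hunk.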
@@ -142,11 +142,11 @@ public class IndexDeprecationChecksTests extends ESTestCase { } public void testStoreThrottleSettingsCheck() { assertSettingsAndIssue("index.store.throttle.max_bytes_per_sec", "32", - new DeprecationIssue(DeprecationIssue.Level.CRITICAL, - "index.store.throttle settings are no longer recognized. these settings should be removed", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/" + - "breaking_60_settings_changes.html#_store_throttling_settings", - "present settings: [index.store.throttle.max_bytes_per_sec]")); + new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + "index.store.throttle settings are no longer recognized. these settings should be removed", + "https://www.elastic.co/guide/en/elasticsearch/reference/master/" + + "breaking_60_settings_changes.html#_store_throttling_settings", + "present settings: [index.store.throttle.max_bytes_per_sec]")); assertSettingsAndIssue("index.store.throttle.type", "none", new DeprecationIssue(DeprecationIssue.Level.CRITICAL, "index.store.throttle settings are no longer recognized. these settings should be removed", @@ -159,7 +159,7 @@ public class IndexDeprecationChecksTests extends ESTestCase { assertSettingsAndIssue("index.shared_filesystem", "true", new DeprecationIssue(DeprecationIssue.Level.CRITICAL, "[index.shared_filesystem] setting should be removed", - "https://www.elastic.co/guide/en/elasticsearch/reference/master/" + - "breaking_60_settings_changes.html#_shadow_replicas_have_been_removed", null)); + "https://www.elastic.co/guide/en/elasticsearch/reference/6.0/" + + "breaking_60_indices_changes.html#_shadow_replicas_have_been_removed", null)); } } \ No newline at end of file From 447f2246772adc22e95f8619ba593f0fddc5c9d7 Mon Sep 17 00:00:00 2001 
From: Aaron Bull Schaefer Date: Wed, 13 Sep 2017 16:01:21 -0700 Subject: [PATCH 6/9] Add releaseTest option to CI script (elastic/x-pack-elasticsearch#2482) This option runs a normal check but with `-Dsnapshot=false` (the flag used to indicate a release build). Related to https://github.com/elastic/infra/issues/2759 and https://github.com/elastic/infra/issues/2739 from the ES side. Original commit: elastic/x-pack-elasticsearch@e674e68905186792c724c0fb925dbae3caf3e9e1 --- dev-tools/ci | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dev-tools/ci b/dev-tools/ci index 803f2c035a6..b501cb30216 100755 --- a/dev-tools/ci +++ b/dev-tools/ci @@ -57,6 +57,16 @@ case $key in "-Dtests.badapples=true" ) ;; + releaseTest) + GRADLE_CLI_ARGS=( + "--info" + "check" + "-Dtests.network=true" + "-Dtests.badapples=true" + "-Dbuild.snapshot=false" + "-Dtests.jvm.argline=-Dbuild.snapshot=false" + ) + ;; jdk9) GRADLE_CLI_ARGS=( "-Pxpack.kibana.build=false" From 89d6c7e01ee273468fd7d32add506c3ce6c8f529 Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Wed, 13 Sep 2017 17:16:06 -0700 Subject: [PATCH 7/9] [DOCS] Create reference for users command (elastic/x-pack-elasticsearch#2480) Original commit: elastic/x-pack-elasticsearch@d0afe8a20defc2b91b20ea28f7e67c9f4b2bb591 --- docs/en/commands/index.asciidoc | 16 +++ docs/en/commands/users-command.asciidoc | 138 ++++++++++++++++++++++++ docs/en/index.asciidoc | 3 + 3 files changed, 157 insertions(+) create mode 100644 docs/en/commands/index.asciidoc create mode 100644 docs/en/commands/users-command.asciidoc diff --git a/docs/en/commands/index.asciidoc b/docs/en/commands/index.asciidoc new file mode 100644 index 00000000000..c1a063bc13d --- /dev/null +++ b/docs/en/commands/index.asciidoc @@ -0,0 +1,16 @@ +[role="xpack"] +[[xpack-commands]] += {xpack} Commands + +[partintro] +-- + +{xpack} includes commands that help you configure security: + +//* <> +//* <> +* <> + +-- + +include::users-command.asciidoc[] 
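Review bot: The `releaseTest)` case passes `-Dbuild.snapshot=false`, while the commit message names the flag as `-Dsnapshot=false`; one of the two should be corrected so the option can be found by searching for the property name. The property is also passed twice, once directly and once through `-Dtests.jvm.argline`, with nothing saying why. A comment above the array such as `# build.snapshot must reach both the Gradle build and the forked test JVMs` would record the intent, assuming that is the reason. The `case` statement starts and ends outside the hunk.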
diff --git a/docs/en/commands/users-command.asciidoc b/docs/en/commands/users-command.asciidoc new file mode 100644 index 00000000000..6a889e86346 --- /dev/null +++ b/docs/en/commands/users-command.asciidoc 
@@ -0,0 +1,138 @@ +[role="xpack"] +[[users-command]] +== Users Command +++++ +users +++++ + +If you use file-based user authentication, the `users` command enables you to +add and remove users, assign user roles, and manage passwords. + +[float] +=== Synopsis + +[source,shell] +-------------------------------------------------- +bin/x-pack/users +([useradd ] [-p ] [-r ]) | +([list] ) | +([passwd ] [-p ]) | +([roles ] [-a ] [-r ]) | +([userdel ]) +-------------------------------------------------- + +[float] +=== Description + +If you use the built-in `file` internal realm, users are defined in local files +on each node in the cluster. + +Usernames and roles must be at least 1 and no more than 1024 characters. They +can contain alphanumeric characters (`a-z`, `A-Z`, `0-9`), spaces, punctuation, +and printable symbols in the +https://en.wikipedia.org/wiki/Basic_Latin_(Unicode_block)[Basic Latin (ASCII) block]. +Leading or trailing whitespace is not allowed. + +Passwords must be at least 6 characters long. + +For more information, see {xpack-ref}/file-realm.html[File-based User Authentication]. + +[float] +=== Parameters + +`-a `:: If used with the `roles` parameter, adds a comma-separated list +of roles to a user. + +//`-h, --help`:: Returns all of the command parameters. + +`list`:: List the users that are registered with the `file` realm +on the local node. If you also specify a user name, the command provides +information for that user. + +`-p `:: Specifies the user's password. If you do not specify this +parameter, the command prompts you for the password. ++ +-- +TIP: Omit the `-p` option to keep +plaintext passwords out of the terminal session's command history. + +-- + +`passwd `:: Resets a user's password. You can specify the new +password directly with the `-p` parameter. + +`-r `:: +* If used with the `useradd` parameter, defines a user's roles. This option +accepts a comma-separated list of role names to assign to the user. 
+* If used with the `roles` parameter, removes a comma-separated list of roles +from a user. + +`roles`:: Manages the roles of a particular user. You can combine adding and +removing roles within the same command to change a user's roles. + +//`-s, --silent`:: Shows minimal output. + +`useradd `:: Adds a user to your local node. + +`userdel `:: Deletes a user from your local node. + +//`-v, --verbose`:: Shows verbose output. + +[float] +=== Authorization + +To ensure that {es} can read the user and role information at startup, run +`users useradd` as the same user you use to run {es}. Running the command as +root or some other user updates the permissions for the `users` and `users_roles` +files and prevents {es} from accessing them. + +[float] +=== Examples + +The following example adds a new user named `jacknich` to the `file` realm. The +password for this user is `theshining`, and this user is associated with the +`network` and `monitoring` roles. + +[source,shell] +------------------------------------------------------------------- +bin/x-pack/users useradd jacknich -p theshining -r network,monitoring +------------------------------------------------------------------- + +The following example lists the users that are registered with the `file` realm +on the local node: + +[source, shell] +---------------------------------- +bin/x-pack/users list +rdeniro : admin +alpacino : power_user +jacknich : monitoring,network +---------------------------------- + +Users are in the left-hand column and their corresponding roles are listed in +the right-hand column. + +The following example resets the `jacknich` user's password: + +[source,shell] +-------------------------------------------------- +bin/x-pack/users passwd jachnich +-------------------------------------------------- + +Since the `-p` parameter was omitted, the command prompts you to enter and +confirm a password in interactive mode. 
+ +The following example removes the `network` and `monitoring` roles from the +`jacknich` user and adds the `user` role: + +[source,shell] +------------------------------------------------------------ +bin/x-pack/users roles jacknich -r network,monitoring -a user +------------------------------------------------------------ + +The following example deletes the `jacknich` user: + +[source,shell] +-------------------------------------------------- +bin/x-pack/users userdel jacknich +-------------------------------------------------- diff --git a/docs/en/index.asciidoc b/docs/en/index.asciidoc index d865b7e2834..674adcce7d8 100644 --- a/docs/en/index.asciidoc +++ b/docs/en/index.asciidoc @@ -20,5 +20,8 @@ include::{es-repo-dir}/reference/index-shared2.asciidoc[] :edit_url!: include::rest-api/index.asciidoc[] +:edit_url!: +include::commands/index.asciidoc[] + :edit_url: include::{es-repo-dir}/reference/index-shared3.asciidoc[] From 9ea36ef7715aa0bb58f0373133ae53eb3d00056a Mon Sep 17 00:00:00 2001 From: lcawley Date: Wed, 13 Sep 2017 17:21:15 -0700 Subject: [PATCH 8/9] [DOCS] Added tip in users command Original commit: elastic/x-pack-elasticsearch@3fb4e1819c3d629ffe7ff9cbaa1993c9d895b5e0 --- docs/en/commands/users-command.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/en/commands/users-command.asciidoc b/docs/en/commands/users-command.asciidoc index 6a889e86346..98a3a6acf32 100644 --- a/docs/en/commands/users-command.asciidoc +++ b/docs/en/commands/users-command.asciidoc 
@@ -37,6 +37,11 @@ Passwords must be at least 6 characters long. For more information, see {xpack-ref}/file-realm.html[File-based User Authentication]. +TIP: To ensure that {es} can read the user and role information at startup, run +`users useradd` as the same user you use to run {es}. Running the command as +root or some other user updates the permissions for the `users` and `users_roles` +files and prevents {es} from accessing them. + [float] === Parameters @@ -78,13 +83,8 @@ removing roles within the same command to change a user's roles. //`-v, --verbose`:: Shows verbose output. -[float] -=== Authorization - -To ensure that {es} can read the user and role information at startup, run -`users useradd` as the same user you use to run {es}. Running the command as -root or some other user updates the permissions for the `users` and `users_roles` -files and prevents {es} from accessing them. +//[float] +//=== Authorization [float] === Examples From 4f3e740ba897fad42d2a0aa87b912c7012a93db4 Mon Sep 17 00:00:00 2001 
From: Jason Tedor Date: Wed, 13 Sep 2017 21:30:51 -0400 Subject: [PATCH 9/9] Refactor bootstrap check results and error messages This commit refactors the X-Pack bootstrap checks to respond to a change in core Elasticsearch where the checks now return a single result object. Relates elastic/x-pack-elasticsearch#2495 Original commit: elastic/x-pack-elasticsearch@230b05052975cf91ff468395d604b3ab4d2d870b --- .../security/PkiRealmBootstrapCheck.java | 18 ++++---- .../security/TokenSSLBootstrapCheck.java | 27 +++++++----- .../RoleMappingFileBootstrapCheck.java | 17 +++----- .../xpack/ssl/SSLBootstrapCheck.java | 15 +++---- .../EncryptSensitiveDataBootstrapCheck.java | 41 ++++++++++--------- .../security/PkiRealmBootstrapCheckTests.java | 18 ++++---- .../security/TokenSSLBootsrapCheckTests.java | 12 +++--- .../RoleMappingFileBootstrapCheckTests.java | 31 +++++++------- .../xpack/ssl/SSLBootstrapCheckTests.java | 12 +++--- ...cryptSensitiveDataBootstrapCheckTests.java | 7 ++-- 10 files changed, 99 insertions(+), 99 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java index ad31761cd24..9a79333efbe 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java @@ -31,7 +31,7 @@ class PkiRealmBootstrapCheck implements BootstrapCheck { * least one network communication layer. */ @Override - public boolean check(BootstrapContext context) { + public BootstrapCheckResult check(BootstrapContext context) { final Settings settings = context.settings; final boolean pkiRealmEnabled = settings.getGroups(RealmSettings.PREFIX).values().stream() .filter(s -> PkiRealm.TYPE.equals(s.get("type"))) 
@@ -42,34 +42,30 @@ class PkiRealmBootstrapCheck implements BootstrapCheck { Settings httpSSLSettings = SSLService.getHttpTransportSSLSettings(settings); final boolean httpClientAuth = sslService.isSSLClientAuthEnabled(httpSSLSettings); if (httpSsl && httpClientAuth) { - return false; + return BootstrapCheckResult.success(); } // Default Transport final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl.")); final boolean clientAuthEnabled = sslService.isSSLClientAuthEnabled(transportSSLSettings); if (clientAuthEnabled) { - return false; + return BootstrapCheckResult.success(); } // Transport Profiles Map groupedSettings = settings.getGroups("transport.profiles."); for (Map.Entry entry : groupedSettings.entrySet()) { if (sslService.isSSLClientAuthEnabled(SecurityNetty4Transport.profileSslSettings(entry.getValue()), transportSSLSettings)) { - return false; + return BootstrapCheckResult.success(); } } - return true; + return BootstrapCheckResult.failure( + "a PKI realm is enabled but cannot be used as neither HTTP or Transport have SSL and client authentication enabled"); } else { - return false; + return BootstrapCheckResult.success(); } } - @Override - public String errorMessage() { - return "A PKI realm is enabled but cannot be used as neither HTTP or Transport have SSL and client authentication enabled"; - } - @Override public boolean alwaysEnforce() { return true; diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java index cf3a1b48ae3..dfa3681c3f8 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenSSLBootstrapCheck.java 
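Review bot: The failure text added in the `@@ -42,34 +42,30 @@` hunk reads "neither HTTP or Transport" and gives no hint which settings to change, although `alwaysEnforce()` returns true for this check. The wording should be `"a PKI realm is enabled but cannot be used as neither HTTP nor Transport has SSL and client authentication enabled"`. It would also help to name the relevant setting keys in the message, as the TokenSSLBootstrapCheck message in this same commit does with `getKey()`. The body of `check` starts in the previous hunk.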
@@ -11,24 +11,29 @@ import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.xpack.XPackSettings; +import java.util.Locale; + /** * Bootstrap check to ensure that the user has enabled HTTPS when using the token service */ final class TokenSSLBootstrapCheck implements BootstrapCheck { @Override - public boolean check(BootstrapContext context) { - if (NetworkModule.HTTP_ENABLED.get(context.settings)) { - return XPackSettings.HTTP_SSL_ENABLED.get(context.settings) == false && XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get - (context.settings); + public BootstrapCheckResult check(BootstrapContext context) { + final Boolean httpEnabled = NetworkModule.HTTP_ENABLED.get(context.settings); + final Boolean httpsEnabled = XPackSettings.HTTP_SSL_ENABLED.get(context.settings); + final Boolean tokenServiceEnabled = XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(context.settings); + if (httpEnabled && httpsEnabled == false && tokenServiceEnabled) { + final String message = String.format( + Locale.ROOT, + "HTTPS is required in order to use the token service; " + + "please enable HTTPS using the [%s] setting or disable the token service using the [%s] setting", + XPackSettings.HTTP_SSL_ENABLED.getKey(), + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey()); + return BootstrapCheckResult.failure(message); + } else { + return BootstrapCheckResult.success(); } - return false; } - @Override - public String errorMessage() { - return "HTTPS is required in order to use the token service. Please enable HTTPS using the [" + - XPackSettings.HTTP_SSL_ENABLED.getKey() + "] setting or disable the token service using the [" + - XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + "] setting."; - } } 
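Review bot: The three locals in `check` are declared as boxed `Boolean` and then implicitly unboxed in the `if` condition. Declaring them as primitives, e.g. `final boolean httpEnabled = NetworkModule.HTTP_ENABLED.get(context.settings);` and likewise for `httpsEnabled` and `tokenServiceEnabled`, states the same thing without the wrapper type. Note also that all three settings are now read on every call, whereas the removed code read the two XPackSettings values only when HTTP was enabled. That looks harmless here but is a small behaviour change worth a mention in the commit description.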
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java index 9b6e0880401..b948920ddcc 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheck.java @@ -20,30 +20,22 @@ public class RoleMappingFileBootstrapCheck implements BootstrapCheck { private final RealmConfig realmConfig; private final Path path; - private final SetOnce error = new SetOnce<>(); - - public RoleMappingFileBootstrapCheck(RealmConfig config, Path path) { + RoleMappingFileBootstrapCheck(RealmConfig config, Path path) { this.realmConfig = config; this.path = path; } @Override - public boolean check(BootstrapContext context) { + public BootstrapCheckResult check(BootstrapContext context) { try { DnRoleMapper.parseFile(path, realmConfig.logger(getClass()), realmConfig.type(), realmConfig.name(), true); - return false; + return BootstrapCheckResult.success(); } catch (Exception e) { - error.set(e.getMessage()); - return true; + return BootstrapCheckResult.failure(e.getMessage()); } } - @Override - public String errorMessage() { - return error.get(); - } - @Override public boolean alwaysEnforce() { return true; @@ -56,4 +48,5 @@ public class RoleMappingFileBootstrapCheck implements BootstrapCheck { } return null; } + } diff --git a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java index 4146215369a..1cae925f8f8 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java 
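Review bot: `BootstrapCheckResult.failure(e.getMessage())` in the catch block forwards whatever the exception carries, and `getMessage()` is null for exceptions created without a message. Depending on how `failure` treats null (not visible here), the operator gets either an empty error or a second exception that hides the first; the exception type is dropped in both cases. Since the catch is for `Exception`, falling back to `e.toString()` keeps the report usable: `final String message = e.getMessage() != null ? e.getMessage() : e.toString();` followed by `return BootstrapCheckResult.failure(message);`.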
@@ -42,10 +42,15 @@ public final class SSLBootstrapCheck implements BootstrapCheck { } @Override - public boolean check(BootstrapContext context) { + public BootstrapCheckResult check(BootstrapContext context) { final Settings transportSSLSettings = context.settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX); - return sslService.sslConfiguration(transportSSLSettings).keyConfig() == KeyConfig.NONE - || isDefaultCACertificateTrusted() || isDefaultPrivateKeyUsed(); + if (sslService.sslConfiguration(transportSSLSettings).keyConfig() == KeyConfig.NONE + || isDefaultCACertificateTrusted() || isDefaultPrivateKeyUsed()) { + return BootstrapCheckResult.failure( + "default SSL key and certificate do not provide security; please generate keys and certificates"); + } else { + return BootstrapCheckResult.success(); + } } /** @@ -91,8 +96,4 @@ public final class SSLBootstrapCheck implements BootstrapCheck { .anyMatch(defaultPrivateKey::equals); } - @Override - public String errorMessage() { - return "Default SSL key and certificate do not provide security; please generate keys and certificates"; - } } diff --git a/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java index d9eafe414dc..84fc4978c31 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheck.java 
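Review bot: The single failure message in `check` covers three different conditions: `keyConfig() == KeyConfig.NONE`, the default CA certificate being trusted, and the default private key being used. An operator whose node refuses to start therefore cannot tell which one to fix. Returning a separate failure per condition leaves the outcome of the check unchanged and names the cause. The helper methods `isDefaultCACertificateTrusted` and `isDefaultPrivateKeyUsed` lie outside this hunk. The message wording below is a proposal and assumes `KeyConfig.NONE` means no key material was configured.

```java
public BootstrapCheckResult check(BootstrapContext context) {
    final Settings transportSSLSettings = context.settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
    if (sslService.sslConfiguration(transportSSLSettings).keyConfig() == KeyConfig.NONE) {
        return BootstrapCheckResult.failure(
                "no SSL key and certificate are configured for transport; please generate keys and certificates");
    }
    if (isDefaultCACertificateTrusted()) {
        return BootstrapCheckResult.failure(
                "the default CA certificate is trusted and does not provide security; please generate keys and certificates");
    }
    if (isDefaultPrivateKeyUsed()) {
        return BootstrapCheckResult.failure(
                "the default SSL key is in use and does not provide security; please generate keys and certificates");
    }
    return BootstrapCheckResult.success();
}
```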
@@ -23,27 +23,28 @@ final class EncryptSensitiveDataBootstrapCheck implements BootstrapCheck { } @Override - public boolean check(BootstrapContext context) { - return Watcher.ENCRYPT_SENSITIVE_DATA_SETTING.get(context.settings) - && Watcher.ENCRYPTION_KEY_SETTING.exists(context.settings) == false; - } - - @Override - public String errorMessage() { - final Path sysKeyPath = environment.configFile().resolve(XPackPlugin.NAME).resolve("system_key").toAbsolutePath(); - if (Files.exists(sysKeyPath)) { - return "Encryption of sensitive data requires the key to be placed in the secure setting store. Run " + - "'bin/elasticsearch-keystore add-file " + Watcher.ENCRYPTION_KEY_SETTING.getKey() + " " + - environment.configFile().resolve(XPackPlugin.NAME).resolve("system_key").toAbsolutePath() + - "' to import the file.\nAfter importing, the system_key file should be removed from the " + - "filesystem.\nRepeat this on every node in the cluster."; + public BootstrapCheckResult check(BootstrapContext context) { + if (Watcher.ENCRYPT_SENSITIVE_DATA_SETTING.get(context.settings) + && Watcher.ENCRYPTION_KEY_SETTING.exists(context.settings) == false) { + final Path systemKeyPath = environment.configFile().resolve(XPackPlugin.NAME).resolve("system_key").toAbsolutePath(); + final String message; + if (Files.exists(systemKeyPath)) { + message = "Encryption of sensitive data requires the key to be placed in the secure setting store. Run " + + "'bin/elasticsearch-keystore add-file " + Watcher.ENCRYPTION_KEY_SETTING.getKey() + " " + + systemKeyPath + + "' to import the file.\nAfter importing, the system_key file should be removed from the " + + "filesystem.\nRepeat this on every node in the cluster."; + } else { + message = "Encryption of sensitive data requires a key to be placed in the secure setting store. 
First run the " + + "bin/x-pack/syskeygen tool to generate a key file.\nThen run 'bin/elasticsearch-keystore add-file " + + Watcher.ENCRYPTION_KEY_SETTING.getKey() + " " + + systemKeyPath + "' to import the key into" + + " the secure setting store. Finally, remove the system_key file from the filesystem.\n" + + "Repeat this on every node in the cluster"; + } + return BootstrapCheckResult.failure(message); } else { - return "Encryption of sensitive data requires a key to be placed in the secure setting store. First run the " + - "bin/x-pack/syskeygen tool to generate a key file.\nThen run 'bin/elasticsearch-keystore add-file " + - Watcher.ENCRYPTION_KEY_SETTING.getKey() + " " + - environment.configFile().resolve(XPackPlugin.NAME).resolve("system_key").toAbsolutePath() + "' to import the key into" + - " the secure setting store. Finally, remove the system_key file from the filesystem.\n" + - "Repeat this on every node in the cluster"; + return BootstrapCheckResult.success(); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java index 0ce3ebd9b2a..e5c433341c5 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java @@ -17,7 +17,7 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { public void testPkiRealmBootstrapDefault() throws Exception { assertFalse(new PkiRealmBootstrapCheck(new SSLService(Settings.EMPTY, new Environment(Settings.builder().put("path.home", createTempDir()).build()))).check((new BootstrapContext(Settings - .EMPTY, null)))); + .EMPTY, null))).isFailure()); } public void testBootstrapCheckWithPkiRealm() throws Exception { 
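Review bot: `Files.exists(systemKeyPath)` in `EncryptSensitiveDataBootstrapCheck.check` also returns false when the file's existence cannot be determined (for example when the directory is not readable), and the `else` branch then tells the operator to run `bin/x-pack/syskeygen` and generate a new key. If an existing `system_key` is merely unreadable, following that advice would presumably leave data encrypted under the old key undecryptable. Choosing the generate-a-key message only when absence is certain avoids this: `if (Files.notExists(systemKeyPath) == false) {`. The two messages also end differently; the second one is missing its final period.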
@@ -26,42 +26,42 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("path.home", createTempDir()) .build(); Environment env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // disable client auth default settings = Settings.builder().put(settings) .put("xpack.ssl.client_authentication", "none") .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // enable ssl for http settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.enabled", true) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // enable client auth for http settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // disable http ssl settings = Settings.builder().put(settings) .put("xpack.security.http.ssl.enabled", false) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertTrue(new 
PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // set transport client auth settings = Settings.builder().put(settings) .put("xpack.security.transport.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); // test with transport profile settings = Settings.builder().put(settings) @@ -69,7 +69,7 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("transport.profiles.foo.xpack.security.ssl.client_authentication", randomFrom("required", "optional")) .build(); env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); } public void testBootstrapCheckWithDisabledRealm() throws Exception { @@ -80,6 +80,6 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase { .put("path.home", createTempDir()) .build(); Environment env = new Environment(settings); - assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null))); + assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure()); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java index 39b33eab0e9..a30cb834784 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java 
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenSSLBootsrapCheckTests.java 
@@ -16,29 +16,29 @@ public class TokenSSLBootsrapCheckTests extends ESTestCase { public void testTokenSSLBootstrapCheck() { Settings settings = Settings.EMPTY; - assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder() .put(NetworkModule.HTTP_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder().put(XPackSettings.HTTP_SSL_ENABLED.getKey(), true).build(); - assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); // XPackSettings.HTTP_SSL_ENABLED default false settings = Settings.builder().put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder() .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build(); - assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertTrue(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder() .put(XPackSettings.HTTP_SSL_ENABLED.getKey(), false) .put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true) .put(NetworkModule.HTTP_ENABLED.getKey(), false).build(); - assertFalse(new TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null))); + assertFalse(new 
TokenSSLBootstrapCheck().check(new BootstrapContext(settings, null)).isFailure()); } } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java index 629df88dc6c..cbbc0366fb3 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java @@ -46,7 +46,7 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(new BootstrapContext(settings, null)), equalTo(false)); + assertFalse(check.check(new BootstrapContext(settings, null)).isFailure()); } public void testBootstrapCheckOfMissingFile() { @@ -59,10 +59,11 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); - assertThat(check.errorMessage(), containsString("the-realm-name")); - assertThat(check.errorMessage(), containsString(fileName)); - assertThat(check.errorMessage(), containsString("does not exist")); + final BootstrapCheck.BootstrapCheckResult result = check.check(new BootstrapContext(settings, null)); + assertTrue(result.isFailure()); + assertThat(result.getMessage(), containsString("the-realm-name")); + assertThat(result.getMessage(), containsString(fileName)); + assertThat(result.getMessage(), containsString("does not exist")); } public void testBootstrapCheckWithInvalidYaml() throws IOException { 
@@ -77,10 +78,11 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); - assertThat(check.errorMessage(), containsString("the-realm-name")); - assertThat(check.errorMessage(), containsString(file.toString())); - assertThat(check.errorMessage(), containsString("could not read")); + final BootstrapCheck.BootstrapCheckResult result = check.check(new BootstrapContext(settings, null)); + assertTrue(result.isFailure()); + assertThat(result.getMessage(), containsString("the-realm-name")); + assertThat(result.getMessage(), containsString(file.toString())); + assertThat(result.getMessage(), containsString("could not read")); } public void testBootstrapCheckWithInvalidDn() throws IOException { @@ -95,10 +97,11 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase { final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config); assertThat(check, notNullValue()); assertThat(check.alwaysEnforce(), equalTo(true)); - assertThat(check.check(new BootstrapContext(settings, null)), equalTo(true)); - assertThat(check.errorMessage(), containsString("the-realm-name")); - assertThat(check.errorMessage(), containsString(file.toString())); - assertThat(check.errorMessage(), containsString("invalid DN")); - assertThat(check.errorMessage(), containsString("not-a-dn")); + final BootstrapCheck.BootstrapCheckResult result = check.check(new BootstrapContext(settings, null)); + assertTrue(result.isFailure()); + assertThat(result.getMessage(), containsString("the-realm-name")); + assertThat(result.getMessage(), containsString(file.toString())); + assertThat(result.getMessage(), containsString("invalid DN")); + assertThat(result.getMessage(), containsString("not-a-dn")); } } 
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java index 734814cc6b6..22e9e830ae0 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java @@ -16,7 +16,7 @@ public class SSLBootstrapCheckTests extends ESTestCase { public void testSSLBootstrapCheckWithNoKey() throws Exception { SSLService sslService = new SSLService(Settings.EMPTY, null); SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(sslService, null); - assertTrue(bootstrapCheck.check(new BootstrapContext(Settings.EMPTY, null))); + assertTrue(bootstrapCheck.check(new BootstrapContext(Settings.EMPTY, null)).isFailure()); } public void testSSLBootstrapCheckWithKey() throws Exception { @@ -33,7 +33,7 @@ public class SSLBootstrapCheckTests extends ESTestCase { .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); - assertFalse(bootstrapCheck.check(new BootstrapContext(settings, null))); + assertFalse(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure()); } public void testSSLBootstrapCheckWithDefaultCABeingTrusted() throws Exception { 
@@ -53,14 +53,14 @@ public class SSLBootstrapCheckTests extends ESTestCase { .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); - assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder().put(settings.filter((s) -> s.contains(".certificate_authorities"))) .put("xpack.security.http.ssl.certificate_authorities", getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString()) .build(); bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); - assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure()); } public void testSSLBootstrapCheckWithDefaultKeyBeingUsed() throws Exception { @@ -79,7 +79,7 @@ public class SSLBootstrapCheckTests extends ESTestCase { .build(); final Environment env = randomBoolean() ? new Environment(settings) : null; SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); - assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure()); settings = Settings.builder().put(settings.filter((s) -> s.contains(".http.ssl."))) .put("xpack.security.transport.profiles.foo.xpack.security.ssl.key", @@ -88,6 +88,6 @@ public class SSLBootstrapCheckTests extends ESTestCase { getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString()) .build(); bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env); - assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null))); + assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure()); } } 
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java index d2ebab59d7f..81ee272e3c8 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/watcher/EncryptSensitiveDataBootstrapCheckTests.java @@ -18,7 +18,7 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { Settings settings = Settings.builder().put("path.home", createTempDir()).build(); Environment env = new Environment(settings); EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); - assertFalse(check.check(new BootstrapContext(settings, null))); + assertFalse(check.check(new BootstrapContext(settings, null)).isFailure()); assertTrue(check.alwaysEnforce()); } @@ -29,7 +29,7 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { .build(); Environment env = new Environment(settings); EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); - assertTrue(check.check(new BootstrapContext(settings, null))); + assertTrue(check.check(new BootstrapContext(settings, null)).isFailure()); } public void testKeyInKeystore() { @@ -42,6 +42,7 @@ public class EncryptSensitiveDataBootstrapCheckTests extends ESTestCase { .build(); Environment env = new Environment(settings); EncryptSensitiveDataBootstrapCheck check = new EncryptSensitiveDataBootstrapCheck(env); - assertFalse(check.check(new BootstrapContext(settings, null))); + assertFalse(check.check(new BootstrapContext(settings, null)).isFailure()); } + }
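Review bot: The updated assertion in the second hunk of `EncryptSensitiveDataBootstrapCheckTests`, `assertTrue(check.check(new BootstrapContext(settings, null)).isFailure());`, checks only that the check fails, so neither of the two operator messages built in `EncryptSensitiveDataBootstrapCheck.check` is covered. Since the result now carries the message, the test can keep the result in a local and pin it: `assertTrue(result.getMessage().contains("elasticsearch-keystore add-file"));`, a substring that appears in both branches. The test method starts outside the hunk, so whether a `system_key` file exists in its temp directory is not visible here.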