Allow license installation in dev mode without TLS (elastic/x-pack-elasticsearch#4155)

This commit allows license installation without TLS being enabled when the cluster is in dev mode. The main difference this change enables is the ability to install a production license on a single node cluster that is bound to localhost and does not have the single-node discovery enabled. relates elastic/x-pack-elasticsearch#4123 Original commit: elastic/x-pack-elasticsearch@04ebcc0fab
2018-04-19 13:49:27 -06:00 · 2018-04-19 13:49:27 -06:00 · 3bc6fd76a3
parent f0be979541
commit 3bc6fd76a3
5 changed files with 117 additions and 96 deletions
--- a/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java
+++ b/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java
@ -14,6 +14,7 @@ import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
 import org.elasticsearch.cluster.metadata.MetaData;
+import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.component.Lifecycle;
@ -206,7 +207,7 @@ public class LicenseService extends AbstractLifecycleComponent implements Cluste
            if (newLicense.isProductionLicense()
                    && XPackSettings.SECURITY_ENABLED.get(settings)
                    && XPackSettings.TRANSPORT_SSL_ENABLED.get(settings) == false
-                    && "single-node".equals(DiscoveryModule.DISCOVERY_TYPE_SETTING.get(settings)) == false) {
+                    && isProductionMode(settings, clusterService.localNode())) {
                // security is on but TLS is not configured we gonna fail the entire request and throw an exception
                throw new IllegalStateException("Cannot install a [" + newLicense.operationMode() +
                        "] license unless TLS is configured or security is disabled");
@ -512,4 +513,13 @@ public class LicenseService extends AbstractLifecycleComponent implements Cluste
        }
        return null;
    }
-}
+
+    private static boolean isProductionMode(Settings settings, DiscoveryNode localNode) {
+        final boolean singleNodeDisco = "single-node".equals(DiscoveryModule.DISCOVERY_TYPE_SETTING.get(settings));
+        return singleNodeDisco == false && isBoundToLoopback(localNode) == false;
+    }
+
+    private static boolean isBoundToLoopback(DiscoveryNode localNode) {
+        return localNode.getAddress().address().getAddress().isLoopbackAddress();
+    }
+}
--- a/plugin/core/src/test/java/org/elasticsearch/license/AbstractLicenseServiceTestCase.java
+++ b/plugin/core/src/test/java/org/elasticsearch/license/AbstractLicenseServiceTestCase.java
@ -64,7 +64,7 @@ public abstract class AbstractLicenseServiceTestCase extends ESTestCase {
        MetaData metaData = mock(MetaData.class);
        when(metaData.custom(LicensesMetaData.TYPE)).thenReturn(new LicensesMetaData(license, null));
        when(state.metaData()).thenReturn(metaData);
-        final DiscoveryNode mockNode = new DiscoveryNode("b", buildNewFakeTransportAddress(), emptyMap(), emptySet(), Version.CURRENT);
+        final DiscoveryNode mockNode = getLocalNode();
        when(discoveryNodes.getMasterNode()).thenReturn(mockNode);
        when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(false);
        when(state.nodes()).thenReturn(discoveryNodes);
@ -72,6 +72,11 @@ public abstract class AbstractLicenseServiceTestCase extends ESTestCase {
        when(clusterService.state()).thenReturn(state);
        when(clusterService.lifecycleState()).thenReturn(Lifecycle.State.STARTED);
        when(clusterService.getClusterName()).thenReturn(new ClusterName("a"));
+        when(clusterService.localNode()).thenReturn(mockNode);
+    }
+
+    protected DiscoveryNode getLocalNode() {
+        return new DiscoveryNode("b", buildNewFakeTransportAddress(), emptyMap(), emptySet(), Version.CURRENT);
    }

    @After
--- a/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java
+++ b/plugin/core/src/test/java/org/elasticsearch/license/LicenseTLSTests.java
@ -0,0 +1,99 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.license;
+
+import org.elasticsearch.Version;
+import org.elasticsearch.action.support.PlainActionFuture;
+import org.elasticsearch.cluster.ClusterStateUpdateTask;
+import org.elasticsearch.cluster.node.DiscoveryNode;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.transport.TransportAddress;
+import org.elasticsearch.common.unit.TimeValue;
+
+import java.net.InetAddress;
+
+import static java.util.Collections.emptyMap;
+import static java.util.Collections.emptySet;
+import static org.hamcrest.Matchers.containsString;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
+public class LicenseTLSTests extends AbstractLicenseServiceTestCase {
+
+    private InetAddress inetAddress;
+
+    public void testApplyLicenseInDevMode() throws Exception {
+        License newLicense = TestUtils.generateSignedLicense(randomFrom("gold", "platinum"), TimeValue.timeValueHours(24L));
+        PutLicenseRequest request = new PutLicenseRequest();
+        request.acknowledge(true);
+        request.license(newLicense);
+        Settings settings = Settings.builder().put("xpack.security.enabled", true).build();
+        XPackLicenseState licenseState = new XPackLicenseState(settings);
+        inetAddress = InetAddress.getLoopbackAddress();
+
+        setInitialState(null, licenseState, settings);
+        licenseService.start();
+        PlainActionFuture<PutLicenseResponse> responseFuture = new PlainActionFuture<>();
+        licenseService.registerLicense(request, responseFuture);
+        verify(clusterService).submitStateUpdateTask(any(String.class), any(ClusterStateUpdateTask.class));
+
+        inetAddress = TransportAddress.META_ADDRESS;
+        settings = Settings.builder()
+                .put("xpack.security.enabled", true)
+                .put("discovery.type", "single-node")
+                .build();
+        licenseService.stop();
+        licenseState = new XPackLicenseState(settings);
+        setInitialState(null, licenseState, settings);
+        licenseService.start();
+        licenseService.registerLicense(request, responseFuture);
+        verify(clusterService, times(2)).submitStateUpdateTask(any(String.class), any(ClusterStateUpdateTask.class));
+    }
+
+    public void testApplyLicenseInProdMode() throws Exception {
+        final String licenseType = randomFrom("GOLD", "PLATINUM");
+        License newLicense = TestUtils.generateSignedLicense(licenseType, TimeValue.timeValueHours(24L));
+        PutLicenseRequest request = new PutLicenseRequest();
+        request.acknowledge(true);
+        request.license(newLicense);
+        Settings settings = Settings.builder().put("xpack.security.enabled", true).build();
+        XPackLicenseState licenseState = new XPackLicenseState(settings);
+        inetAddress = TransportAddress.META_ADDRESS;
+
+        setInitialState(null, licenseState, settings);
+        licenseService.start();
+        PlainActionFuture<PutLicenseResponse> responseFuture = new PlainActionFuture<>();
+        IllegalStateException e = expectThrows(IllegalStateException.class, () -> licenseService.registerLicense(request, responseFuture));
+        assertThat(e.getMessage(),
+                containsString("Cannot install a [" + licenseType + "] license unless TLS is configured or security is disabled"));
+
+        settings = Settings.builder().put("xpack.security.enabled", false).build();
+        licenseService.stop();
+        licenseState = new XPackLicenseState(settings);
+        setInitialState(null, licenseState, settings);
+        licenseService.start();
+        licenseService.registerLicense(request, responseFuture);
+        verify(clusterService).submitStateUpdateTask(any(String.class), any(ClusterStateUpdateTask.class));
+
+        settings = Settings.builder()
+                .put("xpack.security.enabled", true)
+                .put("xpack.security.transport.ssl.enabled", true)
+                .build();
+        licenseService.stop();
+        licenseState = new XPackLicenseState(settings);
+        setInitialState(null, licenseState, settings);
+        licenseService.start();
+        licenseService.registerLicense(request, responseFuture);
+        verify(clusterService, times(2)).submitStateUpdateTask(any(String.class), any(ClusterStateUpdateTask.class));
+    }
+
+    @Override
+    protected DiscoveryNode getLocalNode() {
+        return new DiscoveryNode("localnode", new TransportAddress(inetAddress, randomIntBetween(9300, 9399)),
+                emptyMap(), emptySet(), Version.CURRENT);
+    }
+}
--- a/plugin/security/src/test/java/org/elasticsearch/license/LicenseServiceSingleNodeSecurityTests.java
+++ b/plugin/security/src/test/java/org/elasticsearch/license/LicenseServiceSingleNodeSecurityTests.java
@ -1,40 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.license;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.test.ESIntegTestCase;
-import org.elasticsearch.test.SecurityIntegTestCase;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-
-@ESIntegTestCase.ClusterScope(
-        scope = ESIntegTestCase.Scope.TEST,
-        numDataNodes = 1,
-        numClientNodes = 0,
-        supportsDedicatedMasters = false,
-        autoMinMasterNodes = false)
-public class LicenseServiceSingleNodeSecurityTests extends SecurityIntegTestCase {
-
-    @Override
-    protected Settings nodeSettings(int nodeOrdinal) {
-        return Settings
-                .builder()
-                .put(super.nodeSettings(nodeOrdinal))
-                .put("discovery.type", "single-node")
-                .put("transport.tcp.port", "0")
-                .build();
-    }
-
-    public void testLicenseUpgradeSucceeds() throws Exception {
-        LicensingClient licensingClient = new LicensingClient(client());
-        License prodLicense = TestUtils.generateSignedLicense("platinum", TimeValue.timeValueHours(24));
-        PutLicenseResponse putLicenseResponse = licensingClient.preparePutLicense(prodLicense).get();
-        assertEquals(putLicenseResponse.status(), LicensesStatus.VALID);
-        assertThat(licensingClient.prepareGetLicense().get().license(), equalTo(prodLicense));
-    }
-}
--- a/plugin/security/src/test/java/org/elasticsearch/license/LicenseServiceWithSecurityTests.java
+++ b/plugin/security/src/test/java/org/elasticsearch/license/LicenseServiceWithSecurityTests.java
@ -1,53 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.license;
-
-import org.elasticsearch.analysis.common.CommonAnalysisPlugin;
-import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.test.SecurityIntegTestCase;
-import org.elasticsearch.transport.Netty4Plugin;
-import org.elasticsearch.xpack.security.LocalStateSecurity;
-
-import java.util.Arrays;
-import java.util.Collection;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-
-/**
- * Basic integration test that checks if license can be upgraded to a production license if TLS is enabled and vice versa.
- */
-public class LicenseServiceWithSecurityTests extends SecurityIntegTestCase {
-
-    @Override
-    protected Collection<Class<? extends Plugin>> nodePlugins() {
-        return Arrays.asList(LocalStateSecurity.class, CommonAnalysisPlugin.class, Netty4Plugin.class);
-    }
-
-    @Override
-    protected Collection<Class<? extends Plugin>> transportClientPlugins() {
-        return nodePlugins();
-    }
-
-    public void testLicenseUpgradeFailsWithoutTLS() throws Exception {
-        assumeFalse("transport ssl is enabled", isTransportSSLEnabled());
-        LicensingClient licensingClient = new LicensingClient(client());
-        License license = licensingClient.prepareGetLicense().get().license();
-        License prodLicense = TestUtils.generateSignedLicense("platinum", TimeValue.timeValueHours(24));
-        IllegalStateException ise = expectThrows(IllegalStateException.class, () -> licensingClient.preparePutLicense(prodLicense).get());
-        assertEquals("Cannot install a [PLATINUM] license unless TLS is configured or security is disabled", ise.getMessage());
-        assertThat(licensingClient.prepareGetLicense().get().license(), equalTo(license));
-    }
-
-    public void testLicenseUpgradeSucceedsWithTLS() throws Exception {
-        assumeTrue("transport ssl is disabled", isTransportSSLEnabled());
-        LicensingClient licensingClient = new LicensingClient(client());
-        License prodLicense = TestUtils.generateSignedLicense("platinum", TimeValue.timeValueHours(24));
-        PutLicenseResponse putLicenseResponse = licensingClient.preparePutLicense(prodLicense).get();
-        assertEquals(putLicenseResponse.status(), LicensesStatus.VALID);
-        assertThat(licensingClient.prepareGetLicense().get().license(), equalTo(prodLicense));
-    }
-}