From 3c1218ac1ce8af7ef554c77cdf3828deab274f43 Mon Sep 17 00:00:00 2001 From: jaymode Date: Thu, 9 Jun 2016 11:49:53 -0400 Subject: [PATCH] security: don't iterate over realms if authentication is not enabled This changes the realms iterator call to alway return a empty iterator when we have a basic license otherwise an exception would be thrown. Closes elastic/elasticsearch#2474 Original commit: elastic/x-pack-elasticsearch@168cab9e1d1773803ecd02e9a27ada64247a127f --- .../org/elasticsearch/shield/authc/Realms.java | 5 +++++ .../shield/SecurityFeatureSetTests.java | 7 +++++-- .../InternalAuthenticationServiceTests.java | 1 + .../elasticsearch/shield/authc/RealmsTests.java | 16 ++++++++++++++++ 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java index 0dcc995db5a..604110c6ddc 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java @@ -6,6 +6,7 @@ package org.elasticsearch.shield.authc; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.common.collect.Iterators; import org.elasticsearch.common.component.AbstractLifecycleComponent; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.settings.Setting; @@ -101,6 +102,10 @@ public class Realms extends AbstractLifecycleComponent implements Iterab @Override public Iterator iterator() { + if (shieldLicenseState.authenticationAndAuthorizationEnabled() == false) { + return Collections.emptyIterator(); + } + EnabledRealmType enabledRealmType = shieldLicenseState.enabledRealmType(); switch (enabledRealmType) { case ALL: 
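Review bot: The first Realms.java hunk adds `import org.elasticsearch.common.collect.Iterators;`, but the guard added to `iterator()` uses `Collections.emptyIterator()`, so on the visible lines the new import is unused and can be dropped. The guard also makes an empty iteration mean "authentication and authorization are disabled by the license" rather than "no realms are configured", which deserves a comment at the return, for example `// license disables authc/authz: expose no realms; callers must not read an empty iteration as a successful authentication`. Whether other accessors on Realms apply the same license check cannot be seen from this hunk, and `iterator()` continues past its last line.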
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java index be1a6412f2e..0aaee2b15b3 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java @@ -15,6 +15,7 @@ import org.elasticsearch.xpack.watcher.support.xcontent.XContentSource; import org.junit.Before; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -92,7 +93,7 @@ public class SecurityFeatureSetTests extends ESTestCase { realmUsage.put("key3", i % 2 == 0); when(realm.usageStats()).thenReturn(realmUsage); } - when(realms.iterator()).thenReturn(realmsList.iterator()); + when(realms.iterator()).thenReturn(available ? realmsList.iterator() : Collections.emptyIterator()); SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry); XPackFeatureSet.Usage usage = featureSet.usage(); @@ -102,12 +103,14 @@ public class SecurityFeatureSetTests extends ESTestCase { assertThat(usage.available(), is(available)); XContentSource source = new XContentSource(usage); - if (enabled) { + if (enabled && available) { for (int i = 0; i < 5; i++) { assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i)); assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i)); assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0)); } + } else if (enabled) { + assertThat(source.getValue("enabled_realms"), is(notNullValue())); } else { assertThat(source.getValue("enabled_realms"), is(nullValue())); } 
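Review bot: The new `else if (enabled)` branch asserts only that `enabled_realms` is `notNullValue()`, so the test would still pass if realm usage were reported while the license makes security unavailable. Because the stubbed iterator is `Collections.emptyIterator()` in that case, the branch can pin the empty result as well, for example with `assertThat(source.getValue("enabled_realms.0.key1"), is(nullValue()));`. That assumes XContentSource resolves a missing path to null, as the final `else` branch suggests. The test method starts and ends outside these hunks.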
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java index f0dcbaf5148..c21233e739e 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java @@ -94,6 +94,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase { Settings settings = Settings.builder().put("path.home", createTempDir()).build(); SecurityLicenseState shieldLicenseState = mock(SecurityLicenseState.class); when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL); + when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true); realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.emptyMap(), shieldLicenseState, mock(ReservedRealm.class)) { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java index ee14210ff7d..426c9a13c23 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java @@ -52,6 +52,7 @@ public class RealmsTests extends ESTestCase { } shieldLicenseState = mock(SecurityLicenseState.class); reservedRealm = mock(ReservedRealm.class); + when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true); when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL); } 
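Review bot: The InternalAuthenticationServiceTests setup stubs `authenticationAndAuthorizationEnabled()` to `true` only, and the diffstat shows no other change to that file, so nothing in it covers how the authentication service behaves once `Realms` yields no realms. A companion test that stubs `when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(false);` and asserts the intended outcome of authenticating a token in that state would pin the behaviour, since an empty realm chain should be asserted rather than assumed. The setup method begins and ends outside the hunk.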
@@ -338,6 +339,21 @@ public class RealmsTests extends ESTestCase { assertThat(count, equalTo(orderToIndex.size())); } + public void testAuthcAuthzDisabled() { + Settings settings = Settings.builder() + .put("path.home", createTempDir()) + .put("xpack.security.authc.realms.realm_1.type", FileRealm.TYPE) + .put("xpack.security.authc.realms.realm_1.order", 0) + .build(); + Environment env = new Environment(settings); + Realms realms = new Realms(settings, env, factories, shieldLicenseState, reservedRealm).start(); + + assertThat(realms.iterator().hasNext(), is(true)); + + when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(false); + assertThat(realms.iterator().hasNext(), is(false)); + } + static class DummyRealm extends Realm { public DummyRealm(String type, RealmConfig config) {
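Review bot: `testAuthcAuthzDisabled` flips only `authenticationAndAuthorizationEnabled()` while `enabledRealmType()` keeps returning `EnabledRealmType.ALL` from the setup, so it does not reproduce the exception described in the commit message. It would presumably still pass if the realm type were read from the license state before the guard. Adding `when(shieldLicenseState.enabledRealmType()).thenThrow(new IllegalStateException("realm type must not be read when authc is disabled"));` before the second assertion would make the test fail in that case. It would also be worth flipping the stub back to `true` at the end and asserting `hasNext()` is `true` again, to show the realms return when the license is re-enabled.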