security: don't iterate over realms if authentication is not enabled

This changes the realms iterator call to alway return a empty iterator when we have a basic license otherwise an exception would be thrown. Closes elastic/elasticsearch#2474 Original commit: elastic/x-pack-elasticsearch@168cab9e1d
2016-06-09 11:49:53 -04:00 · 2016-06-09 11:49:53 -04:00 · 3c1218ac1c
parent b8e76475b1
commit 3c1218ac1c
4 changed files with 27 additions and 2 deletions
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc;

 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.common.collect.Iterators;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
@ -101,6 +102,10 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab

    @Override
    public Iterator<Realm> iterator() {
+        if (shieldLicenseState.authenticationAndAuthorizationEnabled() == false) {
+            return Collections.emptyIterator();
+        }
+
        EnabledRealmType enabledRealmType = shieldLicenseState.enabledRealmType();
        switch (enabledRealmType) {
            case ALL:
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java
@ -15,6 +15,7 @@ import org.elasticsearch.xpack.watcher.support.xcontent.XContentSource;
 import org.junit.Before;

 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -92,7 +93,7 @@ public class SecurityFeatureSetTests extends ESTestCase {
            realmUsage.put("key3", i % 2 == 0);
            when(realm.usageStats()).thenReturn(realmUsage);
        }
-        when(realms.iterator()).thenReturn(realmsList.iterator());
+        when(realms.iterator()).thenReturn(available ? realmsList.iterator() : Collections.<Realm>emptyIterator());

        SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry);
        XPackFeatureSet.Usage usage = featureSet.usage();
@ -102,12 +103,14 @@ public class SecurityFeatureSetTests extends ESTestCase {
        assertThat(usage.available(), is(available));
        XContentSource source = new XContentSource(usage);

-        if (enabled) {
+        if (enabled && available) {
            for (int i = 0; i < 5; i++) {
                assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i));
                assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i));
                assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0));
            }
+        } else if (enabled) {
+            assertThat(source.getValue("enabled_realms"), is(notNullValue()));
        } else {
            assertThat(source.getValue("enabled_realms"), is(nullValue()));
        }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@ -94,6 +94,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
        Settings settings = Settings.builder().put("path.home", createTempDir()).build();
        SecurityLicenseState shieldLicenseState = mock(SecurityLicenseState.class);
        when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
        realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.<String, Realm.Factory>emptyMap(), shieldLicenseState,
                mock(ReservedRealm.class)) {

--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
@ -52,6 +52,7 @@ public class RealmsTests extends ESTestCase {
        }
        shieldLicenseState = mock(SecurityLicenseState.class);
        reservedRealm = mock(ReservedRealm.class);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
        when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
    }

@ -338,6 +339,21 @@ public class RealmsTests extends ESTestCase {
        assertThat(count, equalTo(orderToIndex.size()));
    }

+    public void testAuthcAuthzDisabled() {
+        Settings settings = Settings.builder()
+                .put("path.home", createTempDir())
+                .put("xpack.security.authc.realms.realm_1.type", FileRealm.TYPE)
+                .put("xpack.security.authc.realms.realm_1.order", 0)
+                .build();
+        Environment env = new Environment(settings);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState, reservedRealm).start();
+
+        assertThat(realms.iterator().hasNext(), is(true));
+
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(false);
+        assertThat(realms.iterator().hasNext(), is(false));
+    }
+
    static class DummyRealm extends Realm {

        public DummyRealm(String type, RealmConfig config) {