From 43a5fe07f4a139e67dcc347978ec2a40e750ac5e Mon Sep 17 00:00:00 2001
From: uboness
Date: Tue, 17 Mar 2015 16:28:59 -0700
Subject: [PATCH] fixed Introduced settings filtering for active directory Filtering out the `hostname_verification` setting for active directory realms Original commit: elastic/x-pack-elasticsearch@27b931c5c636d6993790ff8872b458c947a0ae5e
---
 .../authc/activedirectory/ActiveDirectoryRealm.java | 7 +++++++
 .../ActiveDirectorySessionFactory.java | 5 +++++
 .../authc/ldap/LdapUserSearchSessionFactory.java | 2 +-
 .../integration/SettingsFilterTests.java | 12 +++++++++++-
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java b/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java
index a8b4e6cb415..ebdcbd7ce4d 100644
--- a/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java
+++ b/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java
@@ -7,7 +7,9 @@ package org.elasticsearch.shield.authc.activedirectory;
 
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.rest.RestController;
+import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
+import org.elasticsearch.shield.authc.ldap.LdapUserSearchSessionFactory;
 import org.elasticsearch.shield.authc.ldap.support.AbstractLdapRealm;
 import org.elasticsearch.shield.authc.ldap.support.LdapRoleMapper;
 import org.elasticsearch.shield.ssl.ClientSSLService;
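Review bot: The added `import org.elasticsearch.shield.authc.ldap.LdapUserSearchSessionFactory;` looks unused in ActiveDirectoryRealm: the override added further down in this file delegates to `ActiveDirectorySessionFactory.filterOutSensitiveSettings(realmName, filter)`, and nothing in either hunk of this file references the LDAP factory. Unless the rest of the file (outside the hunks) uses it, drop that line so the active-directory realm does not pick up a dependency on the LDAP package it never calls. The `ShieldSettingsFilter` import is required by the new override and should stay.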
@@ -39,6 +41,11 @@ public class ActiveDirectoryRealm extends AbstractLdapRealm {
         this.clientSSLService = clientSSLService;
     }
 
+    @Override
+    public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
+        ActiveDirectorySessionFactory.filterOutSensitiveSettings(realmName, filter);
+    }
+
     @Override
     public ActiveDirectoryRealm create(RealmConfig config) {
         ActiveDirectorySessionFactory connectionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
diff --git a/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java b/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
index d6cd8161547..2f262d54ebd 100644
--- a/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
+++ b/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
@@ -10,6 +10,7 @@ import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.primitives.Ints;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldSettingsException;
+import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.shield.authc.ldap.support.LdapSession;
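Review bot: The new `filterOutSensitiveSettings` override in ActiveDirectoryRealm carries no Javadoc, yet it is the hook that decides which of this realm's settings are hidden from the settings output, so a maintainer adding a new credential-bearing key has nothing telling them where the list lives. A one-liner above the `@Override`, such as `/** Registers this realm's sensitive settings (currently {@code hostname_verification}) with the filter; the list is owned by {@link ActiveDirectorySessionFactory#filterOutSensitiveSettings}. */`, would make that explicit. The `create` method that follows the addition continues outside the hunk.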
@@ -61,6 +62,10 @@ public class ActiveDirectorySessionFactory extends SessionFactory {
         groupResolver = new ActiveDirectoryGroupsResolver(settings.getAsSettings("group_search"), domainDN);
     }
 
+    static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
+        filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
+    }
+
     ServerSet serverSet(Settings settings, ClientSSLService clientSSLService) {
         String[] ldapUrls = settings.getAsArray(URLS_SETTING, new String[] { "ldap://" + domainName + ":389" });
         LDAPServers servers = new LDAPServers(ldapUrls);
diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
index 6c13163c757..a2301080746 100644
--- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
+++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
@@ -60,7 +60,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
     static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
         filter.filterOut("shield.authc.realms." + realmName + ".bind_dn");
         filter.filterOut("shield.authc.realms." + realmName + ".bind_password");
-        filter.filterOut("shield.authc.realms." + realmName + ".hostname_verification");
+        filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
     }
 
     static LDAPConnectionPool connectionPool(Settings settings, ServerSet serverSet, TimeValue timeout) {
diff --git a/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java b/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java
index 36a0c39ca57..4ebf444b928 100644
--- a/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java
+++ b/src/test/java/org/elasticsearch/integration/SettingsFilterTests.java
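Review bot: The new `ActiveDirectorySessionFactory.filterOutSensitiveSettings` and the `LdapUserSearchSessionFactory` hunk below both hand-assemble the `"shield.authc.realms." + realmName + "."` prefix in front of each setting name, so the two lists can drift apart silently; since both classes extend `SessionFactory` (visible in the hunk headers), a shared helper there, e.g. `static String realmSetting(String realmName, String setting) { return "shield.authc.realms." + realmName + "." + setting; }`, would give each factory a one-line `filter.filterOut(realmSetting(realmName, HOSTNAME_VERIFICATION_SETTING));`. Note the asymmetry the hunks expose: the LDAP list also hides `bind_dn` and `bind_password`, while the active-directory list holds only `HOSTNAME_VERIFICATION_SETTING`; that is correct only if the AD factory reads no bind credentials from its realm settings, which its constructor (outside the hunk) would have to confirm, and any credential key added to the AD settings later must be added to this list as well. `HOSTNAME_VERIFICATION_SETTING` is not declared in either hunk and is presumably inherited from `SessionFactory`.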
@@ -61,8 +61,9 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
         return ImmutableSettings.builder().put(super.nodeSettings(nodeOrdinal))
                 .put(InternalNode.HTTP_ENABLED, true)
 
-                // ldap realm filtering
                 .put("shield.authc.realms.esusers.type", "esusers")
+
+                // ldap realm filtering
                 .put("shield.authc.realms.ldap1.type", "ldap")
                 .put("shield.authc.realms.ldap1.enabled", "false")
                 .put("shield.authc.realms.ldap1.url", "ldap://host.domain")
@@ -70,6 +71,12 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
                 .put("shield.authc.realms.ldap1.bind_dn", randomAsciiOfLength(5))
                 .put("shield.authc.realms.ldap1.bind_password", randomAsciiOfLength(5))
 
+                // active directory filtering
+                .put("shield.authc.realms.ad1.type", "active_directory")
+                .put("shield.authc.realms.ad1.enabled", "false")
+                .put("shield.authc.realms.ad1.url", "ldap://host.domain")
+                .put("shield.authc.realms.ad1.hostname_verification", randomAsciiOfLength(5))
+
                 .put("shield.ssl.keystore.path", "/path/to/keystore")
                 .put("shield.ssl.ciphers", "_ciphers")
                 .put("shield.ssl.supported_protocols", randomFrom(AbstractSSLService.DEFAULT_SUPPORTED_PROTOCOLS))
@@ -115,6 +122,9 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
         assertThat(settings.get("shield.authc.realms.ldap1.bind_dn"), nullValue());
         assertThat(settings.get("shield.authc.realms.ldap1.url"), is("ldap://host.domain"));
 
+        assertThat(settings.get("shield.authc.realms.ad1.hostname_verification"), nullValue());
+        assertThat(settings.get("shield.authc.realms.ad1.url"), is("ldap://host.domain"));
+
         assertThat(settings.get("shield.ssl.keystore.path"), nullValue());
         assertThat(settings.get("shield.ssl.ciphers"), nullValue());
         assertThat(settings.get("shield.ssl.supported_protocols"), nullValue());
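Review bot: In the second hunk `shield.authc.realms.ad1.hostname_verification` is seeded with `randomAsciiOfLength(5)`, which presumably is not a value the realm would accept for a verification flag; the fixture only holds together because `ad1.enabled` is `"false"`, so the realm is never constructed from these settings. Using the boolean overload the same chain already uses for `InternalNode.HTTP_ENABLED`, i.e. `.put("shield.authc.realms.ad1.hostname_verification", randomBoolean())`, keeps the third hunk's `nullValue()` assertion meaningful even if a later change enables the realm in this test. The `nodeSettings` builder chain begins before the first hunk, and the method holding the assertions in the third hunk also starts outside it.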