fixed Introduced settings filtering for active directory

Filtering out the `hostname_verification` setting for active directory realms

Original commit: elastic/x-pack-elasticsearch@27b931c5c6
uboness 2015-03-17 16:28:59 -07:00
parent 3015ebccdb
commit 43a5fe07f4
4 changed files with 24 additions and 2 deletions


@ -7,7 +7,9 @@ package org.elasticsearch.shield.authc.activedirectory;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.ldap.LdapUserSearchSessionFactory;
import org.elasticsearch.shield.authc.ldap.support.AbstractLdapRealm;
import org.elasticsearch.shield.authc.ldap.support.LdapRoleMapper;
import org.elasticsearch.shield.ssl.ClientSSLService;
@ -39,6 +41,11 @@ public class ActiveDirectoryRealm extends AbstractLdapRealm {
this.clientSSLService = clientSSLService;
}
@Override
public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
ActiveDirectorySessionFactory.filterOutSensitiveSettings(realmName, filter);
}
@Override
public ActiveDirectoryRealm create(RealmConfig config) {
ActiveDirectorySessionFactory connectionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
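Review bot: The import of `org.elasticsearch.shield.authc.ldap.LdapUserSearchSessionFactory` in the first hunk looks unused. It appears to be one of the two imports this commit adds, and the new override only calls `ActiveDirectorySessionFactory.filterOutSensitiveSettings(realmName, filter)`; if nothing else in the class references it, drop the import. The override would also benefit from a one-line comment such as `// hides this realm's sensitive settings from settings output; the key list lives in ActiveDirectorySessionFactory`, so a reader knows where to look when a new Active Directory setting needs filtering. The factory class starts and ends outside the hunk, so other uses of the import cannot be ruled out from here.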


@ -10,6 +10,7 @@ import org.elasticsearch.common.Strings;
import org.elasticsearch.common.primitives.Ints;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.ShieldSettingsException;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
import org.elasticsearch.shield.authc.ldap.support.LdapSession;
@ -61,6 +62,10 @@ public class ActiveDirectorySessionFactory extends SessionFactory {
groupResolver = new ActiveDirectoryGroupsResolver(settings.getAsSettings("group_search"), domainDN);
}
static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
}
ServerSet serverSet(Settings settings, ClientSSLService clientSSLService) {
String[] ldapUrls = settings.getAsArray(URLS_SETTING, new String[] { "ldap://" + domainName + ":389" });
LDAPServers servers = new LDAPServers(ldapUrls);
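Review bot: The new `filterOutSensitiveSettings` carries no comment explaining why `hostname_verification` is treated as sensitive, and it is the only Active Directory key being hidden. A short note above the method would help, for example `// hidden so settings output does not show whether TLS hostname checks are disabled for this realm (confirm intent)`. The reason given there is an assumption; the page does not state it. The `"shield.authc.realms." + realmName + "."` prefix is also assembled by hand here and again in `LdapUserSearchSessionFactory`, so a small shared helper that builds the realm-scoped key would keep the two filters from drifting apart. The class body continues outside the hunk, so any further settings that might need filtering cannot be checked from here.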


@ -60,7 +60,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
filter.filterOut("shield.authc.realms." + realmName + ".bind_dn");
filter.filterOut("shield.authc.realms." + realmName + ".bind_password");
filter.filterOut("shield.authc.realms." + realmName + ".hostname_verification");
filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
}
static LDAPConnectionPool connectionPool(Settings settings, ServerSet serverSet, TimeValue timeout) {
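Review bot: In `filterOutSensitiveSettings`, `".bind_dn"` and `".bind_password"` are still string literals, while the `hostname_verification` key now comes from `HOSTNAME_VERIFICATION_SETTING`. The filter is the only thing keeping the bind credentials out of settings output, so these keys should come from the same constants the factory uses when it reads them. Otherwise a rename of the setting could silently stop the filter from matching. Whether such constants already exist is not visible in this hunk; if they do not, adding them alongside `HOSTNAME_VERIFICATION_SETTING` would be the consistent choice.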


@ -61,8 +61,9 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
return ImmutableSettings.builder().put(super.nodeSettings(nodeOrdinal))
.put(InternalNode.HTTP_ENABLED, true)
// ldap realm filtering
.put("shield.authc.realms.esusers.type", "esusers")
// ldap realm filtering
.put("shield.authc.realms.ldap1.type", "ldap")
.put("shield.authc.realms.ldap1.enabled", "false")
.put("shield.authc.realms.ldap1.url", "ldap://host.domain")
@ -70,6 +71,12 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
.put("shield.authc.realms.ldap1.bind_dn", randomAsciiOfLength(5))
.put("shield.authc.realms.ldap1.bind_password", randomAsciiOfLength(5))
// active directory filtering
.put("shield.authc.realms.ad1.type", "active_directory")
.put("shield.authc.realms.ad1.enabled", "false")
.put("shield.authc.realms.ad1.url", "ldap://host.domain")
.put("shield.authc.realms.ad1.hostname_verification", randomAsciiOfLength(5))
.put("shield.ssl.keystore.path", "/path/to/keystore")
.put("shield.ssl.ciphers", "_ciphers")
.put("shield.ssl.supported_protocols", randomFrom(AbstractSSLService.DEFAULT_SUPPORTED_PROTOCOLS))
@ -115,6 +122,9 @@ public class SettingsFilterTests extends ShieldIntegrationTest {
assertThat(settings.get("shield.authc.realms.ldap1.bind_dn"), nullValue());
assertThat(settings.get("shield.authc.realms.ldap1.url"), is("ldap://host.domain"));
assertThat(settings.get("shield.authc.realms.ad1.hostname_verification"), nullValue());
assertThat(settings.get("shield.authc.realms.ad1.url"), is("ldap://host.domain"));
assertThat(settings.get("shield.ssl.keystore.path"), nullValue());
assertThat(settings.get("shield.ssl.ciphers"), nullValue());
assertThat(settings.get("shield.ssl.supported_protocols"), nullValue());