Fixes multiple Active Directory related tests that run against the samba fixture. Some were failing since we changed the realm settings format in 7.0 and a few were slightly broken in other ways. We can move to cleanup the tests in a follow up but this work fits better to be done with or after we move the tests from a Samba based fixture to a real(-ish) Microsoft Active Directory based fixture. Resolves: #33425, #35738
This commit is contained in:
Ioannis Kakavas
GitHub
parent
2228a7dd8d
commit
4f722f0f53
|
|
@ -0,0 +1,22 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDoDCCAoigAwIBAgIUMVGoHuyNTjTFaoRmqFELz75jzDEwDQYJKoZIhvcNAQEL
|
||||
BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
|
||||
cmF0ZWQgQ0EwHhcNMTgwMjE1MTc0OTExWhcNMjEwMjE0MTc0OTExWjARMQ8wDQYD
|
||||
VQQDEwZzYW1iYTQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtGBwa
|
||||
n+7JN2vweSUsYh4zPmh8RPIE+nEVjK1lx/rADUBY7UVjfTYC+MVKKiezZe7gYCNT
|
||||
7JNKazPpgVI9e3ZFKw/UxomLqRuuvn5bTh+1tMs3afY5+GGzi7oPmEbBO3ceg0Hi
|
||||
rNSTDa1rfroZnRYK8uIeSZacQnAW90plITI7rBBt9jq+W9albFbDybfDgNv+yS/C
|
||||
rzIsofm4rbFC3SMRYfrT6HvwDhjOmmYKZci5x7tsn0T+3tSiR44Bw5/DgiN5kX3m
|
||||
/kl9qg1eoYWbCUy1dKmQlb4Nb4uNcxrIugLB3zjBkfhMZ0OHoveKh/lJASTWik9k
|
||||
xQ9rEYbpsRbuXpsHAgMBAAGjgcwwgckwHQYDVR0OBBYEFJOLa7UXKtLPibgKeFh7
|
||||
Kq1+rS0/MG8GA1UdIwRoMGaAFGaNmN5mi9jaMW25MEWYgt+5OkDBoTikNjA0MTIw
|
||||
MAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBD
|
||||
QYIUdwsnIxjgSneHNVKT6JNCCsrQ3T0wLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
|
||||
AAABhxAAAAAAAAAAAAAAAAAAAAABMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
|
||||
ggEBAEHqT1WHkcF8DuOgyIBx7wKcUVQ5H1qYYlJ1xgMGrKFFZLUzouLcON7oadEu
|
||||
HLIJ4Z3AKD3bqWpcls5XJ9MTECGR48tou67x9cXqTV7jR3Rh0H/VGwzwhR85vbpu
|
||||
o8ielOPL8XAQOfnAFESJii5sfCU4ZwLg+3evmGZdKfhU6rqQtLimgG/Gm96vOJne
|
||||
y0a/TZTWrfAarithkOHHXSSAhEI5SdW5SlZAytF4AmYqFvafwxe1+NyFwfCRy0Xl
|
||||
H40WgVsq+z84psU+WyORb3THX5rgB4au9nuMXOqFKAtrJSI/uApncYraaqU28rqB
|
||||
gYd8XrtjhKOLw+6viqAKu8l7/cs=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -6,7 +6,6 @@
|
|||
package org.elasticsearch.xpack.security.authc.ldap;
|
||||
|
||||
import org.elasticsearch.action.support.PlainActionFuture;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
|
|
@ -15,10 +14,8 @@ import org.elasticsearch.env.TestEnvironment;
|
|||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope;
|
||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||
import org.elasticsearch.xpack.security.authc.ldap.support.LdapSession;
|
||||
import org.elasticsearch.xpack.security.authc.ldap.support.LdapTestCase;
|
||||
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
|
|
@ -49,7 +46,7 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
|
|||
|
||||
globalSettings = Settings.builder()
|
||||
.put("path.home", createTempDir())
|
||||
.put("xpack.security.authc.realms.active_directory.ad.ssl.certificate_authorities", certPath)
|
||||
.put("xpack.security.authc.realms.ldap.ad-as-ldap-test.ssl.certificate_authorities", certPath)
|
||||
.build();
|
||||
sslService = new SSLService(globalSettings, env);
|
||||
threadPool = new TestThreadPool("ADLdapUserSearchSessionFactoryTests");
|
||||
|
|
@ -60,15 +57,12 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
|
|||
terminate(threadPool);
|
||||
}
|
||||
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testUserSearchWithActiveDirectory() throws Exception {
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
String userSearchBase = "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(
|
||||
new String[] { ActiveDirectorySessionFactoryTests.AD_LDAP_URL },
|
||||
Strings.EMPTY_ARRAY, groupSearchBase, LdapSearchScope.SUB_TREE, null,
|
||||
true))
|
||||
.put("url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.put("group_search.base_dn", groupSearchBase)
|
||||
.put("user_search.base_dn", userSearchBase)
|
||||
.put("bind_dn", "ironman@ad.test.elasticsearch.com")
|
||||
.put("bind_password", ActiveDirectorySessionFactoryTests.PASSWORD)
|
||||
|
|
@ -79,13 +73,13 @@ public class ADLdapUserSearchSessionFactoryTests extends AbstractActiveDirectory
|
|||
Settings.Builder builder = Settings.builder()
|
||||
.put(globalSettings);
|
||||
settings.keySet().forEach(k -> {
|
||||
builder.copy("xpack.security.authc.realms.ad-as-ldap-test." + k, k, settings);
|
||||
builder.copy("xpack.security.authc.realms.ldap.ad-as-ldap-test." + k, k, settings);
|
||||
|
||||
});
|
||||
Settings fullSettings = builder.build();
|
||||
sslService = new SSLService(fullSettings, TestEnvironment.newEnvironment(fullSettings));
|
||||
RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test"), globalSettings,
|
||||
TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings));
|
||||
RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("ldap", "ad-as-ldap-test"), fullSettings,
|
||||
TestEnvironment.newEnvironment(fullSettings), new ThreadContext(fullSettings));
|
||||
LdapUserSearchSessionFactory sessionFactory = getLdapUserSearchSessionFactory(config, sslService, threadPool);
|
||||
|
||||
String user = "Bruce Banner";
|
||||
|
|
|
|||
|
|
@ -84,10 +84,10 @@ public abstract class AbstractActiveDirectoryTestCase extends ESTestCase {
|
|||
Settings.Builder builder = Settings.builder().put("path.home", createTempDir());
|
||||
|
||||
// fake realms so ssl will get loaded
|
||||
builder.putList("xpack.security.authc.realms.foo.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.putList("xpack.security.authc.realms.bar.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
builder.putList("xpack.security.authc.realms.active_directory.foo.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.active_directory.foo.ssl.verification_mode", VerificationMode.FULL);
|
||||
builder.putList("xpack.security.authc.realms.active_directory.bar.ssl.certificate_authorities", certificatePaths);
|
||||
builder.put("xpack.security.authc.realms.active_directory.bar.ssl.verification_mode", VerificationMode.CERTIFICATE);
|
||||
globalSettings = builder.build();
|
||||
Environment environment = TestEnvironment.newEnvironment(globalSettings);
|
||||
sslService = new SSLService(globalSettings, environment);
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ import org.elasticsearch.action.index.IndexResponse;
|
|||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.common.Nullable;
|
||||
import org.elasticsearch.common.bytes.BytesArray;
|
||||
import org.elasticsearch.common.settings.MockSecureSettings;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
|
|
@ -24,19 +23,16 @@ import org.elasticsearch.test.SecurityIntegTestCase;
|
|||
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequestBuilder;
|
||||
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingResponse;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.ActiveDirectorySessionFactorySettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
|
||||
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.xpack.core.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.core.ssl.VerificationMode;
|
||||
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
|
||||
import org.junit.After;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.UncheckedIOException;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
|
@ -50,6 +46,7 @@ import java.util.function.Supplier;
|
|||
import java.util.stream.Collectors;
|
||||
|
||||
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
|
||||
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
|
||||
import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.ONE_LEVEL;
|
||||
import static org.elasticsearch.xpack.core.security.authc.ldap.support.LdapSearchScope.SUB_TREE;
|
||||
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
||||
|
|
@ -66,7 +63,8 @@ import static org.hamcrest.Matchers.equalTo;
|
|||
*/
|
||||
public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase {
|
||||
|
||||
public static final String XPACK_SECURITY_AUTHC_REALMS_EXTERNAL = "xpack.security.authc.realms.external";
|
||||
public static final String XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL = "xpack.security.authc.realms.active_directory.external";
|
||||
public static final String XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL = "xpack.security.authc.realms.ldap.external";
|
||||
public static final String PASSWORD = AbstractActiveDirectoryTestCase.PASSWORD;
|
||||
public static final String ASGARDIAN_INDEX = "gods";
|
||||
public static final String PHILANTHROPISTS_INDEX = "philanthropists";
|
||||
|
|
@ -99,8 +97,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
)
|
||||
};
|
||||
|
||||
protected static final String TESTNODE_KEY = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem";
|
||||
protected static final String TESTNODE_CERT = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
|
||||
protected static RealmConfig realmConfig;
|
||||
protected static List<RoleMappingEntry> roleMappings;
|
||||
|
||||
|
|
@ -121,42 +117,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
@Override
|
||||
protected Settings nodeSettings(int nodeOrdinal) {
|
||||
final RealmConfig realm = AbstractAdLdapRealmTestCase.realmConfig;
|
||||
final Path nodeCert = getDataPath(TESTNODE_CERT);
|
||||
final Path nodeKey = getDataPath(TESTNODE_KEY);
|
||||
Settings.Builder builder = Settings.builder();
|
||||
// don't use filter since it returns a prefixed secure setting instead of mock!
|
||||
Settings settingsToAdd = super.nodeSettings(nodeOrdinal);
|
||||
builder.put(settingsToAdd.filter(k -> k.startsWith("xpack.transport.security.ssl.") == false), false);
|
||||
MockSecureSettings mockSecureSettings = (MockSecureSettings) Settings.builder().put(settingsToAdd).getSecureSettings();
|
||||
if (mockSecureSettings != null) {
|
||||
MockSecureSettings filteredSecureSettings = new MockSecureSettings();
|
||||
builder.setSecureSettings(filteredSecureSettings);
|
||||
for (String secureSetting : mockSecureSettings.getSettingNames()) {
|
||||
if (secureSetting.startsWith("xpack.transport.security.ssl.") == false) {
|
||||
SecureString secureString = mockSecureSettings.getString(secureSetting);
|
||||
if (secureString == null) {
|
||||
final byte[] fileBytes;
|
||||
try (InputStream in = mockSecureSettings.getFile(secureSetting);
|
||||
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
|
||||
int numRead;
|
||||
byte[] bytes = new byte[1024];
|
||||
while ((numRead = in.read(bytes)) != -1) {
|
||||
byteArrayOutputStream.write(bytes, 0, numRead);
|
||||
}
|
||||
byteArrayOutputStream.flush();
|
||||
fileBytes = byteArrayOutputStream.toByteArray();
|
||||
} catch (IOException e) {
|
||||
throw new UncheckedIOException(e);
|
||||
}
|
||||
|
||||
filteredSecureSettings.setFile(secureSetting, fileBytes);
|
||||
} else {
|
||||
filteredSecureSettings.setString(secureSetting, new String(secureString.getChars()));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
addSslSettingsForKeyPair(builder, nodeKey, "testnode", nodeCert, getNodeTrustedCertificates());
|
||||
builder.put(super.nodeSettings(nodeOrdinal), true);
|
||||
builder.put(buildRealmSettings(realm, roleMappings, getNodeTrustedCertificates()));
|
||||
return builder.build();
|
||||
}
|
||||
|
|
@ -165,7 +127,7 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
certificateAuthorities) {
|
||||
Settings.Builder builder = Settings.builder();
|
||||
builder.put(realm.buildSettings(certificateAuthorities));
|
||||
configureFileRoleMappings(builder, roleMappingEntries);
|
||||
configureFileRoleMappings(builder, realm.type, roleMappingEntries);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
|
@ -214,11 +176,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
.collect(Collectors.toList());
|
||||
}
|
||||
|
||||
protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {
|
||||
protected final void configureFileRoleMappings(Settings.Builder builder, String realmType, List<RoleMappingEntry> mappings) {
|
||||
String content = getRoleMappingContent(RoleMappingEntry::getFileContent, mappings).stream().collect(Collectors.joining("\n"));
|
||||
Path nodeFiles = createTempDir();
|
||||
String file = writeFile(nodeFiles, "role_mapping.yml", content);
|
||||
builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".files.role_mapping", file);
|
||||
builder.put("xpack.security.authc.realms." + realmType + ".external.files.role_mapping", file);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -287,15 +249,6 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
return UsernamePasswordToken.basicAuthHeaderValue(username, new SecureString(password.toCharArray()));
|
||||
}
|
||||
|
||||
private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert,
|
||||
List<String> certificateAuthorities) {
|
||||
builder.put("xpack.transport.security.ssl.key", key)
|
||||
.put("xpack.transport.security.ssl.key_passphrase", keyPassphrase)
|
||||
.put("xpack.transport.security.ssl.verification_mode", "certificate")
|
||||
.put("xpack.transport.security.ssl.certificate", cert)
|
||||
.putList("xpack.transport.security.ssl.certificate_authorities", certificateAuthorities);
|
||||
}
|
||||
|
||||
/**
|
||||
* Collects all the certificates that are normally trusted by the node ( contained in testnode.jks )
|
||||
*/
|
||||
|
|
@ -378,57 +331,55 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
|
||||
AD(false, AD_ROLE_MAPPING,
|
||||
Settings.builder()
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.AD_TYPE)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".domain_name", ActiveDirectorySessionFactoryTests.AD_DOMAIN)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL
|
||||
+ ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".follow_referrals",
|
||||
ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
|
||||
ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING.getKey(), AD_LDAP_PORT)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
|
||||
ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING.getKey(), AD_LDAPS_PORT)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
|
||||
ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING.getKey(), AD_GC_LDAP_PORT)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "." +
|
||||
ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING.getKey(), AD_GC_LDAPS_PORT)
|
||||
.build()),
|
||||
.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAP_PORT_SETTING), AD_LDAP_PORT)
|
||||
.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_LDAPS_PORT_SETTING), AD_LDAPS_PORT)
|
||||
.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAP_PORT_SETTING), AD_GC_LDAP_PORT)
|
||||
.put(getFullSettingKey("external",ActiveDirectorySessionFactorySettings.AD_GC_LDAPS_PORT_SETTING), AD_GC_LDAPS_PORT)
|
||||
.build(),
|
||||
"active_directory"),
|
||||
|
||||
AD_LDAP_GROUPS_FROM_SEARCH(true, AD_ROLE_MAPPING,
|
||||
Settings.builder()
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL
|
||||
+ ".group_search.base_dn", "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".group_search.scope", randomBoolean() ? SUB_TREE : ONE_LEVEL)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
|
||||
"cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
|
||||
ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
|
||||
.build()),
|
||||
.build(),
|
||||
"ldap"),
|
||||
|
||||
AD_LDAP_GROUPS_FROM_ATTRIBUTE(true, AD_ROLE_MAPPING,
|
||||
Settings.builder()
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".type", LdapRealmSettings.LDAP_TYPE)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_dn_templates",
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".url", ActiveDirectorySessionFactoryTests.AD_LDAP_URL)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".user_dn_templates",
|
||||
"cn={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".follow_referrals",
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + ".follow_referrals",
|
||||
ActiveDirectorySessionFactoryTests.FOLLOW_REFERRALS)
|
||||
.build());
|
||||
.build(),
|
||||
"ldap");
|
||||
|
||||
final String type;
|
||||
final boolean mapGroupsAsRoles;
|
||||
final boolean loginWithCommonName;
|
||||
private final RoleMappingEntry[] roleMappings;
|
||||
final Settings settings;
|
||||
|
||||
RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings) {
|
||||
RealmConfig(boolean loginWithCommonName, RoleMappingEntry[] roleMappings, Settings settings, String type) {
|
||||
this.settings = settings;
|
||||
this.loginWithCommonName = loginWithCommonName;
|
||||
this.roleMappings = roleMappings;
|
||||
this.mapGroupsAsRoles = randomBoolean();
|
||||
this.type = type;
|
||||
}
|
||||
|
||||
public Settings buildSettings(List<String> certificateAuthorities) {
|
||||
|
|
@ -438,11 +389,11 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
|
|||
|
||||
protected Settings buildSettings(List<String> certificateAuthorities, int order) {
|
||||
Settings.Builder builder = Settings.builder()
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".order", order)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".hostname_verification", false)
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".unmapped_groups_as_roles", mapGroupsAsRoles)
|
||||
.put("xpack.security.authc.realms." + type + ".external.order", order)
|
||||
.put("xpack.security.authc.realms." + type + ".external.ssl.verification_mode", VerificationMode.CERTIFICATE)
|
||||
.put("xpack.security.authc.realms." + type + ".external.unmapped_groups_as_roles", mapGroupsAsRoles)
|
||||
.put(this.settings)
|
||||
.putList(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".ssl.certificate_authorities", certificateAuthorities);
|
||||
.putList("xpack.security.authc.realms." + type + ".external.ssl.certificate_authorities", certificateAuthorities);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,6 @@ public class ActiveDirectoryGroupsResolverTests extends GroupsResolverTestCase {
|
|||
ldapConnection.getConnectionOptions().setFollowReferrals(AbstractActiveDirectoryTestCase.FOLLOW_REFERRALS);
|
||||
}
|
||||
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testResolveSubTree() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.authc.realms.active_directory.ad.group_search.scope", LdapSearchScope.SUB_TREE)
|
||||
|
|
|
|||
|
|
@ -43,13 +43,13 @@ public class ActiveDirectoryRunAsIT extends AbstractAdLdapRealmTestCase {
|
|||
final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal));
|
||||
switch (realmConfig) {
|
||||
case AD:
|
||||
builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".user_search.pool.enabled", false);
|
||||
builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_dn", "ironman@ad.test.elasticsearch.com")
|
||||
.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".user_search.pool.enabled", false);
|
||||
if (useLegacyBindPassword) {
|
||||
builder.put(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
|
||||
builder.put(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".bind_password", ActiveDirectorySessionFactoryTests.PASSWORD);
|
||||
} else {
|
||||
SecuritySettingsSource.addSecureSettings(builder, secureSettings -> {
|
||||
secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + ".secure_bind_password",
|
||||
secureSettings.setString(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + ".secure_bind_password",
|
||||
ActiveDirectorySessionFactoryTests.PASSWORD);
|
||||
});
|
||||
}
|
||||
|
|
@ -60,7 +60,6 @@ public class ActiveDirectoryRunAsIT extends AbstractAdLdapRealmTestCase {
|
|||
return builder.build();
|
||||
}
|
||||
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testRunAs() throws Exception {
|
||||
String avenger = realmConfig.loginWithCommonName ? "Natasha Romanoff" : "blackwidow";
|
||||
final AuthenticateRequest request = new AuthenticateRequest(avenger);
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.ldap;
|
|||
|
||||
import com.unboundid.ldap.sdk.LDAPException;
|
||||
import com.unboundid.ldap.sdk.ResultCode;
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
import org.elasticsearch.action.support.PlainActionFuture;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
@ -43,11 +42,10 @@ import static org.hamcrest.Matchers.hasItem;
|
|||
import static org.hamcrest.Matchers.instanceOf;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
||||
@LuceneTestCase.AwaitsFix(bugUrl = "ActiveDirectorySessionFactoryTests")
|
||||
public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryTestCase {
|
||||
|
||||
private static final String REALM_NAME = "ad-test";
|
||||
private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("ad", REALM_NAME);
|
||||
private static final RealmConfig.RealmIdentifier REALM_ID = new RealmConfig.RealmIdentifier("active_directory", REALM_NAME);
|
||||
private final SecureString SECURED_PASSWORD = new SecureString(PASSWORD);
|
||||
private ThreadPool threadPool;
|
||||
|
||||
|
|
@ -67,7 +65,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
}
|
||||
|
||||
public void testAdAuth() throws Exception {
|
||||
RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String userName = "ironman";
|
||||
|
|
@ -88,21 +86,21 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
}
|
||||
}
|
||||
|
||||
private RealmConfig configureRealm(String name, Settings settings) {
|
||||
private RealmConfig configureRealm(String name, String type, Settings settings) {
|
||||
final Environment env = TestEnvironment.newEnvironment(globalSettings);
|
||||
final Settings mergedSettings = Settings.builder()
|
||||
.put(settings)
|
||||
.normalizePrefix("xpack.security.authc.realms." + name + ".")
|
||||
.normalizePrefix("xpack.security.authc.realms." + type + "." + name + ".")
|
||||
.put(globalSettings)
|
||||
.build();
|
||||
this.sslService = new SSLService(mergedSettings, env);
|
||||
final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(LdapRealmSettings.AD_TYPE, name);
|
||||
final RealmConfig.RealmIdentifier identifier = new RealmConfig.RealmIdentifier(type, name);
|
||||
return new RealmConfig(identifier, mergedSettings, env, new ThreadContext(globalSettings));
|
||||
}
|
||||
|
||||
public void testNetbiosAuth() throws Exception {
|
||||
final String adUrl = randomFrom(AD_LDAP_URL, AD_LDAP_GC_URL);
|
||||
RealmConfig config = configureRealm("ad-test", buildAdSettings(adUrl, AD_DOMAIN, false));
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(adUrl, AD_DOMAIN, false));
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String userName = "ades\\ironman";
|
||||
|
|
@ -124,7 +122,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
}
|
||||
|
||||
public void testAdAuthAvengers() throws Exception {
|
||||
RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false));
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String[] users = new String[]{"cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow"};
|
||||
|
|
@ -140,7 +138,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testAuthenticate() throws Exception {
|
||||
Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
|
||||
LdapSearchScope.ONE_LEVEL, false);
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String userName = "hulk";
|
||||
|
|
@ -163,7 +161,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testAuthenticateBaseUserSearch() throws Exception {
|
||||
Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN,
|
||||
"CN=Bruce Banner, CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", LdapSearchScope.BASE, false);
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String userName = "hulk";
|
||||
|
|
@ -191,7 +189,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
"CN=Avengers,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com")
|
||||
.put(ActiveDirectorySessionFactorySettings.AD_GROUP_SEARCH_SCOPE_SETTING, LdapSearchScope.BASE)
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
String userName = "hulk";
|
||||
|
|
@ -207,7 +205,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testAuthenticateWithUserPrincipalName() throws Exception {
|
||||
Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
|
||||
LdapSearchScope.ONE_LEVEL, false);
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
//Login with the UserPrincipalName
|
||||
|
|
@ -227,7 +225,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testAuthenticateWithSAMAccountName() throws Exception {
|
||||
Settings settings = buildAdSettings(REALM_ID, AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com",
|
||||
LdapSearchScope.ONE_LEVEL, false);
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
//login with sAMAccountName
|
||||
|
|
@ -252,7 +250,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
.put(getFullSettingKey(REALM_ID.getName(), ActiveDirectorySessionFactorySettings.AD_USER_SEARCH_FILTER_SETTING),
|
||||
"(&(objectclass=user)(userPrincipalName={0}@ad.test.elasticsearch.com))")
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-test", settings);
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, settings);
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
//Login with the UserPrincipalName
|
||||
|
|
@ -271,18 +269,14 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testStandardLdapConnection() throws Exception {
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(
|
||||
new String[]{AD_LDAP_URL},
|
||||
new String[]{userTemplate},
|
||||
groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE,
|
||||
null,
|
||||
true))
|
||||
.put("follow_referrals", FOLLOW_REFERRALS)
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
|
||||
final Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE, null, false))
|
||||
.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
|
||||
|
||||
String user = "Bruce Banner";
|
||||
|
|
@ -302,21 +296,15 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
public void testHandlingLdapReferralErrors() throws Exception {
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
final boolean ignoreReferralErrors = false;
|
||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier("ad", "ad-as-ldap-test");
|
||||
Settings settings = LdapTestCase.buildLdapSettings(realmId,
|
||||
new String[]{AD_LDAP_URL},
|
||||
new String[]{userTemplate},
|
||||
groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE,
|
||||
null,
|
||||
ignoreReferralErrors);
|
||||
final Settings.Builder builder = Settings.builder().put(settings).put(globalSettings);
|
||||
builder.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths);
|
||||
settings = builder.build();
|
||||
RealmConfig config = new RealmConfig(realmId,
|
||||
settings, TestEnvironment.newEnvironment(globalSettings),
|
||||
new ThreadContext(globalSettings));
|
||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE, null, false))
|
||||
.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
|
||||
.build();
|
||||
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
|
||||
|
||||
String user = "Bruce Banner";
|
||||
|
|
@ -335,12 +323,16 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
|
||||
public void testStandardLdapWithAttributeGroups() throws Exception {
|
||||
String userTemplate = "CN={0},CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
Settings settings = LdapTestCase.buildLdapSettings(new String[]{AD_LDAP_URL}, userTemplate, false);
|
||||
settings = Settings.builder()
|
||||
.put(settings)
|
||||
String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
final RealmConfig.RealmIdentifier realmId = new RealmConfig.RealmIdentifier(LdapRealmSettings.LDAP_TYPE, "ad-as-ldap-test");
|
||||
Settings settings = Settings.builder()
|
||||
.put(LdapTestCase.buildLdapSettings(realmId, new String[]{AD_LDAP_URL}, new String[]{userTemplate}, groupSearchBase,
|
||||
LdapSearchScope.SUB_TREE, null, false))
|
||||
.putList("ssl.certificate_authorities", certificatePaths)
|
||||
.putList(RealmSettings.realmSslPrefix(realmId) + "certificate_authorities", certificatePaths)
|
||||
.put(getFullSettingKey(realmId, SessionFactorySettings.FOLLOW_REFERRALS_SETTING), FOLLOW_REFERRALS)
|
||||
.build();
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", settings);
|
||||
RealmConfig config = configureRealm("ad-as-ldap-test", LdapRealmSettings.LDAP_TYPE, settings);
|
||||
LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
|
||||
|
||||
String user = "Bruce Banner";
|
||||
|
|
@ -357,7 +349,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryT
|
|||
}
|
||||
|
||||
public void testADLookup() throws Exception {
|
||||
RealmConfig config = configureRealm("ad-test", buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
|
||||
RealmConfig config = configureRealm("ad-test", LdapRealmSettings.AD_TYPE, buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true));
|
||||
try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
|
||||
|
||||
List<String> users = randomSubsetOf(Arrays.asList("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow",
|
||||
|
|
|
|||
|
|
@ -5,15 +5,12 @@
|
|||
*/
|
||||
package org.elasticsearch.xpack.security.authc.ldap;
|
||||
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* This tests the group to role mappings from LDAP sources provided by the super class - available from super.realmConfig.
|
||||
* The super class will provide appropriate group mappings via configGroupMappings()
|
||||
*/
|
||||
@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public class GroupMappingIT extends AbstractAdLdapRealmTestCase {
|
||||
|
||||
public void testAuthcAuthz() throws IOException {
|
||||
|
|
|
|||
|
|
@ -41,7 +41,6 @@ public class MultiGroupMappingIT extends AbstractAdLdapRealmTestCase {
|
|||
" privileges: [ all ]\n";
|
||||
}
|
||||
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testGroupMapping() throws IOException {
|
||||
String asgardian = "odin";
|
||||
String securityPhilanthropist = realmConfig.loginWithCommonName ? "Bruce Banner" : "hulk";
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authc.ldap;
|
|||
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.LdapRealmSettings;
|
||||
import org.junit.BeforeClass;
|
||||
|
||||
import java.io.IOException;
|
||||
|
|
@ -49,8 +50,13 @@ public class MultipleAdRealmIT extends AbstractAdLdapRealmTestCase {
|
|||
final Settings secondarySettings = super.buildRealmSettings(secondaryRealmConfig, secondaryRoleMappings,
|
||||
getNodeTrustedCertificates());
|
||||
secondarySettings.keySet().forEach(name -> {
|
||||
String newName = name.replace(XPACK_SECURITY_AUTHC_REALMS_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_EXTERNAL + "2");
|
||||
builder.copy(newName, name, secondarySettings);
|
||||
final String newname;
|
||||
if (name.contains(LdapRealmSettings.AD_TYPE)) {
|
||||
newname = name.replace(XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_AD_EXTERNAL + "2");
|
||||
} else {
|
||||
newname = name.replace(XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL, XPACK_SECURITY_AUTHC_REALMS_LDAP_EXTERNAL + "2");
|
||||
}
|
||||
builder.copy(newname, name, secondarySettings);
|
||||
});
|
||||
|
||||
return builder.build();
|
||||
|
|
@ -62,7 +68,6 @@ public class MultipleAdRealmIT extends AbstractAdLdapRealmTestCase {
|
|||
* Because one realm is using "common name" (cn) for login, and the other uses the "userid" (sAMAccountName) [see
|
||||
* {@link #setupSecondaryRealm()}], this is simply a matter of checking that we can authenticate with both identifiers.
|
||||
*/
|
||||
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public void testCanAuthenticateAgainstBothRealms() throws IOException {
|
||||
assertAccessAllowed("Natasha Romanoff", "avengers");
|
||||
assertAccessAllowed("blackwidow", "avengers");
|
||||
|
|
|
|||
|
|
@ -8,22 +8,22 @@ package org.elasticsearch.xpack.security.authc.ldap;
|
|||
import com.unboundid.ldap.sdk.Attribute;
|
||||
import com.unboundid.ldap.sdk.SearchRequest;
|
||||
import com.unboundid.ldap.sdk.SearchScope;
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.unit.TimeValue;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.ldap.UserAttributeGroupsResolverSettings;
|
||||
import org.elasticsearch.xpack.core.security.support.NoOpLogger;
|
||||
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
|
||||
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
|
||||
import static org.hamcrest.Matchers.containsInAnyOrder;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
import static org.hamcrest.Matchers.empty;
|
||||
import static org.hamcrest.Matchers.hasItems;
|
||||
import static org.hamcrest.Matchers.hasSize;
|
||||
|
||||
@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/35738")
|
||||
public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
|
||||
|
||||
public static final String BRUCE_BANNER_DN = "cn=Bruce Banner,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
|
||||
|
|
@ -57,18 +57,19 @@ public class UserAttributeGroupsResolverTests extends GroupsResolverTestCase {
|
|||
|
||||
public void testResolveCustomGroupAttribute() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("user_group_attribute", "seeAlso")
|
||||
.build();
|
||||
.put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "seeAlso")
|
||||
.build();
|
||||
UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
|
||||
List<String> groups =
|
||||
resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);
|
||||
assertThat(groups, hasItems(containsString("Avengers"))); //seeAlso only has Avengers
|
||||
assertThat(groups, hasSize(1));
|
||||
assertThat(groups.get(0), containsString("Avengers")); //seeAlso only has Avengers
|
||||
}
|
||||
|
||||
public void testResolveInvalidGroupAttribute() throws Exception {
|
||||
Settings settings = Settings.builder()
|
||||
.put("user_group_attribute", "doesntExist")
|
||||
.build();
|
||||
.put(getFullSettingKey("realm1", UserAttributeGroupsResolverSettings.ATTRIBUTE), "doesntExist")
|
||||
.build();
|
||||
UserAttributeGroupsResolver resolver = new UserAttributeGroupsResolver(config(REALM_ID, settings));
|
||||
List<String> groups =
|
||||
resolveBlocking(resolver, ldapConnection, BRUCE_BANNER_DN, TimeValue.timeValueSeconds(20), NoOpLogger.INSTANCE, null);
|
||||
|
|
|
|||
Loading…
Reference in New Issue