diff --git a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java
index 07d60fea99a..547f3efc735 100644
--- a/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java
+++ b/elasticsearch/x-pack/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java
@@ -125,6 +125,8 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
 .put(super.transportClientSettings())
 .put("client.transport.sniff", false)
 .put(Security.USER_SETTING.getKey(), "test:changeme")
+ .put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME4)
+ .put(NetworkModule.HTTP_TYPE_KEY, Security.NAME4)
 .build();
 }
 return Settings.builder().put(super.transportClientSettings())
@@ -541,7 +543,9 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
 .put(FileRolesStore.ROLES_FILE_SETTING.getKey(), writeFile(folder, "roles.yml", ROLES))
 .put(CryptoService.FILE_SETTING.getKey(), writeFile(folder, "system_key.yml", systemKey))
 .put("xpack.security.authc.sign_user_header", false)
- .put("xpack.security.audit.enabled", auditLogsEnabled);
+ .put("xpack.security.audit.enabled", auditLogsEnabled)
+ .put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME4)
+ .put(NetworkModule.HTTP_TYPE_KEY, Security.NAME4);
 } catch (IOException ex) {
 throw new RuntimeException("failed to build settings for security", ex);
 }
diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index d56e83c7f4f..a317a82803f 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -347,13 +347,16 @@ public class Security implements ActionPlugin, IngestPlugin {
 return additionalSettings(settings);
 }
- @SuppressWarnings("StatementWithEmptyBody")
 // visible for tests
 static Settings additionalSettings(Settings settings) {
 final Settings.Builder settingsBuilder = Settings.builder();
 if (NetworkModule.TRANSPORT_TYPE_SETTING.exists(settings)) {
- // for symmetry with http.type
+ final String transportType = NetworkModule.TRANSPORT_TYPE_SETTING.get(settings);
+ if (NAME3.equals(transportType) == false && NAME4.equals(transportType) == false) {
+ throw new IllegalArgumentException("transport type setting [" + NetworkModule.TRANSPORT_TYPE_KEY + "] must be one of ["
+ + NAME3 + "," + NAME4 + "]");
+ }
 } else {
 // default to security4
 settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, NAME4);
@@ -365,6 +368,9 @@ public class Security implements ActionPlugin, IngestPlugin {
 SecurityNetty3HttpServerTransport.overrideSettings(settingsBuilder, settings);
 } else if (httpType.equals(NAME4)) {
 SecurityNetty4HttpServerTransport.overrideSettings(settingsBuilder, settings);
+ } else {
+ throw new IllegalArgumentException("http type setting [" + NetworkModule.HTTP_TYPE_KEY + "] must be one of ["
+ + NAME3 + "," + NAME4 + "]");
 }
 } else {
 // default to security4
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
index 5d3b909d64b..f80ba892308 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java
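Review bot: The new `IllegalArgumentException` in the transport branch of `additionalSettings` names the setting key and the allowed values but not the value that was rejected, so whoever reads the startup failure still has to work out which configuration supplied it; the new `else` in the http branch (second hunk) has the same gap. Appending the offending value fixes both, e.g. `+ NAME3 + "," + NAME4 + "] but was [" + transportType + "]");` and the same with `httpType`. The removed `// for symmetry with http.type` comment is not replaced by anything, so a one-line comment on each check saying why only the security transports are accepted would help the next reader; the Watcher test base class in this commit gives the reason as "otherwise a local transport could be used". `additionalSettings` starts and ends outside these hunks, so whether the check is skipped when security is disabled cannot be confirmed from here.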
@@ -12,6 +12,7 @@ import java.util.Collections;
 import java.util.Map;
 import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.license.XPackLicenseState;
@@ -25,6 +26,7 @@ import org.elasticsearch.xpack.security.authc.Realm;
 import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.file.FileRealm;
+import static org.hamcrest.Matchers.containsString;
 import static org.mockito.Mockito.mock;
 public class SecurityTests extends ESTestCase {
@@ -126,4 +128,49 @@ public class SecurityTests extends ESTestCase {
 IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> createComponents(settings));
 assertEquals("Unknown audit trail output [foo]", e.getMessage());
 }
+
+ public void testTransportTypeSetting() throws Exception {
+ Settings defaultSettings = Security.additionalSettings(Settings.EMPTY);
+ assertEquals(Security.NAME4, NetworkModule.TRANSPORT_TYPE_SETTING.get(defaultSettings));
+ assertEquals(Security.NAME4, NetworkModule.HTTP_TYPE_SETTING.get(defaultSettings));
+
+ // set transport back to security3
+ Settings transport3 = Security.additionalSettings(Settings.builder().put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME3).build());
+ assertFalse(NetworkModule.TRANSPORT_TYPE_SETTING.exists(transport3));
+ assertEquals(Security.NAME4, NetworkModule.HTTP_TYPE_SETTING.get(transport3));
+
+ // set http back to security3
+ Settings http3 = Security.additionalSettings(Settings.builder().put(NetworkModule.HTTP_TYPE_KEY, Security.NAME3).build());
+ assertEquals(Security.NAME4, NetworkModule.TRANSPORT_TYPE_SETTING.get(http3));
+ assertFalse(NetworkModule.HTTP_TYPE_SETTING.exists(http3));
+
+ // set both to security3
+ Settings both3 = Security.additionalSettings(Settings.builder()
+ .put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME3)
+ .put(NetworkModule.HTTP_TYPE_KEY, Security.NAME3)
+ .build());
+ assertFalse(NetworkModule.TRANSPORT_TYPE_SETTING.exists(both3));
+ assertFalse(NetworkModule.HTTP_TYPE_SETTING.exists(both3));
+
+ // set both to 4
+ Settings both4 = Security.additionalSettings(Settings.builder()
+ .put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME4)
+ .put(NetworkModule.HTTP_TYPE_KEY, Security.NAME4)
+ .build());
+ assertFalse(NetworkModule.TRANSPORT_TYPE_SETTING.exists(both4));
+ assertFalse(NetworkModule.HTTP_TYPE_SETTING.exists(both4));
+
+ final String badType = randomFrom("netty3", "netty4", "other", "security1");
+ IllegalArgumentException badTransport = expectThrows(IllegalArgumentException.class,
+ () -> Security.additionalSettings(Settings.builder().put(NetworkModule.TRANSPORT_TYPE_KEY, badType).build()));
+ assertThat(badTransport.getMessage(), containsString(Security.NAME3));
+ assertThat(badTransport.getMessage(), containsString(Security.NAME4));
+ assertThat(badTransport.getMessage(), containsString(NetworkModule.TRANSPORT_TYPE_KEY));
+
+ IllegalArgumentException badHttp = expectThrows(IllegalArgumentException.class,
+ () -> Security.additionalSettings(Settings.builder().put(NetworkModule.HTTP_TYPE_KEY, badType).build()));
+ assertThat(badHttp.getMessage(), containsString(Security.NAME3));
+ assertThat(badHttp.getMessage(), containsString(Security.NAME4));
+ assertThat(badHttp.getMessage(), containsString(NetworkModule.HTTP_TYPE_KEY));
+ }
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/security/BasicSecurityTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/security/BasicSecurityTests.java
index 4976f31da9c..b390047e077 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/security/BasicSecurityTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/security/BasicSecurityTests.java
@@ -39,7 +39,7 @@ public class BasicSecurityTests extends AbstractWatcherIntegrationTestCase {
 @Override
 protected Settings transportClientSettings() {
 return Settings.builder()
- .put("client.transport.sniff", false)
+ .put(super.transportClientSettings())
 // Use just the transport user here, so we can test Watcher roles specifically
 .put(Security.USER_SETTING.getKey(), "transport_client:changeme")
 .build();
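Review bot: `badType` in `testTransportTypeSetting` is drawn with `randomFrom("netty3", "netty4", "other", "security1")`, so each run checks only one rejected value, and the two that matter most for this check, the plain `netty3` and `netty4` transports, are each covered in only some runs. Looping over all four keeps the rejection path deterministic at negligible cost, e.g. `for (String badType : new String[] {"netty3", "netty4", "other", "security1"}) {` around the two `expectThrows` blocks. The method also bundles the default, accepted and rejected cases; moving the rejected cases into their own test method would make a failure point at the branch that broke.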
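Review bot: After this change the identity the client runs as depends on put order in `transportClientSettings`: the `AbstractWatcherIntegrationTestCase` hunk in this commit shows the parent builder setting `Security.USER_SETTING` to `admin:changeme`, and only the later `.put(Security.USER_SETTING.getKey(), "transport_client:changeme")` overrides it. If the two lines were ever reordered the tests would run as the admin user and no longer exercise the Watcher roles, without any failure to signal it. Extending the existing comment would guard against that, e.g. `// Must stay after super.transportClientSettings(), which sets the admin user; use just the transport user here, so we can test Watcher roles specifically`. Whether the parent sets the admin user on every path is not visible in its hunk.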
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/AbstractWatcherIntegrationTestCase.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/AbstractWatcherIntegrationTestCase.java
index 06b7162aa98..08a085ab5f4 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/AbstractWatcherIntegrationTestCase.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/AbstractWatcherIntegrationTestCase.java
@@ -273,6 +273,8 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
 return Settings.builder()
 .put("client.transport.sniff", false)
 .put(Security.USER_SETTING.getKey(), "admin:changeme")
+ .put(NetworkModule.TRANSPORT_TYPE_KEY, useSecurity3 ? Security.NAME3 : Security.NAME4)
+ .put(NetworkModule.HTTP_TYPE_KEY, useSecurity3 ? Security.NAME3 : Security.NAME4)
 .build();
 }
@@ -707,6 +709,11 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
 if (useSecurity3) {
 builder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME3);
 builder.put(NetworkModule.HTTP_TYPE_KEY, Security.NAME3);
+ } else {
+ // security should always use one of its transports so if it is enabled explicitly declare one otherwise a local
+ // transport could be used
+ builder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME4);
+ builder.put(NetworkModule.HTTP_TYPE_KEY, Security.NAME4);
 }
 return builder.build();
 } catch (IOException ex) {
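Review bot: The choice `useSecurity3 ? Security.NAME3 : Security.NAME4` is spelled out twice in the first hunk and a third time as an if/else in the second hunk, so the client and the builder in the second hunk agree on a transport only while all three copies stay in sync. Computing it once, e.g. `final String securityType = useSecurity3 ? Security.NAME3 : Security.NAME4;`, and using it for both keys in both places removes that risk and lets the new `else` collapse into two unconditional `builder.put(...)` calls. The reason given in the new comment ("otherwise a local transport could be used") applies to both branches, so it would read better above the selection than inside the `else`. Both enclosing methods start outside the hunks.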