From 9028c0a642445eface45630364cff12e287d6cba Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Thu, 12 Oct 2017 10:07:08 -0600
Subject: [PATCH] Allow PkiRealm to use truststore.password setting (elastic/x-pack-elasticsearch#2727)
This change fixes an incorrect check for a missing password setting for the PKI realm. The check only allowed the secure setting to be used for the PkiRealm password even though the legacy setting is still valid. This change fixes the check.
Relates elastic/x-pack-elasticsearch#2487
Original commit: elastic/x-pack-elasticsearch@a4524c2c05d5d9a77268522d657920d271ed828d
---
 .../xpack/security/authc/pki/PkiRealm.java | 7 ++++---
 .../xpack/security/authc/pki/PkiRealmTests.java | 14 +++++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 6d325900878..4bfa884b3a2 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -174,9 +174,10 @@ public class PkiRealm extends Realm {
 private static X509TrustManager trustManagersFromTruststore(String truststorePath, RealmConfig realmConfig) {
 final Settings settings = realmConfig.settings();
- if (SSL_SETTINGS.truststorePassword.exists(settings) == false) {
- throw new IllegalArgumentException(
- "[" + RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] is not configured"
+ if (SSL_SETTINGS.truststorePassword.exists(settings) == false && SSL_SETTINGS.legacyTruststorePassword.exists(settings) == false) {
+ throw new IllegalArgumentException("Neither [" +
+ RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] or [" +
+ RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.legacyTruststorePassword) + "] is configured"
 );
 }
 try (SecureString password = SSL_SETTINGS.truststorePassword.get(settings)) {
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index 12869ff3104..cb4c9dd3e1f 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
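Review bot: The widened guard now accepts `legacyTruststorePassword`, but the `try` line that closes the hunk still reads only `SSL_SETTINGS.truststorePassword.get(settings)`, so the fix silently depends on that secure setting falling back to the legacy key. That fallback is declared outside this hunk and is only implied here by the new test passing, so I would confirm it and then document it above the `try`, e.g. `// truststorePassword.get() falls back to legacyTruststorePassword when the secure setting is absent`. Since the test in this commit expects a deprecation warning for the legacy key, the error message could also point operators to the secure setting first rather than presenting both as equal options. As a wording nit, `"] or ["` after "Neither" should be `"] nor ["`, with the assertion in PkiRealmTests updated to match. trustManagersFromTruststore continues past the end of the hunk.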
@@ -214,10 +214,22 @@ public class PkiRealmTests extends ESTestCase {
 new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
 fail("exception should have been thrown");
 } catch (IllegalArgumentException e) {
- assertThat(e.getMessage(), containsString("[xpack.security.authc.realms.mypki.truststore.secure_password] is not configured"));
+ assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.mypki.truststore.secure_password] or [" +
+ "xpack.security.authc.realms.mypki.truststore.password] is configured"));
 }
 }
+ public void testTruststorePathWithLegacyPasswordDoesNotThrow() throws Exception {
+ Settings settings = Settings.builder()
+ .put("truststore.path",
+ getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks"))
+ .put("truststore.password", "testnode-client-profile")
+ .build();
+ new PkiRealm(new RealmConfig("mypki", settings, globalSettings, new Environment(globalSettings),
+ new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
+ assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
+ }
+
 public void testCertificateWithOnlyCnExtractsProperly() throws Exception {
 X509Certificate certificate = mock(X509Certificate.class);
 X500Principal principal = new X500Principal("CN=PKI Client");
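Review bot: `testTruststorePathWithLegacyPasswordDoesNotThrow` only shows that construction succeeds and a deprecation warning is emitted, so it leaves implicit that the legacy value is what actually opens the truststore. A companion case that sets `truststore.password` to a wrong value and expects construction to fail would pin that down, and would catch a regression where the guard passes but the password is read from somewhere else. The exception type for that case is not visible in this hunk and would need to be checked against the truststore loading code. The new test would also be easier to follow with a one-line comment such as `// legacy (non-secure) password setting must still be accepted, with a deprecation warning`. The first context lines belong to a test that starts above the hunk, and `testCertificateWithOnlyCnExtractsProperly` continues below it.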