License state is currently made up of boolean methods that check whether a particular feature is allowed by the current license state. Each new feature must copy/paste boilerplate code. While that has gotten easier with utilities like isAllowedByLicense, this is still more cumbersome than should be necessary. This commit adds a general-purpose isAllowed method which takes a new Feature enum, where each value of the enum defines the minimum license mode and whether the license must be active for the feature to be allowed. Only security features are converted in this PR, in order to keep the commit size relatively small. The rest of the features will be converted in a follow-up.
parent
715c90bf7d
commit
97c4b64fb1
|
@ -30,6 +30,32 @@ import java.util.function.Predicate;
|
|||
*/
|
||||
public class XPackLicenseState {
|
||||
|
||||
/**
|
||||
* A licensed feature.
|
||||
*
|
||||
* Each value defines the licensed state necessary for the feature to be allowed.
|
||||
*/
|
||||
public enum Feature {
|
||||
SECURITY_IP_FILTERING(OperationMode.GOLD, false),
|
||||
SECURITY_AUDITING(OperationMode.GOLD, false),
|
||||
SECURITY_DLS_FLS(OperationMode.PLATINUM, false),
|
||||
SECURITY_ALL_REALMS(OperationMode.PLATINUM, false),
|
||||
SECURITY_STANDARD_REALMS(OperationMode.GOLD, false),
|
||||
SECURITY_CUSTOM_ROLE_PROVIDERS(OperationMode.PLATINUM, true),
|
||||
SECURITY_TOKEN_SERVICE(OperationMode.GOLD, false),
|
||||
SECURITY_API_KEY_SERVICE(OperationMode.MISSING, false),
|
||||
SECURITY_AUTHORIZATION_REALM(OperationMode.PLATINUM, true),
|
||||
SECURITY_AUTHORIZATION_ENGINE(OperationMode.PLATINUM, true);
|
||||
|
||||
final OperationMode minimumOperationMode;
|
||||
final boolean needsActive;
|
||||
|
||||
Feature(OperationMode minimumOperationMode, boolean needsActive) {
|
||||
this.minimumOperationMode = minimumOperationMode;
|
||||
this.needsActive = needsActive;
|
||||
}
|
||||
}
|
||||
|
||||
/** Messages for each feature which are printed when the license expires. */
|
||||
static final Map<String, String[]> EXPIRATION_MESSAGES;
|
||||
static {
|
||||
|
@ -401,77 +427,14 @@ public class XPackLicenseState {
|
|||
return checkAgainstStatus(status -> status.active);
|
||||
}
|
||||
|
||||
public boolean isIpFilteringAllowed() {
|
||||
return isAllowedByLicense(OperationMode.GOLD, false);
|
||||
}
|
||||
|
||||
public boolean isAuditingAllowed() {
|
||||
return isAllowedByLicense(OperationMode.GOLD, false);
|
||||
public boolean isAllowed(Feature feature) {
|
||||
return isAllowedByLicense(feature.minimumOperationMode, feature.needsActive);
|
||||
}
|
||||
|
||||
public boolean isStatsAndHealthAllowed() {
|
||||
return allowForAllLicenses();
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if Document Level Security (DLS) and Field Level Security (FLS) should be enabled.
|
||||
* <p>
|
||||
* DLS and FLS are only disabled when the mode is not:
|
||||
* <ul>
|
||||
* <li>{@link OperationMode#PLATINUM} or higher</li>
|
||||
* <li>{@link OperationMode#TRIAL}</li>
|
||||
* </ul>
|
||||
* Note: This does not consider the <em>state</em> of the license so that Security does not suddenly leak information!
|
||||
* i.e. the same DLS guarantee keeps working for existing configuration even after license expires.
|
||||
*
|
||||
* @return {@code true} to enable DLS and FLS. Otherwise {@code false}.
|
||||
*/
|
||||
public boolean isDocumentAndFieldLevelSecurityAllowed() {
|
||||
return isAllowedByLicense(OperationMode.PLATINUM, false);
|
||||
}
|
||||
|
||||
public boolean areAllRealmsAllowed() {
|
||||
return isAllowedByLicense(OperationMode.PLATINUM, false);
|
||||
}
|
||||
|
||||
public boolean areStandardRealmsAllowed() {
|
||||
return isAllowedByLicense(OperationMode.GOLD, false);
|
||||
}
|
||||
|
||||
public boolean isCustomRoleProvidersAllowed() {
|
||||
return isAllowedByLicense(OperationMode.PLATINUM, true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether the Elasticsearch {@code TokenService} is allowed
|
||||
*/
|
||||
public boolean isTokenServiceAllowed() {
|
||||
return isAllowedByLicense(OperationMode.GOLD, false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether the Elasticsearch {@code ApiKeyService} is allowed
|
||||
*/
|
||||
public boolean isApiKeyServiceAllowed() {
|
||||
return isAllowedByLicense(OperationMode.MISSING, false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether "authorization_realms" is allowed
|
||||
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
|
||||
*/
|
||||
public boolean isAuthorizationRealmAllowed() {
|
||||
return isAllowedByLicense(OperationMode.PLATINUM, true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether a custom authorization engine is allowed
|
||||
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
|
||||
*/
|
||||
public boolean isAuthorizationEngineAllowed() {
|
||||
return isAllowedByLicense(OperationMode.PLATINUM, true);
|
||||
}
|
||||
|
||||
public boolean isWatcherAllowed() {
|
||||
return isAllowedByLicense(OperationMode.STANDARD);
|
||||
}
|
||||
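Review bot: The `Feature` constants carry no per-value documentation, and the rationale from the Javadoc of the removed `isDocumentAndFieldLevelSecurityAllowed()` appears to be lost for `SECURITY_DLS_FLS(OperationMode.PLATINUM, false)`: that text explained that the license state is deliberately ignored so existing DLS/FLS restrictions keep applying after expiry instead of exposing data. I would keep it as a comment on the constant, e.g. `// needsActive=false: DLS/FLS must keep filtering after the license expires`, and give `minimumOperationMode`, `needsActive` and the new `isAllowed(Feature)` a short Javadoc saying what each means. The same applies to the `needsActive = true` values (`SECURITY_CUSTOM_ROLE_PROVIDERS`, `SECURITY_AUTHORIZATION_REALM`, `SECURITY_AUTHORIZATION_ENGINE`), where the flag decides whether the feature stops on expiry and a reader of the enum cannot tell whether that was intended.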
|
|
|
@ -18,6 +18,7 @@ import org.elasticsearch.index.query.QueryShardContext;
|
|||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.index.shard.ShardUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.script.ScriptService;
|
||||
import org.elasticsearch.xpack.core.security.SecurityContext;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
|
||||
|
@ -61,7 +62,8 @@ public class SecurityIndexReaderWrapper implements CheckedFunction<DirectoryRead
|
|||
|
||||
@Override
|
||||
public DirectoryReader apply(final DirectoryReader reader) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false ||
|
||||
licenseState.isAllowed(Feature.SECURITY_DLS_FLS) == false) {
|
||||
return reader;
|
||||
}
|
||||
|
||||
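Review bot: The early return in `apply` hands back the unwrapped `reader`, so no document- or field-level filtering is applied, and that decision now rests on a hand-written pairing of `isSecurityEnabled()` with `isAllowed(Feature.SECURITY_DLS_FLS)`. The same pairing is repeated at the other converted call sites in this commit (the field filter in Security, AuditTrailService.get, ApiKeyService, TokenService, DelegatedAuthorizationSupport.resolve, AuthorizationService and BulkShardRequestInterceptor), so a later call site that forgets one half would not be caught by the compiler. A comment on the return such as `// security off or DLS/FLS unlicensed: reader is returned unfiltered` would make the consequence explicit, and a follow-up could fold both checks into one helper on the license state. The body of `apply` continues outside the hunk.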
|
|
|
@ -8,6 +8,7 @@ package org.elasticsearch.license;
|
|||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.test.VersionUtils;
|
||||
import org.elasticsearch.xpack.core.XPackField;
|
||||
|
@ -78,12 +79,12 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
XPackLicenseState licenseState =
|
||||
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.areAllRealmsAllowed(), is(true));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
|
||||
|
||||
licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
assertSecurityNotAllowed(licenseState);
|
||||
|
@ -101,13 +102,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(BASIC, true, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(false));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
|
||||
assertThat(licenseState.isSecurityAvailable(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
|
@ -119,13 +120,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(BASIC, true, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(false));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
|
||||
assertThat(licenseState.isSecurityAvailable(), is(true));
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
|
@ -136,13 +137,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(BASIC, false, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(false));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(false));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityEnabledBasicExpired() {
|
||||
|
@ -151,13 +152,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(BASIC, false, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(false));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityStandard() {
|
||||
|
@ -166,11 +167,11 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(STANDARD, true, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityStandardExpired() {
|
||||
|
@ -179,11 +180,11 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(STANDARD, false, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(false));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityGold() {
|
||||
|
@ -192,14 +193,14 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(GOLD, true, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.areStandardRealmsAllowed(), is(true));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityGoldExpired() {
|
||||
|
@ -208,14 +209,14 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(GOLD, false, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.areStandardRealmsAllowed(), is(true));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityPlatinum() {
|
||||
|
@ -224,14 +225,14 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(PLATINUM, true, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.areAllRealmsAllowed(), is(true));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityPlatinumExpired() {
|
||||
|
@ -240,14 +241,14 @@ public class XPackLicenseStateTests extends ESTestCase {
|
|||
licenseState.update(PLATINUM, false, null);
|
||||
|
||||
assertThat(licenseState.isSecurityEnabled(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.areAllRealmsAllowed(), is(true));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
assertThat(licenseState.isTokenServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
|
||||
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
|
||||
}
|
||||
|
||||
public void testNewTrialDefaultsSecurityOff() {
|
||||
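Review bot: None of the visible hunks asserts `Feature.SECURITY_AUTHORIZATION_REALM` or `Feature.SECURITY_AUTHORIZATION_ENGINE`, which together with `SECURITY_CUSTOM_ROLE_PROVIDERS` are the only values declared with `needsActive = true`; they may be covered in parts of the file outside these hunks. If they are not, the PLATINUM-expired hunk is the natural place to pin the expiry behaviour, e.g. `assertThat(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE), is(false));` next to the existing custom-role-provider assertion. Since every converted feature is now reachable through one method, a loop over `Feature.values()` per license mode would also keep newly added features from going untested.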
|
|
|
@ -36,6 +36,7 @@ import org.elasticsearch.index.query.QueryShardContext;
|
|||
import org.elasticsearch.index.query.TermsQueryBuilder;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.mock.orig.Mockito;
|
||||
import org.elasticsearch.script.ScriptService;
|
||||
import org.elasticsearch.search.internal.ContextIndexSearcher;
|
||||
|
@ -98,7 +99,7 @@ public class SecurityIndexReaderWrapperIntegrationTests extends AbstractBuilderT
|
|||
DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
|
||||
Directory directory = newDirectory();
|
||||
IndexWriter iw = new IndexWriter(
|
||||
|
@ -234,7 +235,7 @@ public class SecurityIndexReaderWrapperIntegrationTests extends AbstractBuilderT
|
|||
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> queryShardContext,
|
||||
bitsetCache, securityContext, licenseState, scriptService) {
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.index.mapper.SourceFieldMapper;
|
|||
import org.elasticsearch.index.shard.IndexShard;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.script.ScriptService;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.SecurityContext;
|
||||
|
@ -65,7 +66,7 @@ public class SecurityIndexReaderWrapperUnitTests extends ESTestCase {
|
|||
ShardId shardId = new ShardId(index, 0);
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
|
||||
IndexShard indexShard = mock(IndexShard.class);
|
||||
when(indexShard.shardId()).thenReturn(shardId);
|
||||
|
@ -114,7 +115,7 @@ public class SecurityIndexReaderWrapperUnitTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testWrapReaderWhenFeatureDisabled() throws Exception {
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
|
||||
securityIndexReaderWrapper =
|
||||
new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService);
|
||||
DirectoryReader reader = securityIndexReaderWrapper.apply(esIn);
|
||||
|
|
|
@ -50,6 +50,7 @@ import org.elasticsearch.ingest.Processor;
|
|||
import org.elasticsearch.license.License;
|
||||
import org.elasticsearch.license.LicenseService;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.plugins.ClusterPlugin;
|
||||
import org.elasticsearch.plugins.DiscoveryPlugin;
|
||||
import org.elasticsearch.plugins.ExtensiblePlugin;
|
||||
|
@ -1030,7 +1031,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
|
|||
if (enabled) {
|
||||
return index -> {
|
||||
XPackLicenseState licenseState = getLicenseState();
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isAllowed(Feature.SECURITY_DLS_FLS) == false) {
|
||||
return MapperPlugin.NOOP_FIELD_PREDICATE;
|
||||
}
|
||||
IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(
|
||||
|
|
|
@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.audit;
|
|||
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
|
@ -32,7 +33,7 @@ public class AuditTrailService {
|
|||
|
||||
public AuditTrail get() {
|
||||
if (compositeAuditTrail.isEmpty() == false &&
|
||||
licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_AUDITING)) {
|
||||
return compositeAuditTrail;
|
||||
} else {
|
||||
return NOOP_AUDIT_TRAIL;
|
||||
|
|
|
@ -581,11 +581,13 @@ public class ApiKeyService {
|
|||
}
|
||||
|
||||
private boolean isEnabled() {
|
||||
return enabled && licenseState.isSecurityEnabled() && licenseState.isApiKeyServiceAllowed();
|
||||
return enabled && licenseState.isSecurityEnabled() &&
|
||||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE);
|
||||
}
|
||||
|
||||
public void ensureEnabled() {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isApiKeyServiceAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false ||
|
||||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE) == false) {
|
||||
throw LicenseUtils.newComplianceException("api keys");
|
||||
}
|
||||
if (enabled == false) {
|
||||
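Review bot: `isEnabled()` and `ensureEnabled()` spell the constant as `XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE`, while the other files in this commit add `import org.elasticsearch.license.XPackLicenseState.Feature;` and write `Feature.…`; TokenService does the same with `SECURITY_TOKEN_SERVICE`. Importing `Feature` here would let each condition fit on one line again, e.g. `return enabled && licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE);`. `ensureEnabled()` continues outside the hunk.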
|
|
|
@ -16,6 +16,7 @@ import org.elasticsearch.common.util.concurrent.CountDown;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.xpack.core.security.authc.Realm;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
|
||||
|
@ -118,7 +119,7 @@ public class Realms implements Iterable<Realm> {
|
|||
}
|
||||
|
||||
// If all realms are allowed, then nothing is unlicensed
|
||||
if (licenseStateSnapshot.areAllRealmsAllowed()) {
|
||||
if (licenseStateSnapshot.isAllowed(Feature.SECURITY_ALL_REALMS)) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
|
@ -142,9 +143,9 @@ public class Realms implements Iterable<Realm> {
|
|||
if (licenseStateSnapshot.isSecurityEnabled() == false) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
if (licenseStateSnapshot.areAllRealmsAllowed()) {
|
||||
if (licenseStateSnapshot.isAllowed(Feature.SECURITY_ALL_REALMS)) {
|
||||
return realms;
|
||||
} else if (licenseStateSnapshot.areStandardRealmsAllowed()) {
|
||||
} else if (licenseStateSnapshot.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
|
||||
return standardRealmsOnly;
|
||||
} else {
|
||||
// native realms are basic licensed, and always allowed, even for an expired license
|
||||
|
@ -336,9 +337,9 @@ public class Realms implements Iterable<Realm> {
|
|||
}
|
||||
|
||||
public static boolean isRealmTypeAvailable(XPackLicenseState licenseState, String type) {
|
||||
if (licenseState.areAllRealmsAllowed()) {
|
||||
if (licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)) {
|
||||
return true;
|
||||
} else if (licenseState.areStandardRealmsAllowed()) {
|
||||
} else if (licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
|
||||
return InternalRealms.isStandardRealm(type) || ReservedRealm.TYPE.equals(type);
|
||||
} else {
|
||||
return FileRealmSettings.TYPE.equals(type) || NativeRealmSettings.TYPE.equals(type);
|
||||
|
|
|
@ -1519,11 +1519,13 @@ public final class TokenService {
|
|||
}
|
||||
|
||||
private boolean isEnabled() {
|
||||
return enabled && licenseState.isSecurityEnabled() && licenseState.isTokenServiceAllowed();
|
||||
return enabled && licenseState.isSecurityEnabled() &&
|
||||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE);
|
||||
}
|
||||
|
||||
private void ensureEnabled() {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isTokenServiceAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false ||
|
||||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) {
|
||||
throw LicenseUtils.newComplianceException("security tokens");
|
||||
}
|
||||
if (enabled == false) {
|
||||
|
|
|
@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||
import org.elasticsearch.xpack.core.security.authc.Realm;
|
||||
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
|
||||
|
@ -80,7 +81,7 @@ public class DelegatedAuthorizationSupport {
|
|||
* with a meaningful diagnostic message.
|
||||
*/
|
||||
public void resolve(String username, ActionListener<AuthenticationResult> resultListener) {
|
||||
boolean authzOk = licenseState.isSecurityEnabled() && licenseState.isAuthorizationRealmAllowed();
|
||||
boolean authzOk = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM);
|
||||
if (authzOk == false) {
|
||||
resultListener.onResponse(AuthenticationResult.unsuccessful(
|
||||
DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX + " are not permitted",
|
||||
|
|
|
@ -34,6 +34,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.index.IndexNotFoundException;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.transport.TransportActionProxy;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
|
@ -365,7 +366,8 @@ public class AuthorizationService {
|
|||
}
|
||||
|
||||
private AuthorizationEngine getAuthorizationEngineForUser(final User user) {
|
||||
if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() && licenseState.isAuthorizationEngineAllowed()) {
|
||||
if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() &&
|
||||
licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)) {
|
||||
if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternalUser(user)) {
|
||||
return rbacEngine;
|
||||
} else {
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.action.bulk.BulkShardRequest;
|
|||
import org.elasticsearch.action.update.UpdateRequest;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
|
||||
|
@ -40,7 +41,7 @@ public class BulkShardRequestInterceptor implements RequestInterceptor {
|
|||
@Override
|
||||
public void intercept(RequestInfo requestInfo, AuthorizationEngine authzEngine, AuthorizationInfo authorizationInfo,
|
||||
ActionListener<Void> listener) {
|
||||
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
|
||||
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
|
||||
if (requestInfo.getRequest() instanceof BulkShardRequest && shouldIntercept) {
|
||||
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.elasticsearch.action.ActionListener;
|
|||
import org.elasticsearch.action.IndicesRequest;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo;
|
||||
|
@ -38,7 +39,7 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor implements Reques
|
|||
ActionListener<Void> listener) {
|
||||
if (requestInfo.getRequest() instanceof IndicesRequest) {
|
||||
IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequest();
|
||||
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
|
||||
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
|
||||
if (supports(indicesRequest) && shouldIntercept) {
|
||||
final IndicesAccessControl indicesAccessControl =
|
||||
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
|||
import org.elasticsearch.common.collect.Tuple;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
|
||||
|
@ -51,7 +52,7 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
|
|||
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
|
||||
final AuditTrail auditTrail = auditTrailService.get();
|
||||
if (frozenLicenseState.isSecurityEnabled()) {
|
||||
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
if (frozenLicenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
|
||||
IndicesAccessControl indicesAccessControl =
|
||||
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
|
||||
|
|
|
@ -10,6 +10,7 @@ import org.elasticsearch.action.ActionListener;
|
|||
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
|
||||
|
@ -47,7 +48,7 @@ public final class ResizeRequestInterceptor implements RequestInterceptor {
|
|||
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
|
||||
final AuditTrail auditTrail = auditTrailService.get();
|
||||
if (frozenLicenseState.isSecurityEnabled()) {
|
||||
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
if (frozenLicenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
|
||||
IndicesAccessControl indicesAccessControl =
|
||||
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
IndicesAccessControl.IndexAccessControl indexAccessControl =
|
||||
|
|
|
@ -25,6 +25,7 @@ import org.elasticsearch.common.util.concurrent.ReleasableLock;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.xpack.core.common.IteratingActionListener;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
|
||||
|
@ -165,7 +166,7 @@ public class CompositeRolesStore {
|
|||
rolesRetrievalResult.getMissingRoles()));
|
||||
}
|
||||
final Set<RoleDescriptor> effectiveDescriptors;
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
|
||||
effectiveDescriptors = rolesRetrievalResult.getRoleDescriptors();
|
||||
} else {
|
||||
effectiveDescriptors = rolesRetrievalResult.getRoleDescriptors().stream()
|
||||
|
@ -320,7 +321,7 @@ public class CompositeRolesStore {
|
|||
private void loadRoleDescriptorsAsync(Set<String> roleNames, ActionListener<RolesRetrievalResult> listener) {
|
||||
final RolesRetrievalResult rolesResult = new RolesRetrievalResult();
|
||||
final List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> asyncRoleProviders =
|
||||
licenseState.isCustomRoleProvidersAllowed() ? allRoleProviders : builtInRoleProviders;
|
||||
licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS) ? allRoleProviders : builtInRoleProviders;
|
||||
|
||||
final ActionListener<RoleRetrievalResult> descriptorsListener =
|
||||
ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(ignore -> {
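Review bot: The provider selection in loadRoleDescriptorsAsync has no comment saying when custom role providers are dropped, although this is where role resolution quietly changes its source. The enum added by this commit declares `SECURITY_CUSTOM_ROLE_PROVIDERS(OperationMode.PLATINUM, true)`, so a comment such as `// custom role providers need an active license of at least PLATINUM; otherwise only the built-in providers are consulted` would record the rule at the call site. Unlike the interceptors in this commit, this call and the `isAllowed(Feature.SECURITY_DLS_FLS)` check in the first hunk are not paired with `isSecurityEnabled()`. Whether the removed `isCustomRoleProvidersAllowed()` folded that check in is not visible here, so it is worth confirming that `isAllowed` gives the same answer when security is disabled. Both methods continue outside their hunks.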
|
||||
|
|
|
@ -21,6 +21,7 @@ import org.elasticsearch.common.xcontent.XContentParser;
|
|||
import org.elasticsearch.common.xcontent.yaml.YamlXContent;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.watcher.FileChangesListener;
|
||||
import org.elasticsearch.watcher.FileWatcher;
|
||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||
|
@ -175,7 +176,7 @@ public class FileRolesStore implements BiConsumer<Set<String>, ActionListener<Ro
|
|||
if (Files.exists(path)) {
|
||||
try {
|
||||
List<String> roleSegments = roleSegments(path);
|
||||
final boolean flsDlsLicensed = licenseState.isDocumentAndFieldLevelSecurityAllowed();
|
||||
final boolean flsDlsLicensed = licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
|
||||
for (String segment : roleSegments) {
|
||||
RoleDescriptor descriptor = parseRoleDescriptor(segment, path, logger, resolvePermission, settings, xContentRegistry);
|
||||
if (descriptor != null) {
|
||||
|
|
|
@ -38,6 +38,7 @@ import org.elasticsearch.index.query.QueryBuilder;
|
|||
import org.elasticsearch.index.query.QueryBuilders;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.xpack.core.security.ScrollHelper;
|
||||
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheRequest;
|
||||
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheResponse;
|
||||
|
@ -200,7 +201,7 @@ public class NativeRolesStore implements BiConsumer<Set<String>, ActionListener<
|
|||
}
|
||||
|
||||
public void putRole(final PutRoleRequest request, final RoleDescriptor role, final ActionListener<Boolean> listener) {
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
|
||||
innerPutRole(request, role, listener);
|
||||
} else if (role.isUsingDocumentOrFieldLevelSecurity()) {
|
||||
listener.onFailure(LicenseUtils.newComplianceException("field and document level security"));
|
||||
|
@ -381,7 +382,7 @@ public class NativeRolesStore implements BiConsumer<Set<String>, ActionListener<
|
|||
// we pass true as last parameter because we do not want to reject permissions if the field permissions
|
||||
// are given in 2.x syntax
|
||||
RoleDescriptor roleDescriptor = RoleDescriptor.parse(name, sourceBytes, true, XContentType.JSON);
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
|
||||
return roleDescriptor;
|
||||
} else {
|
||||
final boolean dlsEnabled =
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
|
|||
import org.elasticsearch.common.xcontent.XContentParser;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.BytesRestResponse;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.rest.RestResponse;
|
||||
|
@ -54,7 +55,7 @@ public final class RestDelegatePkiAuthenticationAction extends SecurityBaseRestH
|
|||
Exception failedFeature = super.checkFeatureAvailable(request);
|
||||
if (failedFeature != null) {
|
||||
return failedFeature;
|
||||
} else if (licenseState.areStandardRealmsAllowed()) {
|
||||
} else if (licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
|
||||
return null;
|
||||
} else {
|
||||
logger.info("The '{}' realm is not available under the current license", PkiRealmSettings.TYPE);
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.apache.logging.log4j.Logger;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
|
||||
|
||||
|
@ -29,7 +30,7 @@ abstract class ApiKeyBaseRestHandler extends SecurityBaseRestHandler {
|
|||
Exception failedFeature = super.checkFeatureAvailable(request);
|
||||
if (failedFeature != null) {
|
||||
return failedFeature;
|
||||
} else if (licenseState.isApiKeyServiceAllowed()) {
|
||||
} else if (licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)) {
|
||||
return null;
|
||||
} else {
|
||||
logger.info("API Keys are not available under the current [{}] license", licenseState.getOperationMode().description());
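Review bot: The `else` branch that logs "API Keys are not available under the current [{}] license" looks unreachable on license grounds after this change. The enum added by this commit declares `SECURITY_API_KEY_SERVICE(OperationMode.MISSING, false)`, a minimum mode of MISSING with no active license required. If `isAllowed` only compares the mode and the active flag, as the enum's Javadoc suggests, the check passes under every license. I would either add a comment above it, `// API keys are allowed under every license mode; branch kept for symmetry with TokenBaseRestHandler`, or drop the branch so readers do not assume a license gate protects this endpoint. checkFeatureAvailable starts outside the hunk.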
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.apache.logging.log4j.Logger;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
|
||||
|
||||
|
@ -30,7 +31,7 @@ abstract class TokenBaseRestHandler extends SecurityBaseRestHandler {
|
|||
Exception failedFeature = super.checkFeatureAvailable(request);
|
||||
if (failedFeature != null) {
|
||||
return failedFeature;
|
||||
} else if (licenseState.isTokenServiceAllowed()) {
|
||||
} else if (licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)) {
|
||||
return null;
|
||||
} else {
|
||||
logger.info("Security tokens are not available under the current [{}] license", licenseState.getOperationMode().description());
|
||||
|
|
|
@ -18,6 +18,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.common.transport.BoundTransportAddress;
|
||||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.transport.TransportSettings;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrail;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
|
@ -199,7 +200,8 @@ public class IPFilter {
|
|||
}
|
||||
|
||||
public boolean accept(String profile, InetSocketAddress peerAddress) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false ||
|
||||
licenseState.isAllowed(Feature.SECURITY_IP_FILTERING) == false) {
|
||||
return true;
|
||||
}
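Review bot: The early `return true` in accept means that when security is disabled or the license does not allow `Feature.SECURITY_IP_FILTERING`, every peer address is accepted and the configured filter rules are skipped, and nothing at this call site says so. The enum added by this commit declares the feature as `(OperationMode.GOLD, false)`, so a license below GOLD would apparently switch filtering off with no signal here. I would add a comment above the condition, `// fail open: without security or an IP-filtering license the configured rules are not enforced and every connection is accepted`, and consider logging once when the rules become inactive so operators can detect it. The rest of accept lies outside the hunk.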
|
||||
|
||||
|
|
|
@ -33,6 +33,7 @@ import org.elasticsearch.env.Environment;
|
|||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.tasks.Task;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
|
@ -178,7 +179,7 @@ public class TransportOpenIdConnectLogoutActionTests extends OpenIdConnectTestCa
|
|||
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
|
||||
tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, new SecurityContext(settings, threadContext),
|
||||
securityIndex, securityIndex, clusterService);
|
||||
|
|
|
@ -48,6 +48,7 @@ import org.elasticsearch.index.query.QueryBuilder;
|
|||
import org.elasticsearch.index.query.TermQueryBuilder;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.search.SearchHit;
|
||||
import org.elasticsearch.search.SearchHits;
|
||||
import org.elasticsearch.tasks.Task;
|
||||
|
@ -205,7 +206,7 @@ public class TransportSamlInvalidateSessionActionTests extends SamlTestCase {
|
|||
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
|
||||
final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool);
|
||||
final SecurityContext securityContext = new SecurityContext(settings, threadContext);
|
||||
|
|
|
@ -40,6 +40,7 @@ import org.elasticsearch.env.Environment;
|
|||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.tasks.Task;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
|
@ -208,7 +209,7 @@ public class TransportSamlLogoutActionTests extends SamlTestCase {
|
|||
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool);
|
||||
final SecurityContext securityContext = new SecurityContext(settings, threadContext);
|
||||
tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, securityContext, securityIndex, securityIndex,
|
||||
|
|
|
@ -31,6 +31,7 @@ import org.elasticsearch.common.settings.SecureString;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
|
@ -169,7 +170,7 @@ public class TransportCreateTokenActionTests extends ESTestCase {
|
|||
|
||||
this.license = mock(XPackLicenseState.class);
|
||||
when(license.isSecurityEnabled()).thenReturn(true);
|
||||
when(license.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(license.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
}
|
||||
|
||||
@After
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.index.Index;
|
||||
import org.elasticsearch.indices.IndexClosedException;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
|
@ -74,7 +75,7 @@ public class TransportInvalidateTokenActionTests extends ESTestCase {
|
|||
this.clusterService = ClusterServiceUtils.createClusterService(threadPool);
|
||||
this.license = mock(XPackLicenseState.class);
|
||||
when(license.isSecurityEnabled()).thenReturn(true);
|
||||
when(license.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(license.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
}
|
||||
|
||||
public void testInvalidateTokensWhenIndexUnavailable() throws Exception {
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
package org.elasticsearch.xpack.security.audit;
|
||||
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
|
@ -51,7 +52,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
service = new AuditTrailService(auditTrails, licenseState);
|
||||
isAuditingAllowed = randomBoolean();
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(isAuditingAllowed);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed);
|
||||
token = mock(AuthenticationToken.class);
|
||||
request = mock(TransportRequest.class);
|
||||
restRequest = mock(RestRequest.class);
|
||||
|
@ -60,7 +61,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailed() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, token, "_action", request);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, token, "_action", request);
|
||||
|
@ -73,7 +74,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailedNoToken() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, "_action", request);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, "_action", request);
|
||||
|
@ -86,7 +87,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailedRestNoToken() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, restRequest);
|
||||
|
@ -99,7 +100,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailedRest() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, token, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, token, restRequest);
|
||||
|
@ -112,7 +113,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailedRealm() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, "_realm", token, "_action", request);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, "_realm", token, "_action", request);
|
||||
|
@ -125,7 +126,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAuthenticationFailedRestRealm() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationFailed(requestId, "_realm", token, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(requestId, "_realm", token, restRequest);
|
||||
|
@ -138,7 +139,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
public void testAnonymousAccess() throws Exception {
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().anonymousAccessDenied(requestId, "_action", request);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).anonymousAccessDenied(requestId, "_action", request);
|
||||
|
@ -155,7 +156,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
() -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().accessGranted(requestId, authentication, "_action", request, authzInfo);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).accessGranted(requestId, authentication, "_action", request, authzInfo);
|
||||
|
@ -172,7 +173,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
() -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().accessDenied(requestId, authentication, "_action", request, authzInfo);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).accessDenied(requestId, authentication, "_action", request, authzInfo);
|
||||
|
@ -186,7 +187,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
||||
SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
|
||||
service.get().connectionGranted(inetAddress, "client", rule);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).connectionGranted(inetAddress, "client", rule);
|
||||
|
@ -200,7 +201,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
InetAddress inetAddress = InetAddress.getLoopbackAddress();
|
||||
SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
|
||||
service.get().connectionDenied(inetAddress, "client", rule);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).connectionDenied(inetAddress, "client", rule);
|
||||
|
@ -215,7 +216,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
String realm = "_realm";
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationSuccess(requestId, realm, user, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationSuccess(requestId, realm, user, restRequest);
|
||||
|
@ -230,7 +231,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
|||
String realm = "_realm";
|
||||
final String requestId = randomAlphaOfLengthBetween(6, 12);
|
||||
service.get().authenticationSuccess(requestId, realm, user, "_action", request);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationSuccess(requestId, realm, user, "_action", request);
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.elasticsearch.common.xcontent.XContentHelper;
|
|||
import org.elasticsearch.common.xcontent.XContentType;
|
||||
import org.elasticsearch.common.xcontent.json.JsonXContent;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
|
@ -99,7 +100,7 @@ public class ApiKeyServiceTests extends ESTestCase {
|
|||
public void setupMocks() {
|
||||
this.licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
|
||||
|
||||
this.client = mock(Client.class);
|
||||
this.securityIndex = SecurityMocks.mockSecurityIndexManager();
|
||||
|
@ -168,7 +169,7 @@ public class ApiKeyServiceTests extends ESTestCase {
|
|||
|
||||
mockKeyDocument(service, id, key, new User(randomAlphaOfLength(6), randomAlphaOfLength(12)));
|
||||
|
||||
when(licenseState.isApiKeyServiceAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(false);
|
||||
final AuthenticationResult auth = tryAuthenticate(service, id, key);
|
||||
assertThat(auth.getStatus(), is(AuthenticationResult.Status.CONTINUE));
|
||||
assertThat(auth.getUser(), nullValue());
|
||||
|
|
|
@ -46,6 +46,7 @@ import org.elasticsearch.index.get.GetResult;
|
|||
import org.elasticsearch.index.seqno.SequenceNumbers;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.rest.RestStatus;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
|
@ -188,12 +189,12 @@ public class AuthenticationServiceTests extends ESTestCase {
|
|||
.put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)
|
||||
.build();
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
ReservedRealm reservedRealm = mock(ReservedRealm.class);
|
||||
when(reservedRealm.type()).thenReturn("reserved");
|
||||
when(reservedRealm.name()).thenReturn("reserved_realm");
|
||||
|
|
|
@ -12,6 +12,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
|
||||
|
@ -81,18 +82,18 @@ public class RealmsTests extends ESTestCase {
|
|||
}
|
||||
|
||||
private void allowAllRealms() {
|
||||
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
|
||||
when(licenseState.areStandardRealmsAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(true);
|
||||
}
|
||||
|
||||
private void allowOnlyStandardRealms() {
|
||||
when(licenseState.areAllRealmsAllowed()).thenReturn(false);
|
||||
when(licenseState.areStandardRealmsAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(true);
|
||||
}
|
||||
|
||||
private void allowOnlyNativeRealms() {
|
||||
when(licenseState.areAllRealmsAllowed()).thenReturn(false);
|
||||
when(licenseState.areStandardRealmsAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(false);
|
||||
}
|
||||
|
||||
public void testWithSettings() throws Exception {
|
||||
|
|
|
@ -41,6 +41,7 @@ import org.elasticsearch.common.xcontent.XContentType;
|
|||
import org.elasticsearch.index.Index;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.test.ClusterServiceUtils;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
|
@ -143,7 +144,7 @@ public class TokenServiceTests extends ESTestCase {
|
|||
// License state (enabled by default)
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
|
||||
// version 7.2 was an "inflection" point in the Token Service development (access_tokens as UUIDS, multiple concurrent refreshes,
|
||||
// tokens docs on a separate index), let's test the TokenService works in a mixed cluster with nodes with versions prior to these
|
||||
|
@ -753,7 +754,7 @@ public class TokenServiceTests extends ESTestCase {
|
|||
}
|
||||
|
||||
public void testCannotValidateTokenIfLicenseDoesNotAllowTokens() throws Exception {
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
TokenService tokenService = createTokenService(tokenServiceEnabledSettings, Clock.systemUTC());
|
||||
Authentication authentication = new Authentication(new User("joe", "admin"), new RealmRef("native_realm", "native", "node1"), null);
|
||||
final String userTokenId = UUIDs.randomBase64UUID();
|
||||
|
@ -766,7 +767,7 @@ public class TokenServiceTests extends ESTestCase {
|
|||
storeTokenHeader(threadContext, tokenService.prependVersionAndEncodeAccessToken(token.getVersion(), accessToken));
|
||||
|
||||
PlainActionFuture<UserToken> authFuture = new PlainActionFuture<>();
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(false);
|
||||
tokenService.getAndValidateToken(threadContext, authFuture);
|
||||
UserToken authToken = authFuture.actionGet();
|
||||
assertThat(authToken, Matchers.nullValue());
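Review bot: In `testCannotValidateTokenIfLicenseDoesNotAllowTokens`, the only assertion after the stub flips to `false` is `assertThat(authToken, Matchers.nullValue())`, and a null token is also what a failed lookup or a decoding error would produce. The test therefore cannot attribute the rejection to the license gate. The lines between the two hunks are not shown, so this is hedged. If they hold no positive control, call `getAndValidateToken` once while `Feature.SECURITY_TOKEN_SERVICE` is still stubbed `true` and assert `Matchers.notNullValue()` on that result.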
|
||||
|
|
|
@ -15,6 +15,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.script.ScriptService;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
|
@ -84,7 +85,7 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
|
|||
writeKeyTab(dir.resolve("key.keytab"), "asa").toString(), 100, "10m", true, randomBoolean());
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
|
||||
}
|
||||
|
||||
@After
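Review bot: The license mock ending in `when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);` is pasted into this setup and again into LdapRealmTests, OpenIdConnectRealmTests, PkiRealmTests and SamlRealmTests. Any later change to how the authorization-realm gate is queried has to be repeated in five places. `DelegatedAuthorizationSupportTests.getLicenseState(boolean)` in this same commit already builds exactly that mock. Moving it to a shared test utility and calling it from these setups would keep the gate stubbed identically everywhere. The enclosing setup method starts outside the hunk.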
|
||||
|
|
|
@ -19,6 +19,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.script.ScriptModule;
|
||||
import org.elasticsearch.script.ScriptService;
|
||||
import org.elasticsearch.script.mustache.MustacheScriptEngine;
|
||||
|
@ -107,7 +108,7 @@ public class LdapRealmTests extends LdapTestCase {
|
|||
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
|
||||
}
|
||||
|
||||
@After
|
||||
|
|
|
@ -16,6 +16,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.RestUtils;
|
||||
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
|
||||
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
|
||||
|
@ -381,7 +382,7 @@ public class OpenIdConnectRealmTests extends OpenIdConnectTestCase {
|
|||
private void initializeRealms(Realm... realms) {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
|
||||
|
||||
final List<Realm> realmList = Arrays.asList(realms);
|
||||
for (Realm realm : realms) {
|
||||
|
|
|
@ -16,6 +16,7 @@ import org.elasticsearch.common.util.CollectionUtils;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
|
||||
|
@ -75,7 +76,7 @@ public class PkiRealmTests extends ESTestCase {
|
|||
.build();
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
|
||||
}
|
||||
|
||||
public void testTokenSupport() throws Exception {
|
||||
|
|
|
@ -18,6 +18,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.http.MockResponse;
|
||||
import org.elasticsearch.test.http.MockWebServer;
|
||||
import org.elasticsearch.watcher.ResourceWatcherService;
|
||||
|
@ -297,7 +298,7 @@ public class SamlRealmTests extends SamlTestCase {
|
|||
private void initializeRealms(Realm... realms) {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
|
||||
|
||||
final List<Realm> realmList = Arrays.asList(realms);
|
||||
for (Realm realm : realms) {
|
||||
|
|
|
@ -12,6 +12,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
|
|||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.env.TestEnvironment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
|
||||
import org.elasticsearch.xpack.core.security.authc.Realm;
|
||||
|
@ -189,7 +190,7 @@ public class DelegatedAuthorizationSupportTests extends ESTestCase {
|
|||
private XPackLicenseState getLicenseState(boolean authzRealmsAllowed) {
|
||||
final XPackLicenseState license = mock(XPackLicenseState.class);
|
||||
when(license.isSecurityEnabled()).thenReturn(true);
|
||||
when(license.isAuthorizationRealmAllowed()).thenReturn(authzRealmsAllowed);
|
||||
when(license.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(authzRealmsAllowed);
|
||||
return license;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -90,6 +90,7 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
|
|||
import org.elasticsearch.index.IndexNotFoundException;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.transport.TransportActionProxy;
|
||||
|
@ -204,7 +205,7 @@ public class AuthorizationServiceTests extends ESTestCase {
|
|||
auditTrail = mock(AuditTrail.class);
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
|
||||
threadContext = new ThreadContext(settings);
|
||||
threadPool = mock(ThreadPool.class);
|
||||
|
@ -1456,7 +1457,7 @@ public class AuthorizationServiceTests extends ESTestCase {
|
|||
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
authorizationService = new AuthorizationService(Settings.EMPTY, rolesStore, clusterService,
|
||||
auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool,
|
||||
new AnonymousUser(Settings.EMPTY), engine, Collections.emptySet(), licenseState, new IndexNameExpressionResolver());
|
||||
|
@ -1464,61 +1465,61 @@ public class AuthorizationServiceTests extends ESTestCase {
|
|||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(new User("test user", "a_all"));
|
||||
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
|
||||
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(new User("runas", new String[]{"runas_role"}, new User("runner", "runner_role")));
|
||||
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
|
||||
assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
|
||||
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(new User("runas", new String[]{"runas_role"}, new ElasticUser(true)));
|
||||
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
|
||||
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
|
||||
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(new User("elastic", new String[]{"superuser"}, new User("runner", "runner_role")));
|
||||
assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
|
||||
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(new User("kibana", new String[]{"kibana_system"}, new ElasticUser(true)));
|
||||
assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
|
||||
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
|
||||
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
|
||||
authentication = createAuthentication(randomFrom(XPackUser.INSTANCE, XPackSecurityUser.INSTANCE,
|
||||
new ElasticUser(true), new KibanaUser(true)));
|
||||
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
|
||||
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
|
||||
}
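Review bot: In the last block of the `-1464,61` hunk (the users drawn with `randomFrom(XPackUser.INSTANCE, ...)`), the branch with `Feature.SECURITY_AUTHORIZATION_ENGINE` stubbed `true` asserts only `getRunAsAuthorizationEngine`. `getAuthorizationEngine` is checked only after the stub flips to `false`. That leaves the licensed case unasserted for the authenticating user, which is the case where a custom engine could actually be selected for an internal or reserved user. Judging from the preceding `elastic` and `kibana` blocks the expected result is the RBAC engine, so adding `assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));` before the `thenReturn(false)` line would cover it. The test method starts outside the hunk.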
|
||||
|
|
|
@ -11,6 +11,7 @@ import org.elasticsearch.common.unit.TimeValue;
|
|||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.search.Scroll;
|
||||
import org.elasticsearch.search.SearchContextMissingException;
|
||||
import org.elasticsearch.search.internal.InternalScrollSearchRequest;
|
||||
|
@ -96,7 +97,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
|
||||
AuditTrail auditTrail = mock(AuditTrail.class);
|
||||
|
@ -185,7 +186,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
|||
TransportRequest request = Empty.INSTANCE;
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
AuditTrail auditTrail = mock(AuditTrail.class);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ import org.elasticsearch.common.bytes.BytesReference;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
|
||||
|
@ -46,8 +47,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
|
||||
Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null),
|
||||
|
@ -105,8 +106,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(randomBoolean());
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(randomBoolean());
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
|
||||
Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null),
|
||||
|
|
|
@ -16,6 +16,7 @@ import org.elasticsearch.common.bytes.BytesReference;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
|
@ -50,8 +51,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
when(threadPool.getThreadContext()).thenReturn(threadContext);
|
||||
|
@ -102,8 +103,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
|||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
when(threadPool.getThreadContext()).thenReturn(threadContext);
|
||||
|
|
|
@ -28,6 +28,7 @@ import org.elasticsearch.index.query.QueryBuilders;
|
|||
import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.license.TestUtils.UpdatableLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
|
@ -118,7 +119,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
|||
public void testRolesWhenDlsFlsUnlicensed() throws IOException {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
|
||||
RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] {
|
||||
IndicesPrivileges.builder()
|
||||
.grantedFields("*")
|
||||
|
@ -189,7 +190,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
|||
public void testRolesWhenDlsFlsLicensed() throws IOException {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] {
|
||||
IndicesPrivileges.builder()
|
||||
.grantedFields("*")
|
||||
|
|
|
@ -17,6 +17,7 @@ import org.elasticsearch.env.TestEnvironment;
|
|||
import org.elasticsearch.index.query.MatchAllQueryBuilder;
|
||||
import org.elasticsearch.index.query.QueryBuilder;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
|
@ -288,7 +289,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
|||
events.clear();
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, licenseState, xContentRegistry());
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(9));
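Review bot: Stubbing `isAllowed(Feature.SECURITY_DLS_FLS)` to `false` on a plain `mock(XPackLicenseState.class)` is indistinguishable from not stubbing it, because Mockito already answers `false` for unstubbed boolean methods. This test would still see `roles.size()` of 9 if `parseFile` queried a different `Feature` constant or none at all. Pinning the argument on the deny path closes that, e.g. `verify(licenseState, atLeastOnce()).isAllowed(Feature.SECURITY_DLS_FLS);` after the `parseFile` call. The same applies to `testRolesWhenDlsFlsUnlicensed` in CompositeRolesStoreTests and `allowOnlyNativeRealms` in RealmsTests, although those classes also stub the feature to `true` elsewhere in their hunks. The test method starts outside the hunk, so an existing verification may already be present.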
|
||||
|
|
|
@ -36,6 +36,7 @@ import org.elasticsearch.index.Index;
|
|||
import org.elasticsearch.index.query.QueryBuilders;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
|
@ -95,7 +96,7 @@ public class NativeRolesStoreTests extends ESTestCase {
|
|||
public void testRoleDescriptorWithFlsDlsLicensing() throws IOException {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
|
||||
RoleDescriptor flsRole = new RoleDescriptor("fls", null,
|
||||
new IndicesPrivileges[] { IndicesPrivileges.builder().privileges("READ").indices("*")
|
||||
.grantedFields("*")
|
||||
|
@ -157,7 +158,7 @@ public class NativeRolesStoreTests extends ESTestCase {
|
|||
assertNotNull(role);
|
||||
assertFalse(role.getTransientMetadata().containsKey("unlicensed_features"));
|
||||
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
|
||||
builder = flsRole.toXContent(XContentBuilder.builder(XContentType.JSON.xContent()), ToXContent.EMPTY_PARAMS);
|
||||
bytes = BytesReference.bytes(builder);
|
||||
role = NativeRolesStore.transformRole(RoleDescriptor.ROLE_TYPE + "fls", bytes, logger, licenseState);
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
|
|||
import org.elasticsearch.common.xcontent.XContentType;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.AbstractRestChannel;
|
||||
import org.elasticsearch.rest.RestChannel;
|
||||
import org.elasticsearch.rest.RestResponse;
|
||||
|
@ -55,7 +56,7 @@ public class RestCreateApiKeyActionTests extends ESTestCase {
|
|||
threadPool = new ThreadPool(settings);
|
||||
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
|
||||
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
|
|||
import org.elasticsearch.common.xcontent.XContentType;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.AbstractRestChannel;
|
||||
import org.elasticsearch.rest.RestChannel;
|
||||
import org.elasticsearch.rest.RestResponse;
|
||||
|
@ -55,7 +56,7 @@ public class RestGetApiKeyActionTests extends ESTestCase {
|
|||
threadPool = new ThreadPool(settings);
|
||||
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
|
||||
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
|
|||
import org.elasticsearch.common.xcontent.XContentType;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.rest.AbstractRestChannel;
|
||||
import org.elasticsearch.rest.RestChannel;
|
||||
import org.elasticsearch.rest.RestResponse;
|
||||
|
@ -55,7 +56,7 @@ public class RestInvalidateApiKeyActionTests extends ESTestCase {
|
|||
threadPool = new ThreadPool(settings);
|
||||
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
|
||||
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
|
||||
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -23,6 +23,7 @@ import org.elasticsearch.common.settings.Settings;
|
|||
import org.elasticsearch.index.get.GetResult;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
|
@ -173,7 +174,7 @@ public final class SecurityMocks {
|
|||
when(client.threadPool()).thenReturn(threadPool);
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
|
||||
final ClusterService clusterService = mock(ClusterService.class);
|
||||
|
||||
final SecurityContext securityContext = new SecurityContext(settings, threadPool.getThreadContext());
|
||||
|
|
|
@ -15,6 +15,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
|
|||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.http.HttpServerTransport;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.node.MockNode;
|
||||
import org.elasticsearch.node.Node;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
|
@ -61,8 +62,8 @@ public class IPFilterTests extends ESTestCase {
|
|||
public void init() {
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
|
||||
auditTrail = mock(AuditTrail.class);
|
||||
auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
|
||||
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
|
||||
|
@ -252,7 +253,7 @@ public class IPFilterTests extends ESTestCase {
|
|||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.transport.filter.deny", "_all")
|
||||
.build();
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(false);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(false);
|
||||
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
|
||||
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
|
||||
|
||||
|
@ -263,7 +264,7 @@ public class IPFilterTests extends ESTestCase {
|
|||
verifyZeroInteractions(auditTrail);
|
||||
|
||||
// for sanity enable license and check that it is denied
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
|
||||
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
|
||||
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
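Review bot: The stub `when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(false);` in the hunk at line 252 has no comment stating what the test expects, while its counterpart in the next hunk has one (`// for sanity enable license and check that it is denied`). I would add `// license does not allow IP filtering: the deny rule must not be enforced and nothing is audited` above it, because this case appears to pin that a node without the licence accepts connections despite `xpack.security.transport.filter.deny: _all`. The stub is now argument-specific, so it overrides only the `SECURITY_IP_FILTERING` value set in `init()` (presumably run before each test) and leaves `SECURITY_AUDITING` stubbed as allowed. That keeps `verifyZeroInteractions(auditTrail)` meaningful: it shows the filter was skipped, not that auditing was switched off. The test method starts and ends outside these hunks, so the assertions between them are assumed rather than seen.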
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
|
|||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.http.HttpServerTransport;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
|
@ -57,7 +58,7 @@ public class IpFilterRemoteAddressFilterTests extends ESTestCase {
|
|||
IPFilter.PROFILE_FILTER_DENY_SETTING)));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
|
||||
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
|
||||
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
|
||||
|
|
|
@ -13,6 +13,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
|
|||
import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.http.HttpServerTransport;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState.Feature;
|
||||
import org.elasticsearch.nio.NioChannelHandler;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
|
@ -60,7 +61,7 @@ public class NioIPFilterTests extends ESTestCase {
|
|||
IPFilter.PROFILE_FILTER_DENY_SETTING)));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
|
||||
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
|
||||
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
|
||||
|
|