Add isAllowed license utility (#55424) (#55700)

License state is currently made up of boolean methods that check whether
a particular feature is allowed by the current license state. Each new
feature must copy/paste boilerplate code. While that has gotten easier
with utilities like isAllowedByLicense, this is still more cumbersome
than should be necessary. This commit adds a general purpose isAllowed
method which takes a new Feature enum, where each value of the enum
defines the minimum license mode and whether the license must be active
to be allowed. Only security features are converted in this PR, in order
to keep the commit size relatively small. The rest of the features will
be converted in a followup.
Ryan Ernst 2020-04-23 16:28:28 -07:00 committed by GitHub
parent 715c90bf7d
commit 97c4b64fb1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
53 changed files with 259 additions and 239 deletions


@ -30,6 +30,32 @@ import java.util.function.Predicate;
*/
public class XPackLicenseState {
/**
* A licensed feature.
*
* Each value defines the licensed state necessary for the feature to be allowed.
*/
public enum Feature {
SECURITY_IP_FILTERING(OperationMode.GOLD, false),
SECURITY_AUDITING(OperationMode.GOLD, false),
SECURITY_DLS_FLS(OperationMode.PLATINUM, false),
SECURITY_ALL_REALMS(OperationMode.PLATINUM, false),
SECURITY_STANDARD_REALMS(OperationMode.GOLD, false),
SECURITY_CUSTOM_ROLE_PROVIDERS(OperationMode.PLATINUM, true),
SECURITY_TOKEN_SERVICE(OperationMode.GOLD, false),
SECURITY_API_KEY_SERVICE(OperationMode.MISSING, false),
SECURITY_AUTHORIZATION_REALM(OperationMode.PLATINUM, true),
SECURITY_AUTHORIZATION_ENGINE(OperationMode.PLATINUM, true);
final OperationMode minimumOperationMode;
final boolean needsActive;
Feature(OperationMode minimumOperationMode, boolean needsActive) {
this.minimumOperationMode = minimumOperationMode;
this.needsActive = needsActive;
}
}
/** Messages for each feature which are printed when the license expires. */
static final Map<String, String[]> EXPIRATION_MESSAGES;
static {
@ -401,77 +427,14 @@ public class XPackLicenseState {
return checkAgainstStatus(status -> status.active);
}
public boolean isIpFilteringAllowed() {
return isAllowedByLicense(OperationMode.GOLD, false);
}
public boolean isAuditingAllowed() {
return isAllowedByLicense(OperationMode.GOLD, false);
public boolean isAllowed(Feature feature) {
return isAllowedByLicense(feature.minimumOperationMode, feature.needsActive);
}
public boolean isStatsAndHealthAllowed() {
return allowForAllLicenses();
}
/**
* Determine if Document Level Security (DLS) and Field Level Security (FLS) should be enabled.
* <p>
* DLS and FLS are only disabled when the mode is not:
* <ul>
* <li>{@link OperationMode#PLATINUM} or higher</li>
* <li>{@link OperationMode#TRIAL}</li>
* </ul>
* Note: This does not consider the <em>state</em> of the license so that Security does not suddenly leak information!
* i.e. the same DLS guarantee keeps working for existing configuration even after license expires.
*
* @return {@code true} to enable DLS and FLS. Otherwise {@code false}.
*/
public boolean isDocumentAndFieldLevelSecurityAllowed() {
return isAllowedByLicense(OperationMode.PLATINUM, false);
}
public boolean areAllRealmsAllowed() {
return isAllowedByLicense(OperationMode.PLATINUM, false);
}
public boolean areStandardRealmsAllowed() {
return isAllowedByLicense(OperationMode.GOLD, false);
}
public boolean isCustomRoleProvidersAllowed() {
return isAllowedByLicense(OperationMode.PLATINUM, true);
}
/**
* Whether the Elasticsearch {@code TokenService} is allowed
*/
public boolean isTokenServiceAllowed() {
return isAllowedByLicense(OperationMode.GOLD, false);
}
/**
* Whether the Elasticsearch {@code ApiKeyService} is allowed
*/
public boolean isApiKeyServiceAllowed() {
return isAllowedByLicense(OperationMode.MISSING, false);
}
/**
* Whether "authorization_realms" is allowed
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizationRealmAllowed() {
return isAllowedByLicense(OperationMode.PLATINUM, true);
}
/**
* Whether a custom authorization engine is allowed
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizationEngineAllowed() {
return isAllowedByLicense(OperationMode.PLATINUM, true);
}
public boolean isWatcherAllowed() {
return isAllowedByLicense(OperationMode.STANDARD);
}
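Review bot: The reason `SECURITY_DLS_FLS(OperationMode.PLATINUM, false)` ignores license expiry is no longer written down anywhere visible. The Javadoc on `isDocumentAndFieldLevelSecurityAllowed()`, which this commit appears to remove, explained that DLS/FLS deliberately does not consider the license state, so existing restrictions keep applying after expiry. With the flag now a bare `false` in the enum, a later change to `true` would look harmless while changing what an expired cluster exposes. I would carry the reason onto the constant, e.g. `// needsActive=false on purpose: DLS/FLS must keep applying after expiry so existing roles do not start leaking data`.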


@ -18,6 +18,7 @@ import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
@ -61,7 +62,8 @@ public class SecurityIndexReaderWrapper implements CheckedFunction<DirectoryRead
@Override
public DirectoryReader apply(final DirectoryReader reader) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false ||
licenseState.isAllowed(Feature.SECURITY_DLS_FLS) == false) {
return reader;
}
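Review bot: The guard in `apply` makes two separate reads of the live `licenseState`, `isSecurityEnabled()` and then `isAllowed(Feature.SECURITY_DLS_FLS)`, so the two answers could come from different license states if an update lands between them, and when the guard trips the reader is returned unwrapped. `IndicesAliasesRequestInterceptor` and `ResizeRequestInterceptor` in this same commit call `licenseState.copyCurrentLicenseState()` first and query the copy; doing the same here (`final XPackLicenseState frozen = licenseState.copyCurrentLicenseState();`) would make the decision consistent. Whether an update can actually interleave is not visible from this hunk, so this needs confirming against `XPackLicenseState.update`. The same two-read pattern appears in the hunks for `Security`, `AuditTrailService`, `ApiKeyService`, `TokenService`, `DelegatedAuthorizationSupport`, `AuthorizationService`, `BulkShardRequestInterceptor` and `FieldAndDocumentLevelSecurityRequestInterceptor`. The body of `apply` continues past the end of the hunk.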


@ -8,6 +8,7 @@ package org.elasticsearch.license;
import org.elasticsearch.Version;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.test.VersionUtils;
import org.elasticsearch.xpack.core.XPackField;
@ -78,12 +79,12 @@ public class XPackLicenseStateTests extends ESTestCase {
XPackLicenseState licenseState =
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.areAllRealmsAllowed(), is(true));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
licenseState = new XPackLicenseState(Settings.EMPTY);
assertSecurityNotAllowed(licenseState);
@ -101,13 +102,13 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(BASIC, true, null);
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
assertThat(licenseState.isSecurityAvailable(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(false));
@ -119,13 +120,13 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(BASIC, true, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
assertThat(licenseState.isSecurityAvailable(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(true));
@ -136,13 +137,13 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(BASIC, false, null);
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testSecurityEnabledBasicExpired() {
@ -151,13 +152,13 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(BASIC, false, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testSecurityStandard() {
@ -166,11 +167,11 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(STANDARD, true, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
}
public void testSecurityStandardExpired() {
@ -179,11 +180,11 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(STANDARD, false, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
}
public void testSecurityGold() {
@ -192,14 +193,14 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(GOLD, true, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.areStandardRealmsAllowed(), is(true));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testSecurityGoldExpired() {
@ -208,14 +209,14 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(GOLD, false, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.areStandardRealmsAllowed(), is(true));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testSecurityPlatinum() {
@ -224,14 +225,14 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(PLATINUM, true, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.areAllRealmsAllowed(), is(true));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testSecurityPlatinumExpired() {
@ -240,14 +241,14 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(PLATINUM, false, null);
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_AUDITING), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.areAllRealmsAllowed(), is(true));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_DLS_FLS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
assertThat(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE), is(true));
assertThat(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE), is(true));
}
public void testNewTrialDefaultsSecurityOff() {
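Review bot: None of the assertions visible in these hunks cover `Feature.SECURITY_AUTHORIZATION_REALM` or `Feature.SECURITY_AUTHORIZATION_ENGINE`, two of the three constants declared with `needsActive` set to true, so a wrong mode or flag on either would not be caught here. In `testSecurityPlatinumExpired`, next to the `SECURITY_CUSTOM_ROLE_PROVIDERS` check, I would add `assertThat(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM), is(false));` and the matching `is(true)` line in `testSecurityPlatinum`, and likewise for the engine feature. Parts of the test class lie outside the hunks, so these may already be asserted elsewhere.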


@ -36,6 +36,7 @@ import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.mock.orig.Mockito;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.search.internal.ContextIndexSearcher;
@ -98,7 +99,7 @@ public class SecurityIndexReaderWrapperIntegrationTests extends AbstractBuilderT
DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
Directory directory = newDirectory();
IndexWriter iw = new IndexWriter(
@ -234,7 +235,7 @@ public class SecurityIndexReaderWrapperIntegrationTests extends AbstractBuilderT
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> queryShardContext,
bitsetCache, securityContext, licenseState, scriptService) {


@ -20,6 +20,7 @@ import org.elasticsearch.index.mapper.SourceFieldMapper;
import org.elasticsearch.index.shard.IndexShard;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.SecurityContext;
@ -65,7 +66,7 @@ public class SecurityIndexReaderWrapperUnitTests extends ESTestCase {
ShardId shardId = new ShardId(index, 0);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
IndexShard indexShard = mock(IndexShard.class);
when(indexShard.shardId()).thenReturn(shardId);
@ -114,7 +115,7 @@ public class SecurityIndexReaderWrapperUnitTests extends ESTestCase {
}
public void testWrapReaderWhenFeatureDisabled() throws Exception {
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
securityIndexReaderWrapper =
new SecurityIndexReaderWrapper(null, null, securityContext, licenseState, scriptService);
DirectoryReader reader = securityIndexReaderWrapper.apply(esIn);


@ -50,6 +50,7 @@ import org.elasticsearch.ingest.Processor;
import org.elasticsearch.license.License;
import org.elasticsearch.license.LicenseService;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.plugins.ClusterPlugin;
import org.elasticsearch.plugins.DiscoveryPlugin;
import org.elasticsearch.plugins.ExtensiblePlugin;
@ -1030,7 +1031,7 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
if (enabled) {
return index -> {
XPackLicenseState licenseState = getLicenseState();
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isAllowed(Feature.SECURITY_DLS_FLS) == false) {
return MapperPlugin.NOOP_FIELD_PREDICATE;
}
IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(


@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.audit;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
@ -32,7 +33,7 @@ public class AuditTrailService {
public AuditTrail get() {
if (compositeAuditTrail.isEmpty() == false &&
licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_AUDITING)) {
return compositeAuditTrail;
} else {
return NOOP_AUDIT_TRAIL;


@ -581,11 +581,13 @@ public class ApiKeyService {
}
private boolean isEnabled() {
return enabled && licenseState.isSecurityEnabled() && licenseState.isApiKeyServiceAllowed();
return enabled && licenseState.isSecurityEnabled() &&
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE);
}
public void ensureEnabled() {
if (licenseState.isSecurityEnabled() == false || licenseState.isApiKeyServiceAllowed() == false) {
if (licenseState.isSecurityEnabled() == false ||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE) == false) {
throw LicenseUtils.newComplianceException("api keys");
}
if (enabled == false) {
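Review bot: `isEnabled()` and `ensureEnabled()` spell out `XPackLicenseState.Feature.SECURITY_API_KEY_SERVICE` in full, while the other files in this commit add `import org.elasticsearch.license.XPackLicenseState.Feature;` and write `Feature.X`. Unless `Feature` clashes with another name in this file (the import block is not in the hunk), importing it here would keep each condition on one line and match the rest of the change. The `TokenService` hunk has the same inconsistency. The body of `ensureEnabled` continues past the end of the hunk.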


@ -16,6 +16,7 @@ import org.elasticsearch.common.util.concurrent.CountDown;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
@ -118,7 +119,7 @@ public class Realms implements Iterable<Realm> {
}
// If all realms are allowed, then nothing is unlicensed
if (licenseStateSnapshot.areAllRealmsAllowed()) {
if (licenseStateSnapshot.isAllowed(Feature.SECURITY_ALL_REALMS)) {
return Collections.emptyList();
}
@ -142,9 +143,9 @@ public class Realms implements Iterable<Realm> {
if (licenseStateSnapshot.isSecurityEnabled() == false) {
return Collections.emptyList();
}
if (licenseStateSnapshot.areAllRealmsAllowed()) {
if (licenseStateSnapshot.isAllowed(Feature.SECURITY_ALL_REALMS)) {
return realms;
} else if (licenseStateSnapshot.areStandardRealmsAllowed()) {
} else if (licenseStateSnapshot.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
return standardRealmsOnly;
} else {
// native realms are basic licensed, and always allowed, even for an expired license
@ -336,9 +337,9 @@ public class Realms implements Iterable<Realm> {
}
public static boolean isRealmTypeAvailable(XPackLicenseState licenseState, String type) {
if (licenseState.areAllRealmsAllowed()) {
if (licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)) {
return true;
} else if (licenseState.areStandardRealmsAllowed()) {
} else if (licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
return InternalRealms.isStandardRealm(type) || ReservedRealm.TYPE.equals(type);
} else {
return FileRealmSettings.TYPE.equals(type) || NativeRealmSettings.TYPE.equals(type);


@ -1519,11 +1519,13 @@ public final class TokenService {
}
private boolean isEnabled() {
return enabled && licenseState.isSecurityEnabled() && licenseState.isTokenServiceAllowed();
return enabled && licenseState.isSecurityEnabled() &&
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE);
}
private void ensureEnabled() {
if (licenseState.isSecurityEnabled() == false || licenseState.isTokenServiceAllowed() == false) {
if (licenseState.isSecurityEnabled() == false ||
licenseState.isAllowed(XPackLicenseState.Feature.SECURITY_TOKEN_SERVICE) == false) {
throw LicenseUtils.newComplianceException("security tokens");
}
if (enabled == false) {


@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
@ -80,7 +81,7 @@ public class DelegatedAuthorizationSupport {
* with a meaningful diagnostic message.
*/
public void resolve(String username, ActionListener<AuthenticationResult> resultListener) {
boolean authzOk = licenseState.isSecurityEnabled() && licenseState.isAuthorizationRealmAllowed();
boolean authzOk = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM);
if (authzOk == false) {
resultListener.onResponse(AuthenticationResult.unsuccessful(
DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX + " are not permitted",


@ -34,6 +34,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
@ -365,7 +366,8 @@ public class AuthorizationService {
}
private AuthorizationEngine getAuthorizationEngineForUser(final User user) {
if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() && licenseState.isAuthorizationEngineAllowed()) {
if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() &&
licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)) {
if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternalUser(user)) {
return rbacEngine;
} else {


@ -14,6 +14,7 @@ import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
@ -40,7 +41,7 @@ public class BulkShardRequestInterceptor implements RequestInterceptor {
@Override
public void intercept(RequestInfo requestInfo, AuthorizationEngine authzEngine, AuthorizationInfo authorizationInfo,
ActionListener<Void> listener) {
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
if (requestInfo.getRequest() instanceof BulkShardRequest && shouldIntercept) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);


@ -11,6 +11,7 @@ import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo;
@ -38,7 +39,7 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor implements Reques
ActionListener<Void> listener) {
if (requestInfo.getRequest() instanceof IndicesRequest) {
IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequest();
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
if (supports(indicesRequest) && shouldIntercept) {
final IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);


@ -11,6 +11,7 @@ import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
@ -51,7 +52,7 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
final AuditTrail auditTrail = auditTrailService.get();
if (frozenLicenseState.isSecurityEnabled()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
if (frozenLicenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {


@ -10,6 +10,7 @@ import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
@ -47,7 +48,7 @@ public final class ResizeRequestInterceptor implements RequestInterceptor {
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
final AuditTrail auditTrail = auditTrailService.get();
if (frozenLicenseState.isSecurityEnabled()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
if (frozenLicenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
IndicesAccessControl.IndexAccessControl indexAccessControl =


@ -25,6 +25,7 @@ import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
@ -165,7 +166,7 @@ public class CompositeRolesStore {
rolesRetrievalResult.getMissingRoles()));
}
final Set<RoleDescriptor> effectiveDescriptors;
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
effectiveDescriptors = rolesRetrievalResult.getRoleDescriptors();
} else {
effectiveDescriptors = rolesRetrievalResult.getRoleDescriptors().stream()
@ -320,7 +321,7 @@ public class CompositeRolesStore {
private void loadRoleDescriptorsAsync(Set<String> roleNames, ActionListener<RolesRetrievalResult> listener) {
final RolesRetrievalResult rolesResult = new RolesRetrievalResult();
final List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> asyncRoleProviders =
licenseState.isCustomRoleProvidersAllowed() ? allRoleProviders : builtInRoleProviders;
licenseState.isAllowed(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS) ? allRoleProviders : builtInRoleProviders;
final ActionListener<RoleRetrievalResult> descriptorsListener =
ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(ignore -> {
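Review bot: The provider selection in `loadRoleDescriptorsAsync` now depends on `Feature.SECURITY_CUSTOM_ROLE_PROVIDERS`, which the enum declares with `needsActive` set to true, while `Feature.SECURITY_DLS_FLS` in the earlier hunk is declared with false, and neither call site mentions the difference. If `isAllowed` honours that flag (its body is not visible here), an expired license drops roles from custom providers while DLS/FLS handling stays unchanged. A comment on the ternary would help whoever has to explain missing roles after an expiry: `// needs an active license: on expiry only builtInRoleProviders are consulted`. Both methods continue outside their hunks.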


@ -21,6 +21,7 @@ import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.yaml.YamlXContent;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
@ -175,7 +176,7 @@ public class FileRolesStore implements BiConsumer<Set<String>, ActionListener<Ro
if (Files.exists(path)) {
try {
List<String> roleSegments = roleSegments(path);
final boolean flsDlsLicensed = licenseState.isDocumentAndFieldLevelSecurityAllowed();
final boolean flsDlsLicensed = licenseState.isAllowed(Feature.SECURITY_DLS_FLS);
for (String segment : roleSegments) {
RoleDescriptor descriptor = parseRoleDescriptor(segment, path, logger, resolvePermission, settings, xContentRegistry);
if (descriptor != null) {


@ -38,6 +38,7 @@ import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheRequest;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheResponse;
@ -200,7 +201,7 @@ public class NativeRolesStore implements BiConsumer<Set<String>, ActionListener<
}
public void putRole(final PutRoleRequest request, final RoleDescriptor role, final ActionListener<Boolean> listener) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
innerPutRole(request, role, listener);
} else if (role.isUsingDocumentOrFieldLevelSecurity()) {
listener.onFailure(LicenseUtils.newComplianceException("field and document level security"));
@ -381,7 +382,7 @@ public class NativeRolesStore implements BiConsumer<Set<String>, ActionListener<
// we pass true as last parameter because we do not want to reject permissions if the field permissions
// are given in 2.x syntax
RoleDescriptor roleDescriptor = RoleDescriptor.parse(name, sourceBytes, true, XContentType.JSON);
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
if (licenseState.isAllowed(Feature.SECURITY_DLS_FLS)) {
return roleDescriptor;
} else {
final boolean dlsEnabled =


@ -14,6 +14,7 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestResponse;
@ -54,7 +55,7 @@ public final class RestDelegatePkiAuthenticationAction extends SecurityBaseRestH
Exception failedFeature = super.checkFeatureAvailable(request);
if (failedFeature != null) {
return failedFeature;
} else if (licenseState.areStandardRealmsAllowed()) {
} else if (licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)) {
return null;
} else {
logger.info("The '{}' realm is not available under the current license", PkiRealmSettings.TYPE);
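Review bot: The rejection log in this `checkFeatureAvailable` omits the license level, unlike the matching branches in ApiKeyBaseRestHandler and TokenBaseRestHandler, which both pass `licenseState.getOperationMode().description()`. Aligning it makes a refused PKI delegation request traceable to the license in force: `logger.info("The '{}' realm is not available under the current [{}] license", PkiRealmSettings.TYPE, licenseState.getOperationMode().description());`. The method ends outside the hunk.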


@ -11,6 +11,7 @@ import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
@ -29,7 +30,7 @@ abstract class ApiKeyBaseRestHandler extends SecurityBaseRestHandler {
Exception failedFeature = super.checkFeatureAvailable(request);
if (failedFeature != null) {
return failedFeature;
} else if (licenseState.isApiKeyServiceAllowed()) {
} else if (licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)) {
return null;
} else {
logger.info("API Keys are not available under the current [{}] license", licenseState.getOperationMode().description());
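Review bot: `Feature.SECURITY_API_KEY_SERVICE` is declared in the enum with `OperationMode.MISSING` and `needsActive` false, so this `else if` may pass for every license and leave the `else` branch with the "not available" log unreachable. `isAllowed` is not visible here, so that is an inference from the enum values alone. If it is intended, a short comment would record it, for example `// minimum mode is MISSING: API keys are not restricted by license level`. The method continues past the hunk.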


@ -11,6 +11,7 @@ import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
@ -30,7 +31,7 @@ abstract class TokenBaseRestHandler extends SecurityBaseRestHandler {
Exception failedFeature = super.checkFeatureAvailable(request);
if (failedFeature != null) {
return failedFeature;
} else if (licenseState.isTokenServiceAllowed()) {
} else if (licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)) {
return null;
} else {
logger.info("Security tokens are not available under the current [{}] license", licenseState.getOperationMode().description());


@ -18,6 +18,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.transport.TransportSettings;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
@ -199,7 +200,8 @@ public class IPFilter {
}
public boolean accept(String profile, InetSocketAddress peerAddress) {
if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
if (licenseState.isSecurityEnabled() == false ||
licenseState.isAllowed(Feature.SECURITY_IP_FILTERING) == false) {
return true;
}
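Review bot: `accept` returns `true` for every peer when either license check fails, so the configured filter rules stop being applied with nothing in this branch saying so. The rewritten condition should carry a comment that this is intended, e.g. `// security disabled or IP filtering not licensed: rules are not applied, accept`. The two checks also read the live `licenseState` separately, whereas IndicesAliasesRequestInterceptor and ResizeRequestInterceptor in this commit query one `copyCurrentLicenseState()` snapshot. Using a snapshot here would keep the pair consistent, provided the copy is cheap enough for a per-connection path. The rest of `accept` lies outside the hunk.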


@ -33,6 +33,7 @@ import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.test.ClusterServiceUtils;
import org.elasticsearch.threadpool.ThreadPool;
@ -178,7 +179,7 @@ public class TransportOpenIdConnectLogoutActionTests extends OpenIdConnectTestCa
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, new SecurityContext(settings, threadContext),
securityIndex, securityIndex, clusterService);


@ -48,6 +48,7 @@ import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.TermQueryBuilder;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchHits;
import org.elasticsearch.tasks.Task;
@ -205,7 +206,7 @@ public class TransportSamlInvalidateSessionActionTests extends SamlTestCase {
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool);
final SecurityContext securityContext = new SecurityContext(settings, threadContext);


@ -40,6 +40,7 @@ import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.test.ClusterServiceUtils;
import org.elasticsearch.threadpool.ThreadPool;
@ -208,7 +209,7 @@ public class TransportSamlLogoutActionTests extends SamlTestCase {
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool);
final SecurityContext securityContext = new SecurityContext(settings, threadContext);
tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, securityContext, securityIndex, securityIndex,


@ -31,6 +31,7 @@ import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.ClusterServiceUtils;
@ -169,7 +170,7 @@ public class TransportCreateTokenActionTests extends ESTestCase {
this.license = mock(XPackLicenseState.class);
when(license.isSecurityEnabled()).thenReturn(true);
when(license.isTokenServiceAllowed()).thenReturn(true);
when(license.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
}
@After


@ -20,6 +20,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.Index;
import org.elasticsearch.indices.IndexClosedException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.ClusterServiceUtils;
@ -74,7 +75,7 @@ public class TransportInvalidateTokenActionTests extends ESTestCase {
this.clusterService = ClusterServiceUtils.createClusterService(threadPool);
this.license = mock(XPackLicenseState.class);
when(license.isSecurityEnabled()).thenReturn(true);
when(license.isTokenServiceAllowed()).thenReturn(true);
when(license.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
}
public void testInvalidateTokensWhenIndexUnavailable() throws Exception {


@ -6,6 +6,7 @@
package org.elasticsearch.xpack.security.audit;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.TransportRequest;
@ -51,7 +52,7 @@ public class AuditTrailServiceTests extends ESTestCase {
service = new AuditTrailService(auditTrails, licenseState);
isAuditingAllowed = randomBoolean();
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(isAuditingAllowed);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(isAuditingAllowed);
token = mock(AuthenticationToken.class);
request = mock(TransportRequest.class);
restRequest = mock(RestRequest.class);
@ -60,7 +61,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailed() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, token, "_action", request);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, token, "_action", request);
@ -73,7 +74,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedNoToken() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, "_action", request);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, "_action", request);
@ -86,7 +87,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestNoToken() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, restRequest);
@ -99,7 +100,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRest() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, token, restRequest);
@ -112,7 +113,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRealm() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, "_realm", token, "_action", request);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, "_realm", token, "_action", request);
@ -125,7 +126,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestRealm() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationFailed(requestId, "_realm", token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(requestId, "_realm", token, restRequest);
@ -138,7 +139,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAnonymousAccess() throws Exception {
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().anonymousAccessDenied(requestId, "_action", request);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).anonymousAccessDenied(requestId, "_action", request);
@ -155,7 +156,7 @@ public class AuditTrailServiceTests extends ESTestCase {
() -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().accessGranted(requestId, authentication, "_action", request, authzInfo);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessGranted(requestId, authentication, "_action", request, authzInfo);
@ -172,7 +173,7 @@ public class AuditTrailServiceTests extends ESTestCase {
() -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, new String[] { randomAlphaOfLengthBetween(1, 6) });
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().accessDenied(requestId, authentication, "_action", request, authzInfo);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessDenied(requestId, authentication, "_action", request, authzInfo);
@ -186,7 +187,7 @@ public class AuditTrailServiceTests extends ESTestCase {
InetAddress inetAddress = InetAddress.getLoopbackAddress();
SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
service.get().connectionGranted(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionGranted(inetAddress, "client", rule);
@ -200,7 +201,7 @@ public class AuditTrailServiceTests extends ESTestCase {
InetAddress inetAddress = InetAddress.getLoopbackAddress();
SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
service.get().connectionDenied(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionDenied(inetAddress, "client", rule);
@ -215,7 +216,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationSuccess(requestId, realm, user, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(requestId, realm, user, restRequest);
@ -230,7 +231,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
final String requestId = randomAlphaOfLengthBetween(6, 12);
service.get().authenticationSuccess(requestId, realm, user, "_action", request);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isAllowed(Feature.SECURITY_AUDITING);
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(requestId, realm, user, "_action", request);


@ -22,6 +22,7 @@ import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ClusterServiceUtils;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.TestThreadPool;
@ -99,7 +100,7 @@ public class ApiKeyServiceTests extends ESTestCase {
public void setupMocks() {
this.licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
this.client = mock(Client.class);
this.securityIndex = SecurityMocks.mockSecurityIndexManager();
@ -168,7 +169,7 @@ public class ApiKeyServiceTests extends ESTestCase {
mockKeyDocument(service, id, key, new User(randomAlphaOfLength(6), randomAlphaOfLength(12)));
when(licenseState.isApiKeyServiceAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(false);
final AuthenticationResult auth = tryAuthenticate(service, id, key);
assertThat(auth.getStatus(), is(AuthenticationResult.Status.CONTINUE));
assertThat(auth.getUser(), nullValue());


@ -46,6 +46,7 @@ import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.seqno.SequenceNumbers;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.test.ClusterServiceUtils;
@ -188,12 +189,12 @@ public class AuthenticationServiceTests extends ESTestCase {
.put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)
.build();
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
ReservedRealm reservedRealm = mock(ReservedRealm.class);
when(reservedRealm.type()).thenReturn("reserved");
when(reservedRealm.name()).thenReturn("reserved_realm");


@ -12,6 +12,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
@ -81,18 +82,18 @@ public class RealmsTests extends ESTestCase {
}
private void allowAllRealms() {
when(licenseState.areAllRealmsAllowed()).thenReturn(true);
when(licenseState.areStandardRealmsAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(true);
}
private void allowOnlyStandardRealms() {
when(licenseState.areAllRealmsAllowed()).thenReturn(false);
when(licenseState.areStandardRealmsAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(true);
}
private void allowOnlyNativeRealms() {
when(licenseState.areAllRealmsAllowed()).thenReturn(false);
when(licenseState.areStandardRealmsAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_ALL_REALMS)).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_STANDARD_REALMS)).thenReturn(false);
}
public void testWithSettings() throws Exception {


@ -41,6 +41,7 @@ import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.node.Node;
import org.elasticsearch.test.ClusterServiceUtils;
import org.elasticsearch.test.ESTestCase;
@ -143,7 +144,7 @@ public class TokenServiceTests extends ESTestCase {
// License state (enabled by default)
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
// version 7.2 was an "inflection" point in the Token Service development (access_tokens as UUIDS, multiple concurrent refreshes,
// tokens docs on a separate index), let's test the TokenService works in a mixed cluster with nodes with versions prior to these
@ -753,7 +754,7 @@ public class TokenServiceTests extends ESTestCase {
}
public void testCannotValidateTokenIfLicenseDoesNotAllowTokens() throws Exception {
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
TokenService tokenService = createTokenService(tokenServiceEnabledSettings, Clock.systemUTC());
Authentication authentication = new Authentication(new User("joe", "admin"), new RealmRef("native_realm", "native", "node1"), null);
final String userTokenId = UUIDs.randomBase64UUID();
@ -766,7 +767,7 @@ public class TokenServiceTests extends ESTestCase {
storeTokenHeader(threadContext, tokenService.prependVersionAndEncodeAccessToken(token.getVersion(), accessToken));
PlainActionFuture<UserToken> authFuture = new PlainActionFuture<>();
when(licenseState.isTokenServiceAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(false);
tokenService.getAndValidateToken(threadContext, authFuture);
UserToken authToken = authFuture.actionGet();
assertThat(authToken, Matchers.nullValue());


@ -15,6 +15,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.TestThreadPool;
@ -84,7 +85,7 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
writeKeyTab(dir.resolve("key.keytab"), "asa").toString(), 100, "10m", true, randomBoolean());
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
}
@After


@ -19,6 +19,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.script.ScriptModule;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.mustache.MustacheScriptEngine;
@ -107,7 +108,7 @@ public class LdapRealmTests extends LdapTestCase {
sslService = new SSLService(defaultGlobalSettings, TestEnvironment.newEnvironment(defaultGlobalSettings));
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
}
@After


@ -16,6 +16,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.RestUtils;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
@ -381,7 +382,7 @@ public class OpenIdConnectRealmTests extends OpenIdConnectTestCase {
private void initializeRealms(Realm... realms) {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
final List<Realm> realmList = Arrays.asList(realms);
for (Realm realm : realms) {


@ -16,6 +16,7 @@ import org.elasticsearch.common.util.CollectionUtils;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
@ -75,7 +76,7 @@ public class PkiRealmTests extends ESTestCase {
.build();
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
}
public void testTokenSupport() throws Exception {


@ -18,6 +18,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.http.MockResponse;
import org.elasticsearch.test.http.MockWebServer;
import org.elasticsearch.watcher.ResourceWatcherService;
@ -297,7 +298,7 @@ public class SamlRealmTests extends SamlTestCase {
private void initializeRealms(Realm... realms) {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(true);
final List<Realm> realmList = Arrays.asList(realms);
for (Realm realm : realms) {


@ -12,6 +12,7 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.Realm;
@ -189,7 +190,7 @@ public class DelegatedAuthorizationSupportTests extends ESTestCase {
private XPackLicenseState getLicenseState(boolean authzRealmsAllowed) {
final XPackLicenseState license = mock(XPackLicenseState.class);
when(license.isSecurityEnabled()).thenReturn(true);
when(license.isAuthorizationRealmAllowed()).thenReturn(authzRealmsAllowed);
when(license.isAllowed(Feature.SECURITY_AUTHORIZATION_REALM)).thenReturn(authzRealmsAllowed);
return license;
}
}


@ -90,6 +90,7 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportActionProxy;
@ -204,7 +205,7 @@ public class AuthorizationServiceTests extends ESTestCase {
auditTrail = mock(AuditTrail.class);
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
threadContext = new ThreadContext(settings);
threadPool = mock(ThreadPool.class);
@ -1456,7 +1457,7 @@ public class AuthorizationServiceTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
authorizationService = new AuthorizationService(Settings.EMPTY, rolesStore, clusterService,
auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool,
new AnonymousUser(Settings.EMPTY), engine, Collections.emptySet(), licenseState, new IndexNameExpressionResolver());
@ -1464,61 +1465,61 @@ public class AuthorizationServiceTests extends ESTestCase {
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(new User("test user", "a_all"));
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(new User("runas", new String[]{"runas_role"}, new User("runner", "runner_role")));
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(new User("runas", new String[]{"runas_role"}, new ElasticUser(true)));
assertEquals(engine, authorizationService.getAuthorizationEngine(authentication));
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(new User("elastic", new String[]{"superuser"}, new User("runner", "runner_role")));
assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(new User("kibana", new String[]{"kibana_system"}, new ElasticUser(true)));
assertNotEquals(engine, authorizationService.getAuthorizationEngine(authentication));
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(true);
try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
authentication = createAuthentication(randomFrom(XPackUser.INSTANCE, XPackSecurityUser.INSTANCE,
new ElasticUser(true), new KibanaUser(true)));
assertNotEquals(engine, authorizationService.getRunAsAuthorizationEngine(authentication));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
when(licenseState.isAuthorizationEngineAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)).thenReturn(false);
assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
assertThat(authorizationService.getRunAsAuthorizationEngine(authentication), instanceOf(RBACEngine.class));
}
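Review bot: In the last block of this hunk, where the authentication is one of the internal users (`XPackUser.INSTANCE`, `XPackSecurityUser.INSTANCE`, `ElasticUser`, `KibanaUser`), the licensed case asserts only `getRunAsAuthorizationEngine`. `getAuthorizationEngine` is checked only after `isAllowed(Feature.SECURITY_AUTHORIZATION_ENGINE)` has been stubbed to false, a state in which every earlier block also expects `RBACEngine`. The test would therefore still pass if a licensed custom engine were used for an internal user's primary authorization, which the earlier reserved-user blocks suggest is not intended. I would add `assertThat(authorizationService.getAuthorizationEngine(authentication), instanceOf(RBACEngine.class));` before the `thenReturn(false)` stub in that block. The enclosing test method starts before the hunk and its end is not visible here.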


@ -11,6 +11,7 @@ import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.concurrent.ThreadContext.StoredContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.search.Scroll;
import org.elasticsearch.search.SearchContextMissingException;
import org.elasticsearch.search.internal.InternalScrollSearchRequest;
@ -96,7 +97,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
AuditTrail auditTrail = mock(AuditTrail.class);
@ -185,7 +186,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
TransportRequest request = Empty.INSTANCE;
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
AuditTrail auditTrail = mock(AuditTrail.class);
AuditTrailService auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);


@ -15,6 +15,7 @@ import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
@ -46,8 +47,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null),
@ -105,8 +106,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(randomBoolean());
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(randomBoolean());
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
Authentication authentication = new Authentication(new User("john", "role"), new RealmRef(null, null, null),


@ -16,6 +16,7 @@ import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.Authentication;
@ -50,8 +51,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
when(threadPool.getThreadContext()).thenReturn(threadContext);
@ -102,8 +103,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
when(threadPool.getThreadContext()).thenReturn(threadContext);


@ -28,6 +28,7 @@ import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.license.TestUtils.UpdatableLicenseState;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
@ -118,7 +119,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
public void testRolesWhenDlsFlsUnlicensed() throws IOException {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] {
IndicesPrivileges.builder()
.grantedFields("*")
@ -189,7 +190,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
public void testRolesWhenDlsFlsLicensed() throws IOException {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] {
IndicesPrivileges.builder()
.grantedFields("*")


@ -17,6 +17,7 @@ import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.index.query.MatchAllQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.TestThreadPool;
import org.elasticsearch.threadpool.ThreadPool;
@ -288,7 +289,7 @@ public class FileRolesStoreTests extends ESTestCase {
events.clear();
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, licenseState, xContentRegistry());
assertThat(roles, notNullValue());
assertThat(roles.size(), is(9));


@ -36,6 +36,7 @@ import org.elasticsearch.index.Index;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.TestThreadPool;
import org.elasticsearch.threadpool.ThreadPool;
@ -95,7 +96,7 @@ public class NativeRolesStoreTests extends ESTestCase {
public void testRoleDescriptorWithFlsDlsLicensing() throws IOException {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(false);
RoleDescriptor flsRole = new RoleDescriptor("fls", null,
new IndicesPrivileges[] { IndicesPrivileges.builder().privileges("READ").indices("*")
.grantedFields("*")
@ -157,7 +158,7 @@ public class NativeRolesStoreTests extends ESTestCase {
assertNotNull(role);
assertFalse(role.getTransientMetadata().containsKey("unlicensed_features"));
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_DLS_FLS)).thenReturn(true);
builder = flsRole.toXContent(XContentBuilder.builder(XContentType.JSON.xContent()), ToXContent.EMPTY_PARAMS);
bytes = BytesReference.bytes(builder);
role = NativeRolesStore.transformRole(RoleDescriptor.ROLE_TYPE + "fls", bytes, logger, licenseState);


@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.AbstractRestChannel;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestResponse;
@ -55,7 +56,7 @@ public class RestCreateApiKeyActionTests extends ESTestCase {
threadPool = new ThreadPool(settings);
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
}
@Override


@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.AbstractRestChannel;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestResponse;
@ -55,7 +56,7 @@ public class RestGetApiKeyActionTests extends ESTestCase {
threadPool = new ThreadPool(settings);
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
}
@Override


@ -20,6 +20,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.rest.AbstractRestChannel;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestResponse;
@ -55,7 +56,7 @@ public class RestInvalidateApiKeyActionTests extends ESTestCase {
threadPool = new ThreadPool(settings);
when(mockLicenseState.isSecurityAvailable()).thenReturn(true);
when(mockLicenseState.isSecurityEnabled()).thenReturn(true);
when(mockLicenseState.isApiKeyServiceAllowed()).thenReturn(true);
when(mockLicenseState.isAllowed(Feature.SECURITY_API_KEY_SERVICE)).thenReturn(true);
}
@Override


@ -23,6 +23,7 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.XPackSettings;
@ -173,7 +174,7 @@ public final class SecurityMocks {
when(client.threadPool()).thenReturn(threadPool);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isTokenServiceAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_TOKEN_SERVICE)).thenReturn(true);
final ClusterService clusterService = mock(ClusterService.class);
final SecurityContext securityContext = new SecurityContext(settings, threadPool.getThreadContext());


@ -15,6 +15,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.node.MockNode;
import org.elasticsearch.node.Node;
import org.elasticsearch.test.ESTestCase;
@ -61,8 +62,8 @@ public class IPFilterTests extends ESTestCase {
public void init() {
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_AUDITING)).thenReturn(true);
auditTrail = mock(AuditTrail.class);
auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
@ -252,7 +253,7 @@ public class IPFilterTests extends ESTestCase {
Settings settings = Settings.builder()
.put("xpack.security.transport.filter.deny", "_all")
.build();
when(licenseState.isIpFilteringAllowed()).thenReturn(false);
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(false);
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
@ -263,7 +264,7 @@ public class IPFilterTests extends ESTestCase {
verifyZeroInteractions(auditTrail);
// for sanity enable license and check that it is denied
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
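Review bot: The unlicensed case at `when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(false);` needs a comment stating the behaviour under test. The filter is built with `xpack.security.transport.filter.deny` set to `_all`, the only expectation visible afterwards is `verifyZeroInteractions(auditTrail)`, and the later comment `// for sanity enable license and check that it is denied` implies the rule is simply not enforced without the license. Because that is a fail-open path, I would spell it out above the stub, e.g. `// unlicensed: the deny rule is not enforced and nothing is audited`. The assertions between the two hunks are not visible here, so the wording should be checked against them; the test method starts and ends outside these hunks.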


@ -14,6 +14,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
@ -57,7 +58,7 @@ public class IpFilterRemoteAddressFilterTests extends ESTestCase {
IPFilter.PROFILE_FILTER_DENY_SETTING)));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());


@ -13,6 +13,7 @@ import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.license.XPackLicenseState.Feature;
import org.elasticsearch.nio.NioChannelHandler;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.Transport;
@ -60,7 +61,7 @@ public class NioIPFilterTests extends ESTestCase {
IPFilter.PROFILE_FILTER_DENY_SETTING)));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isAllowed(Feature.SECURITY_IP_FILTERING)).thenReturn(true);
AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());